NAC - L3 OOB

Hi all,
We would like to authenticate users L3 adjacent to the NAC appliance server. The NAC is set up as an OOB virtual gateway.
Is that possible, and what should the configuration be?


Similar Messages

  • NAC WLC OOB integration

    I am trying to get NAC integration with WLC working for wireless users in OOB and can't get it to work. I followed directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered client on the CAM only when I turn off 802.1x for layer 2 security on the WLAN, but still it does not get switched to the Access VLAN nor do I get a web login screen. The DHCP for wireless clients is provided by the WLC itself so that traffic does not pass through the CAS. Am I doing anything wrong?

    Faisal
    I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue as the Guest subnet correctly points to the untrusted interface with no GW and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC Guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just an L2 VLAN on the core switch.
    10.8.21.11/32           -               0 0
    10.8.21.1/32            -               1 0
    10.8.21.0/24            -               2 0
    0.0.0.0/0               10.8.21.1       1 0
    10.8.17.0/24            -               2 8
    10.8.15.0/24            -               2 8
    172.16.8.0/24           -               2 8
    10.8.21.10/32           -               0 2
    10.8.17.169/32          10.8.21.1       1 0
    10.8.17.152/32          10.8.21.1       1 0
    10.8.17.182/32          10.8.21.1       1 0
    10.8.17.128/32          10.8.21.1       1 0
    10.8.17.119/32          10.8.21.1       1 0
    10.8.17.137/32          10.8.21.1       1 0
    10.8.17.188/32          10.8.21.1       1 0
    10.8.17.200/32          10.8.21.1       1 0
    10.8.17.165/32          10.8.21.1       1 0
    10.8.17.124/32          10.8.21.1       1 0
    10.8.17.113/32          10.8.21.1       1 0
    10.8.17.197/32          10.8.21.1       1 0
    10.8.17.206/32          10.8.21.1       1 0
    Thanks
    Shaffeel

  • NAC L3 OOB not working across WAN

    I am setting up a proof of concept lab for a NAC installation.
    I am using Cisco Catalyst 3550 and 2950 switches (the actual environment is using 3750, 2960 and 2950 switches) and have the NAC set up in a central L3 OOB configuration. In this configuration I have a single NAS and NAM at the "MAIN_SITE" and then two branch sites, "BRANCH1" and "BRANCH2".
    At the main site, the OOB works fine and when a user logs on, the port is moved from the unauthenticated VLAN (290) to the role-based VLAN (200). However, at the "branches" the switches are not placing the port into the role-based VLAN, nor, if a port is in VLAN 200 and a PC is plugged into that port, does the port switch to VLAN 290 (unauthenticated).
    Sniffing the traffic with Wireshark I see the SNMP sets being sent by the NAM to the switch telling it to place the port into VLAN 200, but the switch is not doing it.
    My write strings are set up correctly and the NAM is able to set up the initial commands on the switch for the NAC ("snmp trap mac-notification added" commands to the ports).
    Can anyone say what is wrong?
    Sachin

    I defaulted the 3550 switch in the WAN and reconfigured it and it works now. I tried the same procedure for the 2950 switch but no dice. I replaced the 2950 switch with a 3550 that worked.
    Can anyone say if there is an issue with the 2950 switch for L3 OOB? I don't have another 2950 switch to test with.
    Sachin

  • NAC L3 OOB VoIP

    I've configured a CAM and CAS as both L2 OOB and have enabled L3 support with Real IP. I have a remote site that uses Avaya 4610SW VoIP phones. Both the CAM and CAS reside locally with no CAS at the remote site.
    I'm able to get full functionality with VoIP phones and clients connected to the phones from a Layer 2 perspective, however when I try and get the remote office VoIP phone/client combo, it doesn't work. When I remove the phone and plug the client machine directly to the switchport, it works, so I'm sure the PBR and GRE configs are correct.
    From my readings, I know that you need to exclude the mac addresses of the phones, and when I have done testing from a Layer 2 perspective, it works without a problem. The problem that I am seeing is that the mac address of the phone is not being picked up by the NAC. I'm aware that mac addresses are stripped off for L3, but I have no idea how to get this to work. The profile has been set up to not bounce the port, mac address notification vs linkup/down, etc.
    Any ideas would be greatly appreciated.
    Thanks
    Jeff

    Jeff,
    In this scenario, the L3 stripping off the MACs doesn't apply. If you are controlling the switch on the remote site with CAM and sending MAC-Notifications to the CAM, those notifications would include the MAC of your phone.
    You have to make sure that the MAC addresses of those phones are in the "IGNORE" filter on your CAM and not the ALLOW filter. This essentially tells the CAM that when the switch reports a new MAC on the switchport, and it's in the IGNORE filter, to ignore that MAC and not switch the port back to the AUTH VLAN.
    HTH,
    Faisal

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a central deployment (NAC server at the central site) for remote office (WAN) users, is it possible to work with L3 OOB
    Virtual Gateway, or is it only possible to work with L3 OOB Real-IP gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find an answer to this in the documentation.
    Thanks in advance.


  • NAC L2 OOB VG ARP, DNS

    I am deploying a NAC 4.7.2 in-house to stage for a customer deployment. The deployment method I used is L2 OOB VG; I configured the switch, managed subnets, and VLAN mapping. However, two problems arose:
    1. ARP replies from the trusted to the untrusted side are not being bridged between the access VLAN and authentication VLAN
    2. DNS replies are also not being forwarded from the trusted (access VLAN) to the untrusted (authentication VLAN)
    What's strange is that DHCP is working fine.
    I have tried to add an ARP entry for the default gateway (the client gets the MAC address of the untrusted interface as the default gateway), which NAC redirects and then provides the login process and remaps my port to the access VLAN, but then I have to manually remove the ARP entry for the switch to discover the real MAC address of the default gateway once the client is in the access VLAN.
    Is there anything else besides managed subnets and VLAN mapping needed for L2 OOB VG to work? From my understanding, DHCP, DNS, and ARP should be bridged normally between the trusted <--> untrusted interfaces with no additional configuration.

    Hanny,
    Sorry I couldn't look at your diagram in detail before. So there's something wrong here.
    You claim in the PDF that VLAN 5 and 6 are untrusted, mapping to 15 and 16, for which you have the SVIs defined.
    You also claim that FA0/17 is the untrusted interface and FA0/13 is the trusted interface, yet your interface definitions are the inverse of your network diagram. Is it just as simple as you plugging in the interfaces wrong? Or the error is in the diagram? Or the interface definitions in the PDF?
    Please clarify. If you can also, please post the Network tab from your CAS, the Advanced tab from your CAS showing the managed subnets and the VLAN Mapping tab from your CAS. Also please post your sanitized show running-config from your switch and verify where each of the interfaces are plugged in?
    Thanks,
    Faisal
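    As an added reference (constructed for this page, not configuration from any poster or from Cisco's documentation): a switch-side configuration for an L2 OOB virtual-gateway pair using the VLAN numbers from Hanny's description, authentication VLANs 5 and 6 mapped to access VLANs 15 and 16, with FA0/17 as the trunk to the CAS untrusted side and FA0/13 to the trusted side. The IP addresses, the CAM address, the SNMP community, the management VLAN 10 and the client port number are assumptions. It illustrates the point Faisal is probing: each trunk must carry its half of every mapped pair, and the L3 gateway for a pair must exist only on the access VLAN, otherwise the switch routes for the auth VLAN itself and ARP and DNS from the trusted side are never bridged through the CAS.

```cisco
! Constructed example: L2 OOB virtual gateway, auth VLAN 5 -> access VLAN 15,
! auth VLAN 6 -> access VLAN 16. Addresses and VLAN 10 are assumed.
!
! MAC-notification traps are how the CAM learns a client appeared on a
! controlled port (trap destination = CAM, community string assumed).
mac-address-table notification
snmp-server enable traps mac-notification
snmp-server host 10.10.0.20 traps version 2c nac-ro mac-notification
!
! Trunk to the CAS untrusted interface (eth1): only the authentication VLANs.
interface FastEthernet0/17
 description CAS eth1 untrusted
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,6
 switchport mode trunk
 spanning-tree portfast trunk
!
! Trunk to the CAS trusted interface (eth0): only the mapped access VLANs, plus
! the CAS management VLAN untagged (native) so the CAM keeps reaching the CAS.
interface FastEthernet0/13
 description CAS eth0 trusted
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,15,16
 switchport mode trunk
 spanning-tree portfast trunk
!
! Gateways live on the access VLANs only. Deliberately no "interface Vlan5" or
! "interface Vlan6": an SVI on an auth VLAN would let clients reach a gateway
! without crossing the CAS, so ARP and DNS from the trusted side would never
! be bridged to them.
interface Vlan15
 description access VLAN for auth VLAN 5
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan16
 description access VLAN for auth VLAN 6
 ip address 198.51.100.1 255.255.255.0
!
! A controlled client port: starts in the auth VLAN; the CAM moves it to
! VLAN 15 once the user is certified.
interface FastEthernet0/1
 description NAC controlled port
 switchport mode access
 switchport access vlan 5
 snmp trap mac-notification added
 spanning-tree portfast
```

    Lines starting with `!` are comments. The MAC-notification commands are shown in the older 3550/3560 spelling quoted in the WAN thread above (`mac-address-table notification`, `snmp trap mac-notification added`); newer IOS releases spell them `mac address-table notification change` and `snmp trap mac-notification change added`. A quick check that the pairing is right is `show interfaces trunk`: VLANs 5 and 6 must appear only on the untrusted-side trunk and 15 and 16 only on the trusted-side one.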

  • NAC L3 OOB - Online Users not correct

    I'm testing a NAC 4.1.3 L3 OOB Real IP configuration and have come across an anomaly. Can someone help, please?
    I have configured two switches to be managed by NAC and have configured a role for Web Authentication and set all ports to be controlled.
    When I connect a PC to switch 1 and authenticate all works well and the View Online Users displays the PC/role/Switch Port correctly.
    I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Looking at switch 1, it has moved the port I was connected to the VLAN it should be after authentication. This should have been done to the port I'm now on at the Switch 2!
    MAC notifications are used and link up/down notifications are enabled on the switches. They are not stacked. When disconnecting from the switches it correctly removes me from the online users. After authentication on the new switch it puts me back on the original switch where I was!!!!!!
    This is most infuriating, it means the product is useless if I have users moving from one desk to another ending up on a different switch where they will no longer be able to work as they cannot get past authentication.
    All help is gratefully received.
    Thanks,
    Paul Kyte

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be an Access VLAN option; make it active.

  • NAC L2 OOB Auth and Access VLAN

    I'm new to Cisco NAC appliance.
    I wanted to deploy L2 OOB VGM for my wired users.
    I wanted to check whether I can have multiple Authentication to Access VLAN mappings.
    For example :
    Authentication VLAN - 111 Map to Trusted VLAN 311
    and
    Authentication VLAN - 112 Map to Trusted VLAN 312
    Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and VLAN 112.
    The reason I want to do this is that I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or utilise DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
    Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Login through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.

  • NAC L2 OOB VG with Nortel Phones

    Hi,
    Will users behind the Nortel IP phones be authenticated by NAC in L2 OOB VG mode?
    thanks
    sathappan

    Yes, assuming that the relevant switch ports are controlled by the CAM. Make sure that the phones are excluded from authentication by their MAC addresses (work out some valid prefix and exclude them from authentication) otherwise you will see authentication loops.
    HTH

  • NAC with OOB and Wireless 802.1x

    Has anybody any experience with integrating NAC OOB and 802.1x?
    I have seen that there are some issues about it.

    Working pretty well.
    Check this out:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • NAC Appliance OOB L3

    Hi everyone,
    "I have a friend" ( :-) ) for whom I want to deploy NAC OOB L3.
    Why this one? Because he has a central location and a few branches (a few more actually) and these branches are 2 L3 hops from the center. More specifically, there is an L3 switch as a gateway to the branch LAN users and after that, a router that connects to the center (GRE/IPSec).
    The question is, and I did not manage to find out or to work out by myself: is it mandatory to use a DHCP server for allocating IPs to clients (for all of their states: unauthenticated, authenticated, permitted etc.)?
    If not, how should it be done?
    Second: if it is mandatory, should it work only with a centrally deployed DHCP server, or can I use the L3 switch in every branch as a DHCP server?
    Thank you for your patience.

    DHCP is required for L3 OOB Real-IP gateway since the system will need to get a new address when it is switched to the authorization VLAN and then again after the posture process when it is switched back to its "normal" VLAN.
    As for the DHCP server, you can use either a central server, have a local switch provide the addresses or a combination of both.
    In our install, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.
    Mike

  • NAC L3 OOB VGM Deployment examples

    Greetings,
    Currently my customer has a L2 OOB VGM deployment for the users inside the campus network.
    The customer is opening new branch offices and wants to use the same NAC server for those office (NAC centrally deployed).
    I would like to get some examples and guidance on how to configure the NAC in Layer 3 OOB VGM, since I wouldn't like to change my network topology in order to accommodate Real-IP mode.
    I have only found examples for Real-IP Layer 3.

    Yes, I agree with you. I asked because the NAC can be configured that way, and also Cisco's documentation suggests it is possible.
    The only way I thought that could accomplish L3 OOB VGM is by having a second interface in the WAN router connected to the unauthenticated VLAN, and redirecting traffic to that interface (PBR).

  • NAC L3 OOB VGW possible?

    Is it possible to do L3 NAC OOB with VGW?
    The documentation does not say that it is not possible, but I see some technical difficulties.
    In a VGW deployment, the Auth IP = Access IP and only the VLAN ID changes. But on the other end of an L3 link I cannot see VLAN IDs and therefore cannot distinguish between Auth and Access.
    So is it correct that OOB L3 VGW is not possible?

    It is my understanding that the IP address of the client must change when it moves from auth to access.
    It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.
    Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access (though I prefer VRF) to "pipe" auth traffic back to the CAS.
    Once auth is successful, the CAM switches the port to the access vlan.
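    An added, constructed example of the design just described and of the PBR approach proposed in the VGM thread above; it is not configuration from any poster. It shows a branch L3 switch with authentication VLAN 290 and access VLAN 200 (the VLAN numbers from Sachin's lab), the branch router's existing GRE tunnel to the central site, and a central router that sits on the same segment as the CAS untrusted interface. All addresses, interface and tunnel numbers are assumptions. As in Mike's install, the local switch is the DHCP server for the auth VLAN, with short leases so the client re-addresses quickly after the CAM moves its port; the access VLAN relays DHCP to a site server.

```cisco
! ===== Branch L3 switch (constructed) =====
! DHCP for the auth VLAN is local; short leases so the client picks up its
! access-VLAN address soon after the CAM moves the port.
ip dhcp excluded-address 10.29.0.1 10.29.0.10
ip dhcp pool NAC-AUTH-VLAN290
 network 10.29.0.0 255.255.255.0
 default-router 10.29.0.1
 dns-server 10.1.1.53
 lease 0 0 5
!
! Everything sourced from the auth subnet is policy-routed towards the centre
! instead of being routed locally into the access VLAN or branch servers.
! Packets addressed to the switch itself (DHCP, the gateway) are not policy-routed.
ip access-list extended NAC-AUTH-SUBNET
 permit ip 10.29.0.0 0.0.0.255 any
!
route-map NAC-TO-CAS permit 10
 match ip address NAC-AUTH-SUBNET
 set ip next-hop 10.250.0.2
!
interface Vlan290
 description NAC authentication VLAN
 ip address 10.29.0.1 255.255.255.0
 ip policy route-map NAC-TO-CAS
!
interface Vlan200
 description NAC access VLAN, normal routing, DHCP relayed to the site server
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.20.0.10
!
interface Vlan250
 description link to the branch WAN router (next hop of the route-map)
 ip address 10.250.0.1 255.255.255.0
!
interface FastEthernet0/1
 description NAC controlled port
 switchport mode access
 switchport access vlan 290
 snmp trap mac-notification added
 spanning-tree portfast
!
! ===== Branch WAN router (constructed) =====
! The auth subnet simply rides the existing GRE tunnel to the centre; the
! steering towards the CAS happens at the tunnel's far end.
interface Tunnel0
 ip address 172.16.250.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
!
ip route 10.29.0.0 255.255.255.0 10.250.0.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! ===== Central router, tunnel endpoint, one hop from the CAS (constructed) =====
! Auth-VLAN sources from every branch are handed to the CAS untrusted interface,
! which must be on a directly connected segment for "set ip next-hop" to work.
ip access-list extended NAC-AUTH-SUBNETS
 remark one line per branch authentication subnet
 permit ip 10.29.0.0 0.0.0.255 any
!
route-map NAC-TO-CAS permit 10
 match ip address NAC-AUTH-SUBNETS
 set ip next-hop 10.1.2.5
!
interface Tunnel0
 ip address 172.16.250.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
 ip policy route-map NAC-TO-CAS
!
interface GigabitEthernet0/1
 description segment shared with the CAS untrusted interface (10.1.2.5)
 ip address 10.1.2.1 255.255.255.0
```

    Once the CAM has moved the port to VLAN 200 the client's traffic no longer matches the auth-subnet ACL anywhere, so it follows normal routing and never touches the CAS; that is what keeps the deployment out-of-band. `show route-map NAC-TO-CAS` on either router shows the policy match counters climbing while a client is in VLAN 290, and `debug ip policy` (on a lab box only) shows each redirected packet.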

  • NAC appliance OOB DNS problem

    Hello friends, anybody can help me ?
    I have 1 CAS OOB, a 3560 and 1 CAM. I have configured VLANs, DHCP, etc. When the client is in the auth VLAN, it owns an IP from the trusted VLAN with the VLAN mapping configuration, buuuuuuuutttt DNS doesn't work. The client web browser doesn't redirect. I can access the login page only by writing the CAS IP address in the browser.
    I am lost, thanks.

    Make sure the ip address of the CAS is mapped to its name in the DNS server so that redirection takes place.

  • NAC Appliance + OOB Virtual Gateway Trunking issues

    I have the following problem. When I connect the CAS eth0 to a trunk port in the core switch it disconnects from the CAM. When the port is in access mode, the CAM can connect to the CAS. The core switch is a 4500 with IOS 12.2(25)EW. What could be the problem?

    Hi prananth,
    I managed to resolve the issue. It was a HA issue. I had configured "Link failure detect" on the redundant CAS app. Apparently the CAS couldn't reach the pingable IP, causing failover to take place many times between the two boxes, causing the CAS not to communicate with the CAM.
    Kindly help me with the following problem I am now having:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf45d4/0#selected_message
    I will really appreciate. Thank you.
