NAC layer 3 Virtual Gateway Setup

I am running the NAC Appliance currently in virtual gateway mode for layer 2 inband and it works great. I wanted to add layer 3 virtual gateway inband to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the Agent on the layer 3 network or can it still somehow go through just the web page authentication?
Thanks.

Policy route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the other side of the clean access server, on the trusted side. There's a NAC Chalk Talk PDF that steps this through for you.
Search "NAC Chalktalk"
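As an added illustration (not part of the original thread), this is one way to realise the policy-routing step described in the answer on a Cisco IOS router or L3 switch that fronts the remote subnet: traffic from the remote user subnet is steered to the CAS untrusted side instead of following the normal routing table, while the CAS's own static route back to that subnet provides the return path. All addresses, the ACL name and the route-map name are placeholders.

```ios
! Placeholder addressing used throughout this illustration:
!   10.19.0.0/16  remote (L3) user subnet that must be forced through the CAS
!   10.1.0.0/16   campus side, where the discovery host and CAM live (trusted side)
!   10.200.1.2    CAS address as reached from the untrusted segment
!
! Match only traffic that must pass through the CAS before it is certified.
ip access-list extended NAC_L3_REDIRECT
 ! Traffic addressed to the CAS itself (e.g. the web login page) is left alone,
 ! otherwise it would be policy-routed back at the device answering it.
 deny   ip 10.19.0.0 0.0.255.255 host 10.200.1.2
 ! Everything else from the remote user subnet toward the campus is redirected.
 permit ip 10.19.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! The route-map overrides the normal next hop for matching packets only;
! non-matching traffic still follows the routing table.
route-map NAC_L3_PBR permit 10
 match ip address NAC_L3_REDIRECT
 set ip next-hop 10.200.1.2
!
! Apply the policy on the interface that receives traffic from the remote
! subnet (the routed interface or SVI facing the remote site).
interface GigabitEthernet0/1
 description Toward remote L3 user subnet (placeholder)
 ip policy route-map NAC_L3_PBR
```

After a client on the remote subnet generates traffic, `show route-map NAC_L3_PBR` reports the policy-routing match count, which confirms the remote traffic is actually being steered to the CAS rather than bypassing it.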

Similar Messages

  • NAC L3 OOB Virtual Gateway/Real-IP Gateway

    In a Central Deployment (NAC server at the Central Site) for Remote Office (WAN) users, is it possible to work with L3 OOB
    Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
    If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
    I didn't find an answer for this in the documentation.
    Thanks in advance.

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and, below "Options: Device Connected to Port" (the second one), "Change to .... if the device is certified"; there should be an Access VLAN option. Make it active.

  • NAC Problem_In-Band Virtual Gateway deployment

    We deployed an In-Band virtual gateway deployment.
    The users are connected to the untrusted VLAN and take an IP address from DHCP, which is configured on an ASA connected to the trusted interface, but no one can reach the gateway (the IP address of the firewall), and when we open any browser it does not redirect to the web login page. We don't have a local DNS and we use global DNS.
    Note: we used HP switches.
    Please support me ASAP.
    BR,
    Saad Eid

    I have not found any either. You can use the one for VPN since it will be the same.
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

  • NAC Appliance + OOB Virtual Gateway Trunking issues

    I have the following problem. When I connect the CAS eth0 to a trunk port in the core switch it disconnects from the CAM. When the port is in access mode, the CAM can connect to the CAS. The core switch is a 4500 with IOS 12.2(25)EW. What could be the problem?

    Hi prananth,
    I managed to resolve the issue. It was an HA issue. I had configured "Link failure detect" on the redundant CAS appliance. Apparently the CAS couldn't reach the pingable IP, causing failover to take place many times between the two boxes, which caused the CAS not to communicate with the CAM.
    Kindly help me with the following problem I am now having:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf45d4/0#selected_message
    I will really appreciate it. Thank you.

  • NAC - virtual gateway vs. real gateway

    Hi All,
    I don't have too much experience with NAC deployment. I want to go with L3 (because we have a central site), OOB (for LAN) and IB (for wireless and VPN), but I don't know whether I should go with real gateway or virtual gateway. I know virtual gateway is easier than real gateway, but technically, which way is more popular and provides better security measures?
    Any suggestion would be very appreciated.
    thanks
    Alex

    If your remote subnets are multiple hops away, RIP would be the option you should use. They are both equally popular, but for L3 subnets which are remote, RIP is the most often used design.

  • NAC/CCA Configuration Verification: OOB + Virtual Gateway (L2)

    Hello,
    I am currently configuring a NAC deployment based on Out-of-Band (OOB) with Virtual Gateway. Can someone please verify my configs below:
    Core Switch:
    VLAN DB:
    vlan 10
    name VLAN_DEPT1
    vlan 11
    name VLAN_DEPT2
    vlan 20
    name VLAN_DEPT3
    vlan 26
    name VLAN_DEPT4
    vlan 27
    name VLAN_DEPT5
    vlan 28
    name VLAN_DEPT6
    vlan 29
    name VLAN_DEPT7
    vlan 30
    name VLAN_DEPT8
    vlan 32
    name VLAN_DEPT9
    vlan 50
    name VLAN_NetMGT
    vlan 51
    name VLAN_CAS_MGT
    vlan 52
    name VLAN_CAM_MGT
    vlan 210
    name VLAN_DEPT1_Auth
    vlan 211
    name VLAN_DEPT2_Auth
    vlan 220
    name VLAN_DEPT3_Auth
    vlan 226
    name VLAN_DEPT4_Auth
    vlan 227
    name VLAN_DEPT5_Auth
    vlan 228
    name VLAN_DEPT6_Auth
    vlan 229
    name VLAN_DEPT7_Auth
    vlan 230
    name VLAN_DEPT8_Auth
    vlan 232
    name VLAN_DEPT9_Auth
    Interface Configs
    interface GigabitEthernet3/41
    description "Link to Cisco CAM-PRI eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/42
    description "Link to Cisco CAM-FO eth0"
    switchport access vlan 52
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    interface GigabitEthernet3/43
    description "Trunk to Cisco CAS-PRI eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/44
    description "Trunk to Cisco CAS-FO eth1 / UN-Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 777
    switchport mode trunk
    switchport trunk allowed vlan 210,211,220,226-230,232
    interface GigabitEthernet3/46
    description "Trunk to Cisco CAS-PRI eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet3/48
    description "Trunk to Cisco CAS-FO eth0 / Trusted Network"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    switchport trunk allowed vlan 10,11,20,26-30,32,50-51
    interface GigabitEthernet1/1
    description "Trunk link to DEPT1 Access SW"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    !------- Example of VLAN Interface --------
    interface Vlan10
    description "DEPT1 VLAN"
    ip address x.x.10.1 255.255.255.0
    ip helper-address x.x.50.5
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    !------- No VLAN Interface for AUTH VLAN 210 --------
    Access Switch Configuration
    interface GigabitEthernet0/1
    description "Trunk Link to Core Switch"
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 700
    switchport mode trunk
    no ip address
    interface GigabitEthernet0/6
    switchport access vlan 30
    switchport mode access
    spanning-tree portfast
    spanning-tree guard root
    no cdp enable
    no ip address
    =========================================
    Is the above config correct?
    Thanks

    Hi,
    By bogus I assume you mean something like:
    interface Vlan700
    description "BIT BUCKET for unused ports"
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache
    no ip mroute-cache
    shutdown

  • NAC Appliance for Wireless In-Band Virtual Gateway

    Hi, People.
    Does anybody know how to configure the NAC Appliance for Wireless In-Band Virtual Gateway?
    Tks.

    Hi Wemerson,
    Basic Wireless or Wired InBand is basically the same thing regarding the NAC configuration.
    Please follow the chalk-talks available online: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    Notes:
    - In In-Band, all traffic MUST flow through the CAS, which means that all the traffic on the VLAN of the wireless client MUST flow through the CAS. This can be done via L2 mechanisms (VLAN restrictions) or L3 (routing).
    - For the CAS, it is transparent whether the client traffic comes from a wireless client or a wired client.
    - If you want to use wireless SSO, you can configure the WLC the same way as a VPN concentrator. The WLC will then send RADIUS Accounting information to the CAS, and the CAS can allow clients to access resources if they have already been authenticated by the WLC.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • L3 Deployment OOB Virtual Gateway

    Hi Faisal,
    Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable L3 support and apply static routes. When I try to connect a client workstation I cannot get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports, the port changes to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to put in a managed subnet and VLAN mapping? But from what I've read in the manual there is no need to configure the managed subnet; instead a static route needs to be applied.
    For the L2 deployment OOB Virtual Gateway it is working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites also, so the users authenticate through the NAC. I'm thinking of applying 2 approaches for the NAC: L2 deployment for the main site and L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what I should apply for it and see the attachment. Thanks.
    Richard

    I have set up a Windows DHCP server locally in the network that is L3 hops away. Basically the network from the main site (where the NAC is installed) and the remote site were already connected and talking because of the static route. The remote site has always had a DHCP server locally where the clients get IP addresses. I also created the DHCP scope for the authentication VLAN as I saw in the manual, though in the example they're using an L3 switch. I configured the static route in the CAS. What else do I need in the configuration?
    In the OOB Virtual Gateway there is no problem using the Windows DHCP server, but the thing is it cannot do L3 hops away; it is just in the main site. That's why I changed to OOB RIP. Please see the attachment.

  • Cisco Clean Access OOB with virtual gateway

    I have set the Clean Access OOB virtual gateway mode. I put a managed subnet on one of the unused IPs with the unauthenticated VLAN. Some of the PCs run with DHCP, so I put IP refresh after successful authentication (this is working fine), but some of them run with static IPs so I cannot refresh the IP address.
    After authentication through Clean Access, the Clean Access Manager changes the unauthenticated VLAN (44) to the authenticated VLAN (4), but I can't access the internet or any other application through the network (even with static IP and DHCP; if I put refresh DHCP IP I can). In the PC ARP cache I can see the original gateway MAC address; if I clear the ARP cache with the arp -d command, it starts working that moment. How can I solve this issue? Please help me, guys.
    thank you

    This document describes how to configure the syslog settings in order to log the events to an external server in the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access (CA).
    http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a008085d6e9.shtml

  • Can not use the Gateway setup assistant

    Hello,
    I want to use the Gateway setup assistant from NAT service.
    My OS X server is in French.
    I have a bug: when setting up VPN from the assistant, I can't continue the setup.
    I click on the "continue" button but nothing happens !
    Is this a bug ? Someone got the same result ?
    Thx to help

    No answer ?
    Perhaps it is a bug in the French translation.

  • Gateway Setup Assistant on a 10..x.y.z subnet

    Hi,
    I'm trying to use Gateway Setup Assistant on a 10..x.y.z subnet.....
    BUT
    the assistant tells me that it will switch everything to 192.168.0.x !!!! which I obviously do not want
    Hence, how can I use that assistant without screwing up my current subnet setup, OR how can I set up that gateway manually?
    Thks
    Laurent

    Hi,
    >>can u pls explain what is this mounting?
    Mounting is equivalent to creating a map drive in Windows.
    To know more about mounting check this page http://www.techotopia.com/index.php/Sharing_Ubuntu_Linux_Folders_with_Remote_Linux_and_UNIX_Systems
    >>If i use ftp..what do i use for port?
    The standard port for FTP communication is port 21. Also you can check this link http://www.zephyrcorp.com/unix-ftp.htm
    I would suggest you do some googling and find it out yourself. You will get a lot more information on these.
    Regards
    suraj

  • Need help setting up a virtual switch setup for my lab.

    Hi,
    I used to be able to get this to work. But, I'm not able to anymore.
    I have two network cards in my PC.
    #1 Is what I use for everyday use and it's configured to use :
    IP: 192.168.0.2
    GW: 192.168.0.1
    DNS : 192.168.0.1 (Router address)
    #2 Is setup to use
    IP: 192.168.0.3
    GW: 192.168.0.1
    DNS : 192.168.0.1 (Router address)
    Then I create a Virtual Switch in Hyper V Virtual Switch Manager and bind it to Network Card #2.
    This creates the Hyper V Virtual Ethernet Adapter that I bind my VM's to.
    But for some reason none of my VM's can get a connection to the internet. There is an exclamation mark over the network icon.
    When I go back and look at the TCP/IP v4 properties of the Virtual Ethernet Adapter, I realize that it has no DNS settings.
    But when I put any settings in there it gives me a warning about setting multiple default gateways, and do I want to continue, yes or no?
    What could I be doing wrong?
    Thanks

    Hi midi25,
    Then I create a Virtual Switch in Hyper V Virtual Switch Manager and bind it to Network Card #2.
    This creates the Hyper V Virtual Ethernet Adapter that I bind my VM's to.
    I think you checked "Allow management operating system ...". The new vEthernet adapter is a virtual adapter for the HOST (the name is the same as the vSwitch).
    So, the "multiple default gateway" warning will arise when you configure a GW for it.
    Best Regards
    Elton Ji

  • EDI Gateway Setup

    Hi All
    I need info regarding EDI Gateways(EDI Outbound Transaction setup)
    I am trying to generate the flat file for Outbound Purchase Order using standard Extract programs. But I am getting an empty file.
    I have gone through some documents available on Net. But I could not fix this problem.
    I wanted to know the basic steps we need to perform to get the output file.
    I am using standard categories only so far. I defined values for some Categories and attached those categories to some of the columns in the Interface Table.
    But still I am not getting the output file.
    Do I need to delete the columns from the Output Definition to which I have not attached any category?
    When I set up the Trading Partner Information, I just created a dummy name for the partner header and attached one of the supplier names and supplier sites to that partner. Will it validate the partner information somewhere while extracting the data? Does this partner information need to be present somewhere, or can we create dummy names for testing purposes?
    Please feel free to send info to [email protected]
    I appreciate your help regarding this.

    If you are looking at e-Commerce Gateway, you should also look at the full Oracle B2B solution, which includes complete integration, EDI, mapping, TPM, AS2 etc. capabilities. It provides a standards-driven, flexible, end-to-end solution that you won't find elsewhere. If you are an e-Business Suite user, this would be an ideal choice.
    John Morris

  • PI 2.0 - virtual express "setup" Fail - The passwords do not match:

    Hi all,
    Since my lab is mostly VM, I was going to upgrade my PI 1.3 to 2.0. Cisco documentation says the inline upgrade is not supported for the small virtual appliance. Anyhow, I deployed the new 2.0 Express virtual OVA file, allowing it to use all needed resources.
    To get to the point, when I run through the initial setup/bootstrap, I cannot get past the setting of the admin user's password. Regardless of what I type, I always get the same message "The passwords do not match". I can simply type the letter 'a' for a password attempt and am told they do not match. Only when leaving the password blank do I see a message showing a 6 character minimum. I can type abc123 or whatever basic combination, advanced combination, cases, symbols, numbers, etc. No matter what I do I cannot make the passwords "match"!
    I have blown away the VM and re-deployed, validating checksum on OVA downloaded, PI-VA-2.0.0.0.294-Express.ova.
    I cannot get past this step.  Has anyone else experienced this or have any input?  I'm not finding anything in my searches.
    Thanks!

    So I was not correct in what fixed my issue.
    So, when I rebooted the host (which contains my MS 2008 DC as well), I had to access my vSphere from my local windows machine client (VM running on Oracle VBox on my MBAIR) through my VPN to my lab. 
    When typing the password Combos from my local Windows VM, I could get past this step.
    When it was time to type the ftpuser/web user (after I performed the initial setup), I again accessed through the vSphere Client loaded on the 2008 DC Virtual Machine running on the same host as the Prime 2.0 Install - same VLAN/etc.  I access this via RDP, then launch vSphere from that DC.
    From that client I was again getting the Passwords not matching.  Only when launching vSphere Client locally (from my local MB AIR VM) was I able to get the passwords to work.
    Bottom line, it seems when accessing vSphere client through an RDP session, using the console feature of vSphere client provided mixed/undesirable results.  When I access console from a vSphere client (non-RDP) it was working fine.
    Just figured I would let you know what seems to be the trigger.
    Thanks Scott!

  • Getting SYSTEM_ERROR when testing Integrated SOA Gateway setup

    Hi,
    I followed all the documentation out there for setting up Integrated SOA Gateway in an EBiz R12.1.3 instance. Finally, when I am testing my setup using "Testing ISG installation using operation TESTUSERNAME in FND_USER_PACKAGE (Doc ID 1506065.1)", I get the error below:
        Could some one please help me on this.
    Error Details  
    java.lang.NoClassDefFoundError: Could not initialize class org.collaxa.thirdparty.apache.wsif.logging.Trc at org.collaxa.thirdparty.apache.wsif.util.WSIFPluggableProviders.overrideDefaultProvider(WSIFPluggableProviders.java:183) at oracle.apps.fnd.soa.provider.services.jca.JCAHandler.<init>(JCAHandler.java:57) at oracle.apps.fnd.soa.provider.services.ServiceFactory.getServiceImplementation(ServiceFactory.java:45) at oracle.apps.fnd.soa.provider.SOAProvider.processMessage(SOAProvider.java:336) at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:956) at oracle.j2ee.ws.server.WebServiceProcessor$1.run(WebServiceProcessor.java:358) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:396) at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:355) at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessing(ProviderProcessor.java:466) at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:114) at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:96) at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:194) at javax.servlet.http.HttpServlet.service(HttpServlet.java:763) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:713) at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370) at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871) at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453) at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:313) at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:199) at 
oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260) at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303) at java.lang.Thread.run(Thread.java:619)
    And here are the SOAP request and response payloads.
    [Request Payload]
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" soap:mustUnderstand="1"><wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Username>asadmin</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">asadmin</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header>
        <soap:Body xmlns:ns1="http://xmlns.oracle.com/apps/fnd/soaprovider/plsql/fnd_user_pkg/testusername/">
            <ns1:InputParameters>
                <ns1:X_USER_NAME>OPERATIONS</ns1:X_USER_NAME>
            </ns1:InputParameters>
        </soap:Body>
    </soap:Envelope>
    [Response Payload]
    <env:Envelope
      xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header/>
    <env:Body>
      <env:Fault
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
       <faultcode
         xmlns="">SOAP-ENV:Server</faultcode>
       <faultstring
         xmlns="">SYSTEM_ERROR</faultstring>
      </env:Fault>
    </env:Body>
    </env:Envelope>
    With regards,
    Veerendra S.

    Hi,
    "No receiver could be found" means check your Receiver Determination. Activate and update the cache. Asynchronous messages can be manually restarted.
    Have you seen these threads:
    NO_RECEIVER_CASE_ASYNC
    No receiver could be determined
    regards,
    ganesh.
