topic NAC deployment on Remote Branch in Network Access Control

NAC deployment on Remote Branch

syedaltaf.shah — Mon, 11 Mar 2019 02:15:23 GMT

Hello guys,

I need help for deploying Cisco NAC on remote branch. i did all the necesary steps & configs but still no luck, On main site we have OOB-Real IP Gateway deployment. all the campus is deployed but for remote branch it is not working, we have inbetween firewalls & routers(offcorse) i have allowed IP any to NAC Server & Manager. but still no luck.

Is there any point i am missing do i have to do some extra config for remote branch ?

NAC deployment on Remote Branch

Tarik Admani — Sun, 01 Jul 2012 05:53:26 GMT

Syed,

Can you give us a brief example of your current setup? Do you have PBR setup in order to force the users through the CAS during posture assessment, also do you have the static routes configured on the CAS that will route the traffic back to the clients? Also do you have the static routes configured so that if any response that needs to reach these clients are set to go through the trusted ip address of the CAS?

Thanks

Tarik Admani

If you can post a visio please do so, it will make it much easier to see what the path is for the clients and the CAS'

NAC deployment on Remote Branch

syedaltaf.shah — Sun, 01 Jul 2012 06:18:51 GMT

Hi Tarik,

sorry i cannot paste visio, i will giv you brief, All of the answers Yes i did.

1. NAC CAM & CAS both in Datacenter.

2. Our campus is big, so we have routing within Campus, and on each branch within campus we configured PBR on Branch Core Switches. whic is working fine for within the Campus.

3. The remote branch which is connected through IPVPN & Leased Lines, i have configured PBR on Core Switch as we did in Campus. Forced the Cient subnet to communicate only with CAS if in unauthenticated VLAN, and routed to CAS IP.

4. Did the Static route in CAS for this Branch Subnet.

5. Configured ACLs on ASA from any to CAS & CAM All IPs (Trust,Untrust,Virtual,real)

Is there anything else required ?

NAC deployment on Remote Branch

syedaltaf.shah — Sun, 01 Jul 2012 06:37:53 GMT

Dear Tarik,

is it spossible the default vlan creating problem ?? that Branch is using Default VLAN, the Normal VLAN is default VLAN1 & have created Vlan 10 for un-authenticated users.

NAC deployment on Remote Branch

Tarik Admani — Mon, 02 Jul 2012 03:08:45 GMT

Without understanding your network this is a little challenging to troubleshoot what you are facing. All clients must be on the unauthenticated vlan for their traffic to be isolated till they are authorized by the manager, where snmp is used to reassign the clients on the appropriate vlan.

Thanks,

Tarik

NAC deployment on Remote Branch

syedaltaf.shah — Mon, 02 Jul 2012 04:20:05 GMT

Dear Tarik,

i can draw u rough diagram, diagram in detail will be not possible. wud tht be enough ?

NAC deployment on Remote Branch

Tarik Admani — Mon, 02 Jul 2012 04:29:04 GMT

Yes,

We need to verify that your routing for the unauthenticated clients is symmetric and flows through the cas. You also want to configure the correct static routes.

NAC deployment on Remote Branch

syedaltaf.shah — Mon, 02 Jul 2012 08:06:57 GMT

Dear Tarik,

find below the rough diagram of this branch. i hope it helps ?

NAC deployment on Remote Branch

Tarik Admani — Mon, 02 Jul 2012 16:57:32 GMT

Syed,

From the remote branch are you forwarding all the tunneled traffic to the CAS virtual ip? Also with respect to static routes on the CAS are you pointing the untrusted clients subnets to the interface on the firewall?

When you open a web page to google for example what happens?

Thanks

Tarik Admani

NAC deployment on Remote Branch

syedaltaf.shah — Tue, 03 Jul 2012 04:32:32 GMT

Hi tarik,

1 From the remote branch are you forwarding all the tunneled traffic to the CAS virtual ip?

All traffic passing through tunnel, but un-authenticated traffic to CAS Virtual IP. through Policy.

2 Also with respect to static routes on the CAS are you pointing the untrusted clients subnets to the interface on the firewall.

No, its been routed to SVI on our core switches. we have CAS & CAM in Seprate VLAN, so routing those traffic to This interface on CoreSW.

Its not connected to internet. we hav no connection to internet, so anyway when it is in authenticated VLAN we cannot do anything, though i can reach to CAS & CAM IPs from clients but it is not shifted to normal VLAN,

NAC deployment on Remote Branch

Tarik Admani — Tue, 03 Jul 2012 04:41:26 GMT

Basically here is the traffic flow for example:

Unauthenticated clients are on 10.0.0.0/24, cas untrusted ip is 172.16.0.1/24 and trusted is 172.16.1.1/24
Unauthenticated traffic is routed to 172.16.0.1 via PBR for subnet 10.0.0.0/24
On your core switch you have a static route that points 10.0.0.0/24 to 172.16.1.1 (trusted CAS interface)
On your CAS configuration you have a static route that points 10.0.0.0/24 out the untrusted interface (over to the next hop which is usually the firewall interface).

I hope this makes senses, if it doesnt then you will need to contact your partner or open a TAC case so they can take a better look at your topology.

Thanks

Tarik Admani

NAC deployment on Remote Branch

syedaltaf.shah — Tue, 03 Jul 2012 05:17:55 GMT

Tarik,

On your core switch you have a static route that points 10.0.0.0/24 to 172.16.1.1 (trusted CAS interface)

You talking about the route in core switch of remote branch right???

i do not understand, first you are routing untrusted ip to untrusted interface of CAS then same traffic to trusted IP of CAS ?

NAC deployment on Remote Branch

Tarik Admani — Tue, 03 Jul 2012 14:41:57 GMT

Syed,

I apologize for the confusion. The traffic needs to be routed to the untrusted interface, where the CAS will then inspect the traffic and then route the interface through to its trusted interface, where it will hit the core. Your static routes in the core need to send any responses for these untrusted subnets back through the trusted interface, where the routing table inside the CAS will then send the traffic back out to the subnet for these clients. This is because the CAS do not support routing protocols.

I hope that clears up the confusion.

Re: NAC deployment on Remote Branch

syedaltaf.shah — Thu, 05 Jul 2012 05:53:32 GMT

thanks Tarik for clearification.

These all have already been done, as i said from the Clients, either in Untrusted VLAN or trusted VLAN i can reach to CAS & CAM Ip addresses. All untrusted traffic for clients been forwarded to CAS untrusted IP using policy map in core of remote site. but still not working.

Re: NAC deployment on Remote Branch

Tarik Admani — Thu, 05 Jul 2012 06:52:23 GMT

Can you share the issue you are having? Is the traffic being dropped at the server?

How are you able to verify that all the traffic is symmetrically routing through the Cas?

What ports do you have opened for the unauthenticate role? In real ip mode all dns traffic isn't allowed unless you allow it.

Thanks,

Sent from Cisco Technical Support iPad App

Re: NAC deployment on Remote Branch

syedaltaf.shah — Thu, 05 Jul 2012 09:49:15 GMT

The issue is after installing the Agent on client, it switches to untrusted vlan, but NAC agent seems to be dead, no activity or not showing anything, may be not communicating with CAS or CAM.

in firewall there is access-list for IP any to CAM & CAS. so it means no blocks from firewall. even CAM is able to Manage remote switches (changing vlan, assigning port profiles etc)

NAC deployment on Remote Branch

Tarik Admani — Thu, 05 Jul 2012 14:49:26 GMT

Syed,

Did you generate the CAS certificate from the untrusted inteface?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_admin.html#wp1136393

Also what is the discovery host for the agent set to?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_agntd.html#wp1050646

Also do you have L3 support enabled on the CAS and also make sure that you do not have a managed subnet configured for these clients since that will break the L3 discovery mechanisms for these end users.

Please post a few screenshots of your static routes that are defined on the CAS.

Thanks,

Tarik Admani

Re: NAC deployment on Remote Branch

syedaltaf.shah — Sun, 08 Jul 2012 04:51:11 GMT

Dear Tarik,

for the above questions.

1. Yes CAS certificate generated.

2. Yes L3 Suppor tenabled.

3. discovery host is the CAM IP.

4. make sure that you do not have a managed subnet configured for these clients

How & Where to verify this ?

5. here is a Static route for remote branch.

Subnet 192.17.25.0/255.255.255.0 - > 192.17.8.19 (gateway) untrusted

Re: NAC deployment on Remote Branch

Tarik Admani — Sun, 08 Jul 2012 04:56:43 GMT

Did you generate the certificate on the CAS so it resolved to the untrusted interface?

You can find the managed subnet configuration here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_addSrvr.html#wp1060206

Also keep in mind, any changes you make related to certificates or network settings, you must reboot the CAS for thoses changes to take into effect. Please reboot the CAS and see if that restore your issue.

I also wanted to verify how you were able to get the download page? The reason is that if you are not being automatically redirected to the page then most likely all the client traffic isnt being redirect either. For troubleshooting you may want to change the discovery host of the agent to the untrusted ip of the CAS and see if that causes the agent to pop up.

Thanks,

Tarik Admani