topic Re: NAC - wanna test the basic setup - does not work !!!! in Network Security

NAC - wanna test the basic setup - does not work !!!!

game123 — Fri, 21 Feb 2020 11:54:34 GMT

SCENARIO :

· I have simple NAC setup with 1 NAC MGR “CAM” and 1 NAC SRVR “CAS”

· My users are running network 192.168.10.x/24 , and I wanna implement in L2 VG mode. Both NAC MGR and NAC SRVR can ping each other.

· CAM VLAN 55 = 192.168.55.x/24 , and CAS VLAN 66 = 192.168.66.x/24

· NAC MGR “CAM” has only 1 cable going to the core switch and NAC SRVR has 2 cables going to the core switch ( one is trusted trunk end and another is untrusted trunk end) . Created two VLANS 999 and 998 and put each of them on each link as blackhole prevention mechanism described in Cisco docs.

· I have a Windows 2008 DHCP Server who is giving the pool of IPs for users from 192.168.10.x/24 and it is working fine. Routing in the core switch is also ok.

· I have SSH and web access to both CAM and CAS boxes. They are also updating online smoothly.

· From the GUI, I have created the AV Rules also and CAM shows CAS as connected as well !!!! My version is 4.1.8 (upgraded from 4.1.3 )

INT VLAN 10 (USER VLAN) SVI is on core switch = 192.168.10.254 /24

INT VLAN 55 ( MGMT ) SVI is on core switch = 192.168.55.254/24

INT VLAN 66 (MGMT) SVI is on core switch = 192.168.66.254/24

PROBLEM :-

1. I am not able to download or get the NAC Client software MSI or stub file or ActiveX prompt to download ….

2. I don’t know how to start troubleshooting at this stage. Please note that My client PC is windows XP machine and the port is already configured to VLAN 100.

I have 1 CORE switch only and my NAC boxes and client are connected to the same CORE switch.

Re: NAC - wanna test the basic setup - does not work !!!!

Faisal Sehbai — Fri, 19 Mar 2010 20:36:07 GMT

Hello,

What's your untrusted vlan, and do you have the vlan mapping set in the CAS yet?

Faisal

Re: NAC - wanna test the basic setup - does not work !!!!

game123 — Sat, 20 Mar 2010 08:36:06 GMT

VLANS Mapping is done in CAM, i didnt find any field in CAS...

Also, i am copying the switch port configs... ( a simple logical connectivity diagram was attached also to this discussion already )

VLANS DATABASE

==============

vlan 10

name AuthVLAN

vlan 11

name TEST_VLAN_USER

vlan 55

name NAM_mgmt

vlan 998

name DummyVLAN998

vlan 999

name DummyVLAN999

*** Only SVI is VLAN 10 with network = 192.168.11.x/24 , there is no SVI for VLAN 11 ***

Following ports are configured as follows :-

============================================

interface GigabitEthernet2/9

description ** NAS's untrusted interface **

switchport

switchport trunk native vlan 999

switchport trunk allowed vlan 11

switchport mode trunk

no ip address

interface GigabitEthernet2/10

description **** NAS Mgmt interface IP 192.168.66.1 *****

switchport

switchport trunk native vlan 998

switchport trunk allowed vlan 10,66

switchport mode trunk

no ip address

interface GigabitEthernet2/11

description *** Test User Acess Port ***

switchport

switchport access vlan 11

switchport mode access

no ip address

interface GigabitEthernet2/12

description ***** Connected to Eth0 NAM on IP 192.168.55.1 ***

switchport

switchport access vlan 55

switchport mode access

no ip address

spanning-tree portfast

spanning-tree bpduguard enable

*** FROM THIS core switch I can ping 192.168.66.1 and also 192.168.55.1 with comfort ***

** Please note that actual IPs are 192.168.x.y and not 10.10.x.y respectively

Re: NAC - wanna test the basic setup - does not work !!!!

Faisal Sehbai — Sat, 20 Mar 2010 18:57:54 GMT

Click on CCA Servers, Manage my server, and post the screen shots of all tabs for your CAS.

Faisal