topic Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB in Network Security

Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB mode

s.demosthenous — Fri, 21 Feb 2020 12:06:30 GMT

Hello,

Our client has a network with 20 CAS pairs and 1 CAM pair all with v4.7.2.The wired users are all pass through NAC for authentication.

We now want to implement the same setup for the wireless users. The client has a WLC 4404 with v6.0.199.For the need of NAC authentication 1 pair of CAS has been implemented.

I have followed the document NAC Out−Of−Band (OOB) Wireless Configuration Example

(http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml).

I have also checked the guides for CAM(V4.7.2) and WLC(V6.0).

The issue is that the implementation of NAC and WLC is not working. The users are connecting like there is no NAC in between. From the troubleshooting I have performed it seems that the WLC is not communicating correctly with the CAM.I can only see Disassociation traps from the WLC.

Is there any updated document or any other info that can help me to solve the issue?

Thank you,

Stratos Demosthenous

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Tiago Antunes — Fri, 08 Oct 2010 10:50:17 GMT

That document is a nice one and contains all needed to have it working.

Please make sure that accounting is configured on the WLAN so that the WLC can send the accounting start to the CAM.

Also, plese verify if you have the NAC check box enabled on the WLAN.

Is the quarantine interface configured on the WLC?

What is exactly the client behavior?

Does the client get an IP address?

Does the Clean Access Agent pops up?

Thanks,

Tiago

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

s.demosthenous — Fri, 08 Oct 2010 19:34:43 GMT

Hello Tiago,

NAC checkbox and quarantine interface is enabled on WLC.

The client behaviour is like before i enable the NAC:it connects to the SSID and access the network.No agent or redirction page appears.

As far as the Radius accounting feature do i have to enable it even though SSO feature is not enabled?

If i enable the Radius accounting will i see discoverd clients on the CAM?

Thank you,

Stratos Demosthenous

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Nicolas Darchis — Sat, 09 Oct 2010 07:00:33 GMT

Just a note from the controller perspective.

The interface vlan must be the NAC access vlan and what WLC calls "quarantine vlan" is the NAC authentication vlan.

When a client is wireless connected, go in the monitor client page and check the client details. In which vlan is it placed? is it NAC_REQD state or RUN state ?

If it's run, it means it somehow got the OK from the CAM while if it's NAC_REQD, it means the WLC is doing its job but apparently your quarantine vlan allows network access.

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Federico Lovison — Wed, 13 Oct 2010 20:26:17 GMT

> As far as the Radius accounting feature do i have to enable it even though SSO feature is not enabled?

> If i enable the Radius accounting will i see discoverd clients on the CAM?

For Wireless SSO you have to point the RADIUS accounting to the CAS.. not the CAM.

You will be able to see the users under the "active VPN clients"; the VPN terminology comes by the fact that Wireless and VPN SSO actually share the same method, being RADIUS accounting from either the WLC or the VPN gateway.

However, if for now you don't see any web redirection nor agent pop-up, I'd check the WLC dynamic interface config for the access and quarantine VLAN, but also the VLAN mapping and managed subnet configuration on the VGW CAS.

Regards,

Federico

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

s.demosthenous — Mon, 25 Oct 2010 08:15:19 GMT

Hello all,

Thank you for your inputs.

The problem in the end was not the configuration/nor the software of the WLC but the operation of the device itself.

I configured the Wism module(same software version as the Wlc) on the 6500 switch that the client has and moved the wireless configuration to it.

By the minute i performed this the NAC opration worked!!!!

I have also enabled SSO using Windows AD in order for the user to have the same feeling as its wired connection.That also worked from the start.

It seems that the WLC has a lot of problems and Cisco needs to solve them out.

Thank you,

Stratos Demosthenous

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Nicolas Darchis — Mon, 25 Oct 2010 08:24:11 GMT

Hi Stratos,

I strongly doubt that it's a platform problem. Especially since a Wism blade is actually 2 WLC 4404 assembled in a blade, so the platform IS really the same.

I'm quite sure that there is something different in your setup between the wism and the WLC so you might want to check on their differences. It can be as simple as a vlan missing or something like this.

Regards,

Nicolas

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

s.demosthenous — Mon, 25 Oct 2010 09:06:28 GMT

Hello,

WLC was a temporary solution until Wism been placed to the network so there is no need to furhter troubleshoot.

Anyway since you doubt there is a problem with the WLC, have you performed such a setup and worked?

If yes please post it in order to use for future clients.

Thank you,

Stratos Demosthenous

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Nicolas Darchis — Mon, 25 Oct 2010 09:37:30 GMT

We don't have such a setup always ready at disposal, but we'll sure consider posting config examples of NAC + WLC OOB actually. thanks for the request.

Nicolas