topic Re: WLC 9800 - NAC State feature in Wireless

WLC 9800 - NAC State feature

tiluna — Fri, 30 Jun 2023 16:30:46 GMT

Hi,

I'm trying to figure out on what WLAN's I would use this feature on. Is this specifically for CWA?

Thanks

Re: WLC 9800 - NAC State feature

Mark Elsen — Fri, 30 Jun 2023 16:49:50 GMT

- If you are referring to Network Access Control ; let's say to start with it is a common feature usually used on all your WLAN's ; have a look at this document : https://community.cisco.com/t5/security-knowledge-base/ise-and-catalyst-9800-series-integration-guide/ta-p/3753060

Re: WLC 9800 - NAC State feature

Flavio Miranda — Fri, 30 Jun 2023 16:56:08 GMT

NAC State is not only for CWA, it is also used for 802.1x. The concepct of NAC state come from the past. You can see that on the WLC for AirOS you have three option about NAC State:

NAC ISE , SNMP NAC and None.

You can choose NAC ISE for use ISE Server as NAC and you can choose SNMP NAC for NAC out-of-the band.

If you were to deploy Wireless out-of-band you need to choose SNMP NAC but I never saw this kind of deployment.

Table 4-1 Wireless In-Band vs. Out-of-Band Deployment

Wireless In-Band Deployment Characteristics	Wireless Out-of-Band Deployment Characteristics
The Clean Access Server (CAS) is always inline with user traffic (both before and following authentication, posture assessment and remediation). Enforcement is achieved through being inline with traffic.	The Clean Access Server (CAS) is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not come to the CAS. Enforcement is achieved through the use of SNMP to coordinate with Wireless LAN Controllers (WLCs) and to assign/reassign VLAN assignments.
The CAS can be used to securely control authenticated and unauthenticated user traffic.	The CAS can control user traffic during the authentication, assessment and remediation phase, but cannot do so post-remediation since the traffic is Out-of-Band.
Bandwidth restricted to maximum allowable throughput for installed Clean Access Server(s).	Out-of-Band bandwidth not restricted by Clean Access Servers in network, as all client traffic bypasses CASs once clients are authenticated.

Re: WLC 9800 - NAC State feature

tiluna — Fri, 30 Jun 2023 17:38:33 GMT

Thank you. I guess I was a little confused since this article that deals with iPSK doesn't have to enabled:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216130-configure-catalyst-9800-wlc-ipsk-with-ci.html

Re: WLC 9800 - NAC State feature

Flavio Miranda — Fri, 30 Jun 2023 17:51:14 GMT

Got it.

I have no experience with iPSK but for standard 802.1x authentication, it is requested the NAC State is checked. But there was some change for 9800. We can see that the alternatives now is NAC type RADIUS and XWF.

Re: WLC 9800 - NAC State feature

Rich R — Sat, 08 Jul 2023 15:22:23 GMT

NAC is also just used to enable CoA (Change of Authorization) in conjunction with "aaa server radius dynamic-author" as in https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html