Can we configure a PC with a static IP address to work with NAC

yasirirfan
Level 4

Dear All

We have an out-of-band NAC implementation. Our implementer is telling us we cannot configure NAC on any devices which are configured with a static IP address, and that we have to bypass them. Is this right?

Best regards,

Yasir

6 Replies

That depends on what you want to achieve. You won't be able to profile that PC through DHCP messages, but it can be profiled in other ways, such as HTTP. And a PC with a static IP can also run the NAC Agent.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten,

Using static IP addressing with OOB will not work, and NAC does not profile users; Clean Access only profiles users with a dedicated appliance like the NAC Profiler, which is a completely different topic with respect to OOB.

For OOB to work you will have to use DHCP so that clients are first placed on the VLAN that runs inline with the NAC, so users can be validated to meet your requirements. Then the Clean Access Manager sends an SNMP set message to change the user VLAN; it is up to the NAC Agent at that point to refresh the client's IP address (by detecting the VLAN change) in order to have the client refresh its IP on the new VLAN.

I hope this helps.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

I must confess that I didn't think that it really was about Clean Access ... I was thinking about ISE.

My last CCA contact is already some years old, but if the subnet doesn't change when moving from the initial to the new VLAN, shouldn't it work then? I am just trying to remember the workflow: the user connects a PC with a static IP that matches the network in the initial VLAN, the switch sends a MAC notification, the NAA discovers the way to the NAS, the PC gets postured, and the switchport gets moved to the correct VLAN, where the static IP is also valid. Shouldn't that work?


Sorry about my previous message, I wasn't trying to flame you.... You are correct with ISE: since it uses RADIUS, you can temporarily redirect all user traffic based on the redirection URLs, etc.

You are correct if you are only using a 1:1 authentication VLAN to access VLAN mapping (for example 110 > 10); however, if you have different levels of access (admin, staff, operator), different VLANs will have to be rolled out, and that is where the deployment breaks.

Hope that makes sense,

Here is the traffic flow for OOB:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml#oobm
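A worked model of the point made in the two replies above (the SNMP-driven VLAN move works for a static client only when the 1:1 mapped access VLAN carries the same subnet as the authentication VLAN, and breaks as soon as roles map to different VLANs). This is an added example, not code from the thread, from Cisco or from the Clean Access product. The VLAN numbers, subnets, client names, ifIndex values, switch name and SNMP community are all constructed; the only real identifier is the vmVlan object of CISCO-VLAN-MEMBERSHIP-MIB, which is what an SNMP set to move an access port targets.

```python
"""Model of the out-of-band (OOB) Clean Access VLAN switch.

Constructed example: every VLAN, subnet and client below is made up for
illustration. It is not code from the original thread or from Cisco.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, Optional, Tuple

# vmVlan from CISCO-VLAN-MEMBERSHIP-MIB: the object an SNMP set writes to
# move an access port to another VLAN. The instance index is the ifIndex.
VMVLAN_OID = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    subnet: IPv4Network


@dataclass(frozen=True)
class Client:
    name: str
    if_index: int                  # switchport ifIndex (constructed)
    role: str                      # role assigned after posture, e.g. "staff"
    static_ip: Optional[IPv4Address]   # None means the client uses DHCP


def snmpset_command(switch: str, community: str, if_index: int, vlan_id: int) -> str:
    """net-snmp CLI equivalent of the SNMP set that moves the port."""
    return (f"snmpset -v2c -c {community} {switch} "
            f"{VMVLAN_OID}.{if_index} i {vlan_id}")


def outcome(client: Client, auth_vlan: Vlan, access_vlan: Vlan) -> str:
    """What happens to the client's address once the port moves auth -> access.

    'ok'       : static address is still valid in the new VLAN, nothing to do
    'renew'    : DHCP client; the agent must trigger a release/renew
    'stranded' : static address is not in the new subnet; the client loses
                 connectivity and has to be bypassed or readdressed
    """
    if client.static_ip is None:
        return "renew"
    if client.static_ip not in auth_vlan.subnet:
        # A static address that is not even valid in the auth VLAN never
        # reaches the manager in the first place.
        return "stranded"
    return "ok" if client.static_ip in access_vlan.subnet else "stranded"


def plan(clients: Iterable[Client], auth_vlan: Vlan, role_vlans: Dict[str, Vlan],
         switch: str = "sw1", community: str = "private") -> Dict[str, Tuple[int, str, str]]:
    """Per client: target VLAN id, the SNMP set that would be issued, and outcome."""
    result = {}
    for c in clients:
        target = role_vlans[c.role]
        result[c.name] = (target.vlan_id,
                          snmpset_command(switch, community, c.if_index, target.vlan_id),
                          outcome(c, auth_vlan, target))
    return result


# Constructed topology: auth VLAN 110 carries 10.1.10.0/24.
AUTH_VLAN = Vlan(110, IPv4Network("10.1.10.0/24"))

# Scenario A: 1:1 mapping (110 > 10); access VLAN 10 carries the same subnet.
ONE_TO_ONE = {"staff": Vlan(10, IPv4Network("10.1.10.0/24")),
              "admin": Vlan(10, IPv4Network("10.1.10.0/24"))}

# Scenario B: role-based mapping; admins land in VLAN 20 with its own subnet.
ROLE_BASED = {"staff": Vlan(10, IPv4Network("10.1.10.0/24")),
              "admin": Vlan(20, IPv4Network("10.1.20.0/24"))}

CLIENTS = [
    Client("pc-dhcp", 10001, "staff", None),
    Client("pc-static-staff", 10002, "staff", IPv4Address("10.1.10.50")),
    Client("pc-static-admin", 10003, "admin", IPv4Address("10.1.10.51")),
]

if __name__ == "__main__":
    for label, mapping in (("1:1", ONE_TO_ONE), ("role-based", ROLE_BASED)):
        print(f"== {label} mapping ==")
        for name, (vid, cmd, res) in plan(CLIENTS, AUTH_VLAN, mapping).items():
            print(f"{name:18s} -> VLAN {vid:3d} {res:9s} {cmd}")
```

Running it shows every static client as `ok` under the 1:1 mapping and the static admin PC as `stranded` under the role-based mapping, which is exactly the case the reply says breaks the deployment; a DHCP client is always `renew`, i.e. it depends on the agent noticing the VLAN change and renewing.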

Yasir,

As you know, there are different ways of deploying Clean Access. You can use static IP addressing, but I haven't had much success with it and I often tell customers to move away from this approach and use DHCP. The way Clean Access works is that it intercepts all DHCP broadcasts that sit on the same VLAN as one of its virtual interfaces. Once it receives the broadcast it starts to build an internal MAC address table and then retags the DHCP request to the clean VLAN, using the VLAN mapping feature when in virtual gateway mode.

However, this all changes with Real-IP....

Tarik Admani

Sorry about my previous message, I wasn't trying to flame you....

I didn't feel it that way ...

Hope that makes sense

Absolutely. And when thinking about CCA, I think we also had PCs with static IPs involved. But because of the IP-renew problems we simplified the setup with the 1:1 relationship for VLANs.

And that's what I really love about the new model based on CoA and changing the interface ACL: all these problems can be avoided in many cases.


Octavian Szolga
Level 4

Hi,

Can someone please confirm that the NAC Agent (preinstalled with no XML file) works with static IP addressing on PCs?

I've noticed that the NAC Agent launches on a PC with dynamic IP addressing, but if the same PC has static IP addressing it doesn't do anything. In both cases the redirection works, so this is not the problem.

I'm using ISE 1.1.3 with patch 2 installed and NAC Agent 4.9.0.51.

To be noted: at the moment I don't want to provision the XML file to NAC Agent users; I only want to test that the redirection and pop-up work as they should.