Is DHCP Server Mandatory for NAC Deployment?

SWAPNIL VITE · ‎09-06-2012

Dear Experts,

Is it Mandatory to have DHCP Server for NAC Deployment?

We want to deploy NAC for 500-600 users across WAN. We are planning for L3-OOB-Real Gateway central deployment Solution.

We are having one NAC Server (3355) - with 1500 users license & one NAC manger (3315) with 3 NAC Server Licnese.

Currently there is no DHCP Server in Network. All users are having Static IPs to their desktops/Laptops.

20 Remote offices are managed by ISP.

So please clarify, whether we can deploy NAC without DHCP or it is mandatory? Is it documented in cisco site ?

Please provide the prerequisites for NAC deployment.

Tarik Admani · ‎09-06-2012

Hi,

If you are doing out of band eployment then dhcp will be required, you will have to route your initial traffic through the Clean Access Server, however once the out of band feature kicks in it will move the client from the "unauthenticated" vlan to the "authenticated or trusted" vlan. Here is some documentation that will help you with the flow:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_L3oob.html#wp1089652

If you plan on performing L3 In Band then you are good to go, the only reason you need dhcp is because of your policy based routing where initial traffic always has to flow through the CAS.

Thanks,

Tarik Admani
*Please rate helpful posts*

SWAPNIL VITE · ‎09-06-2012

Hi Tarik,

Thanks for your Inputs, Can you also help us with prerequisites of each NAC deployment mode.

Tarik Admani · ‎09-06-2012

Hi,

I havent come across anything written as a pre-requisite but if based on my experience working with Clean Access DHCP server is only required for the following scenarios:

Real-IP Gateway - out of band, once again the reason is that a policy based route or other methods to force the untrusted subnet over to the clean access server for inspectioin and authentication, you need a dhcp server so that when a user passes the clean access policies, their vlan is changed and they obtain another ip address which places them on the production vlan
Virtual Gateway OOB when assigning user based vlans - this means that if the users are assigned to a different vlan than the intial vlan mappings. So if a user is on vlan 100 and that is mapped to vlan 10, then they will have an ip address on vlan 10 while their port is on vlan 100. So in this case the CAS acts as a transparent firewall and swaps the vlan tags from vlan 100 to 10 for initial traffic that is clean, when the user meets the policies if they are changed to vlan 20 then you will need a dhcp server.

Where you do not require a dhcp server:

All InBand deployments, the CAS acts like a transparent firewall and you can use features like role based traffic filters, and bandwidth restrictions.
Virtual Gateway OOB while assigning the user to the trusted vlan that they are originally mapped to. If we go back to our last example we see that the user is mapped from vlan 100 to vlan 10. So their ip address is on vlan 10, if the manager sets the vlan back on vlan 10, then they will have full access without having the need to change the users ip address.

Let me know if this makes sense.

Thanks,

Tarik Admani
*Please rate helpful posts*

SWAPNIL VITE · ‎09-06-2012

Hi Tarik,

Thanks Again for your valuable inputs,

IN L3 OOB Real IP GW Mode, we can use CAS as a DHCP Server.

In CAS config guide it is given thatIt allocates client IP addresses for the managed (untrusted) network.

Initially When user in Untrusted network, after posture assessment user will need IP address from Trusted Network.

For this should we have separate DHCP Server ? or

Can we configure this CAS DHCP Server for trusted (Employee) network as well ?

Since we dont have a DHCP Server in network?

game123 · ‎01-13-2014

Not really ! But depends on your solution sketch up .