NAC deployment on Remote Branch

syedaltaf.shah
Level 1

Hello guys,

I need help deploying Cisco NAC on a remote branch. I did all the necessary steps & configs but still no luck. On the main site we have an OOB Real-IP Gateway deployment. All of the campus is deployed, but for the remote branch it is not working. We have firewalls & routers in between (of course); I have allowed IP any to the NAC Server & Manager, but still no luck.

Is there any point I am missing? Do I have to do some extra config for the remote branch?

18 Replies

The issue is that after installing the Agent on the client, it switches to the untrusted VLAN, but the NAC agent seems to be dead: no activity, not showing anything, maybe not communicating with the CAS or CAM.

In the firewall there is an access-list for IP any to the CAM & CAS, so it means no blocks from the firewall. Even the CAM is able to manage the remote switches (changing VLANs, assigning port profiles, etc.).

Syed,

Did you generate the CAS certificate from the untrusted interface?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_admin.html#wp1136393

Also what is the discovery host for the agent set to?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_agntd.html#wp1050646

Also, do you have L3 support enabled on the CAS? And make sure that you do not have a managed subnet configured for these clients, since that will break the L3 discovery mechanism for these end users.

Please post a few screenshots of your static routes that are defined on the CAS.

Thanks,

Tarik Admani

Dear Tarik,

For the above questions:

1. Yes, the CAS certificate is generated.

2. Yes, L3 support is enabled.

3. The discovery host is the CAM IP.

4. Make sure that you do not have a managed subnet configured for these clients:

How & where do I verify this?

5. Here is the static route for the remote branch:

Subnet 192.17.25.0/255.255.255.0 -> 192.17.8.19 (gateway), untrusted

Did you generate the certificate on the CAS so it resolved to the untrusted interface?

You can find the managed subnet configuration here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_addSrvr.html#wp1060206

Also keep in mind, for any changes you make related to certificates or network settings, you must reboot the CAS for those changes to take effect. Please reboot the CAS and see if that resolves your issue.

I also wanted to verify how you were able to get the download page. The reason is that if you are not being automatically redirected to the page, then most likely all the client traffic isn't being redirected either. For troubleshooting you may want to change the discovery host of the agent to the untrusted IP of the CAS and see if that causes the agent to pop up.

Thanks,

Tarik Admani
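As an added illustration of the checklist in this thread (not code from the original posts or from Cisco), the script below encodes the conditions a remote-branch client subnet needs for L3 agent discovery through the CAS: L3 support on, no managed subnet covering the branch, a static route for the branch, and a certificate matching the untrusted interface. The CAS settings are constructed; the untrusted IP 192.17.8.20 and CAM IP 192.17.8.5 are assumed, only the branch subnet and gateway come from the thread.

```python
import ipaddress

# Constructed CAS settings mirroring the thread (not taken from a real device).
CAS = {
    "untrusted_ip": "192.17.8.20",         # assumed untrusted-interface address
    "cert_cn": "192.17.8.20",              # subject CN of the CAS certificate
    "l3_support": True,                    # "L3 support" enabled on the CAS
    "managed_subnets": ["10.10.10.0/24"],  # L2 campus VLANs only
    "static_routes": {"192.17.25.0/24": "192.17.8.19"},  # branch -> gateway (untrusted)
    "discovery_host": "192.17.8.5",        # assumed CAM IP, as in the thread
}


def check_remote_branch(cas, client_subnet):
    """Return a list of findings that would stop L3 agent discovery for client_subnet."""
    net = ipaddress.ip_network(client_subnet)
    findings = []
    if not cas["l3_support"]:
        findings.append("L3 support disabled on CAS")
    # A managed subnet covering the branch makes the CAS treat those hosts as
    # L2-adjacent and breaks the L3 discovery mechanism raised in the thread.
    for managed in cas["managed_subnets"]:
        if net.overlaps(ipaddress.ip_network(managed)):
            findings.append(f"managed subnet {managed} covers {client_subnet}")
    # Without a static route the CAS cannot answer the branch via the untrusted side.
    if not any(net.overlaps(ipaddress.ip_network(r)) for r in cas["static_routes"]):
        findings.append(f"no static route for {client_subnet} on CAS")
    # The agent's SSL session is to the untrusted interface, so the certificate
    # must be issued for that address (an FQDN resolving to it would also do; the
    # exact-match check here is a simplification).
    if cas["cert_cn"] != cas["untrusted_ip"]:
        findings.append("certificate CN does not match untrusted interface")
    return findings


if __name__ == "__main__":
    for finding in check_remote_branch(CAS, "192.17.25.0/24") or ["no findings"]:
        print(finding)
```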