NAC for wireless layer 3 oob

joachim_chan
Level 1

Hi,

Has anyone implemented NAC for wireless layer 3 OOB? This is using NAC Appliance, not ISE.

What I did is to configure the WLC as per the layer 2 OOB setup, configure SVI 669 (authentication/quarantine VLAN) on the switches that hold the WiSM, and PBR all VLAN 669 traffic to the test CAS untrusted interface.

The problem now is that I'm not able to get an IP from DHCP after associating. DHCP works when tested on wired. Is there any additional config to be done on the WLC, or am I doing it right?

The test CAS/CAM are upgraded to version 4.8.2.

Regards

Joachim



Nicolas Darchis
Cisco Employee

PBR is the only required difference between l2 and l3.

Can you check in a debug client on the WLC whether the packets are leaving? Check with a sniffer trace where they get lost.

Not sure how you did your policy-based routing, but the DHCP packets are unicast from wireless clients. You could have them broadcast as in wired if you disable the DHCP proxy behavior of the WLC.

Thanks for your reply, I will try the debugs.

The DHCP proxy has already been disabled. PBR is done for all authentication VLAN 669 as source. I suppose, when the DHCP request hits the SVI interface, the IP helper will forward it to the DHCP servers and it will not be under policy-based routing since the source doesn't fall under VLAN 669.
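As an added illustration of the PBR arrangement described in the posts above (this is not configuration from the thread, from the poster's switches, or from Cisco documentation), the following IOS fragment shows the quarantine SVI, an ACL that matches the authentication VLAN as source, and a route-map that sends matching traffic to the CAS untrusted interface. All addresses are constructed assumptions: VLAN 669 = 10.66.9.0/24 with SVI 10.66.9.1, DHCP server 10.1.1.10, CAS untrusted interface 10.66.10.2 reached over a transit VLAN 670. Exempting DHCP from the policy is a design choice added here, not something the thread states.

```ios
! Added example, not from the thread: L3 OOB quarantine VLAN with PBR toward the CAS.
! Constructed addresses (assumptions): VLAN 669 = 10.66.9.0/24, SVI 10.66.9.1,
! DHCP server 10.1.1.10, CAS untrusted interface 10.66.10.2 on transit VLAN 670.
!
! DHCP is exempted so that unicast renewals (client -> server, source in VLAN 669)
! are not policy-routed to the CAS but follow the normal routing table, the same
! path the initially relayed request takes.
ip access-list extended NAC-AUTH-VLAN-TO-CAS
 remark PBR match: quarantine clients only, DHCP excluded
 deny   udp 10.66.9.0 0.0.0.255 any eq bootps
 permit ip 10.66.9.0 0.0.0.255 any
!
route-map NAC-AUTH-TO-CAS permit 10
 match ip address NAC-AUTH-VLAN-TO-CAS
 set ip next-hop 10.66.10.2
!
! SVI for the authentication/quarantine VLAN that WLC clients land in before login.
interface Vlan669
 description NAC authentication/quarantine VLAN
 ip address 10.66.9.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip policy route-map NAC-AUTH-TO-CAS
!
! Transit VLAN toward the CAS untrusted (Eth1) interface.
interface Vlan670
 description Transit to CAS untrusted interface
 ip address 10.66.10.1 255.255.255.0
!
! Verification (run from enable mode):
!   show route-map NAC-AUTH-TO-CAS   -> policy-matched packet/byte counters
!   debug ip policy                  -> per-packet policy routing decisions
```

The interface policy applies only to packets received on Vlan669. The DHCPDISCOVER that the switch relays through ip helper-address is generated locally with the SVI address as its source, so it is not matched by the route-map and goes to the DHCP server by the routing table, which is the behaviour the post above describes. If the policy counters in show route-map do not increase while a client is associated, the client traffic is not reaching the SVI at all, and the WLC debug or a sniffer trace is the next place to look.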

joachim_chan
Level 1

I was reading this and got more confused.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/ch5_2_SPMb.html#wp1299921

It states that

Regardless of the gateway method of the NAC appliance, any dynamic interface (VLAN) associated with a WLAN that requires NAC services should be trunked directly to the untrusted interface (Eth1) of the NAC appliance. There should be no corresponding SVI configured on the Catalyst 6000 for these VLANs.

So does that mean that for a wireless NAC layer 3 setup, I still need to trunk it back to my CAS, and not PBR?

Well if you have to do that, it's not layer 3 anymore :-)

I think they mean that you have to do it regardless of VGW or RIP, but that's for layer 2 still.

Everyone can make a mistake and it seems I did a big one :-)

L3 wireless OOB was not supported until the last version:

- Wireless L3 OOB RIP has been introduced in 4.8.2.
- In order to support wireless in an L3 OOB RIP deployment, DHCP release and renew values were propagated from the CAS to the client so that the client can perform an IP refresh.
- The configuration of the WLC and APs needs to be done as in Wireless L2 OOB VGW deployments.
- There are no ports on the WLC, hence a port profile is not required.
- The WLC allows only two VLANs, namely the Quarantine (Auth) and Access VLANs. Hence the support for user role VLANs is not there in wireless deployments.
- iPhone/iPad support is also not present. The reason is that the IP address cannot be refreshed on iPhone/iPad due to lack of support for Java Applet/ActiveX.
- The authentication trap control needs to be checked in order for the WLC to send the 599.0.4 trap.

Not a problem, I got things running: getting an authentication VLAN IP address >> authentication >> posture. One thing not working is the refresh of the IP address.

FYI, I managed to make it work for IP refresh. I made a stupid mistake: I chose the RIP setting on the CAS; it should be RIP OOB. Jeez.

Also, iPhone/iPad is not supported?? That's bad!

Latest update: from Android mobiles we are unable to authenticate; we are getting the below message:

Unable to process out-of-band login request from [00:00:00:00:00:00 ## 172.30.104.88] s110060. Cause: MAC address of 172.30.104.88 not found.

The error message means that the CAM didn't get the notification from the WLC that the client came online. So probably an SNMP community/trap issue.

Regarding iPhone/iPad, I find it funny how people blame other companies' non-support of iPhones/iPads when it's Apple releasing a nice-looking product but not supporting basic things like fast roaming on wireless, Flash, etc. :-)

As the note was saying, the problem is that there is no way to "force" the iPhone/iPad to renew its IP address.

I did a tcpdump on the CAM; it sees the trap. From discovered wireless clients I see my mobile device's IP and MAC address. It's working for Windows XP/7 but not for mobile devices. I'll probably open a TAC case.

As for iPhone/iPad, that's why I'm using an Android phone instead. lol.. The majority of users use iPhone here, so can't blame the organisation for looking into Apple support.