08-24-2012 03:45 AM - edited 03-10-2019 07:27 PM
Dear Experts,
Is it possible to deploy NAC without having a DHCP server in the network? We have some 300-400 users on the campus and want to enable NAC for them.
As per my understanding, Cisco NAC cannot be deployed without a DHCP server in the network; however, it is not documented anywhere on the site. Currently all users' machines are configured with static IPs.
We want to do user authentication, AV remediation and patch deployment through NAC. Is it possible to deploy NAC without a DHCP server?
Thanks in advance.
nayan
08-24-2012 03:49 AM
Hi,
You need a DHCP server in order to have the broadcast packets flow through the Clean Access Server. This helps the CAS build the MAC-address-to-IP mapping it needs.
You can consider using ISE, since it provides more flexibility.
Thanks,
08-24-2012 03:56 AM
Thanks Tarik for the quick answer.
Can you suggest some URL where it is mentioned that DHCP is a mandatory prerequisite for NAC deployment?
Thanks in advance.
08-24-2012 08:33 AM
Hi,
Here is the basic flow of Clean Access for both in-band and out-of-band: (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_white_paper0900aecd802bdc42.html)
Figure 1. Laptop Attempts to Access the Internal Network
1. When the laptop first accesses the network, the Cisco Clean Access Server determines that the computer's MAC address is not in the list of certified devices, and that laptop is placed into an unauthenticated role. While in this role, only User Datagram Protocol (UDP) Port 53 (Domain Name System [DNS]) and Dynamic Host Configuration Protocol (DHCP) traffic (via DHCP and VLAN passthrough) is allowed.
2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.
3. The laptop user opens a browser and is redirected to an SSL-based Web login page where she enters her credentials, which in turn map her into the "employee" role.
4. As an "employee," she is asked to download the Clean Access Agent.
5. The Clean Access Agent performs the posture assessment and forwards the results to the Clean Access Server to make the network admissions decision.
Tarik Admani
*Please rate helpful posts*
08-25-2012 11:07 AM
Here is some additional information for wireless, which requires disabling the DHCP proxy configuration. This is needed so that Clean Access will inspect the DHCP broadcasts in order to build its internal MAC address table.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_woob.html#wp1320606
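As an added illustration (this is not code from the thread, from Cisco, or from the Clean Access product), here is a small Python model of the point made in the replies above: an observer that can only learn MAC-to-IP bindings from the DHCP exchanges it sees will never learn anything about a host that is configured with a static IP. The packet bytes are constructed inline, and the choice of populating the table on DHCPACK and clearing it on DHCPRELEASE is an assumption made for the example; the thread does not document the CAS's actual rules.

```python
"""
Added example (not from the original thread or from Cisco): a toy version of
the MAC-to-IP learning that the replies above say the Clean Access Server does
by watching DHCP. It parses BOOTP/DHCP packets, records client MAC -> offered
IP on DHCPACK, forgets it on DHCPRELEASE (both assumptions for this example),
and shows that a statically addressed host is never learned. All packets here
are constructed test input.
"""
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPRELEASE = 1, 2, 3, 5, 7


def build_dhcp(op: int, msg_type: int, mac: bytes, yiaddr: str = "0.0.0.0",
               ciaddr: str = "0.0.0.0", xid: int = 0x3903F326) -> bytes:
    """Build a minimal BOOTP/DHCP packet with only option 53 (message type)."""
    def ip(s: str) -> bytes:
        return bytes(int(o) for o in s.split("."))
    # Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,
                         ip(ciaddr), ip(yiaddr), ip("0.0.0.0"), ip("0.0.0.0"),
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type, 255])          # option 53, then END
    return header + DHCP_MAGIC + options


def parse_dhcp(pkt: bytes) -> Optional[Tuple[int, int, bytes, str, str]]:
    """Return (op, msg_type, client_mac, yiaddr, ciaddr), or None if not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = pkt[0], pkt[1], pkt[2]
    if htype != 1 or hlen != 6:                      # Ethernet only
        return None
    ciaddr = ".".join(str(b) for b in pkt[12:16])
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    mac = pkt[28:34]
    # Walk the TLV options after the magic cookie looking for option 53.
    i, msg_type = 240, None
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                              # END
            break
        if code == 0:                                # PAD
            i += 1
            continue
        if i + 1 >= len(pkt):
            return None                              # truncated option
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type is None:
        return None
    return op, msg_type, mac, yiaddr, ciaddr


class MacIpTable:
    """A CAS-like observer: it learns bindings only from DHCP it can see."""
    def __init__(self) -> None:
        self.table: Dict[bytes, str] = {}

    def observe(self, pkt: bytes) -> None:
        parsed = parse_dhcp(pkt)
        if parsed is None:                           # not DHCP: nothing to learn
            return
        op, msg_type, mac, yiaddr, ciaddr = parsed
        if op == BOOTREPLY and msg_type == DHCPACK and yiaddr != "0.0.0.0":
            self.table[mac] = yiaddr                 # assumption: learn on ACK
        elif op == BOOTREQUEST and msg_type == DHCPRELEASE:
            self.table.pop(mac, None)                # assumption: forget on RELEASE

    def ip_for(self, mac: bytes) -> Optional[str]:
        return self.table.get(mac)


def demo() -> Dict[bytes, str]:
    """One DHCP client and one static host; only the DHCP client gets learned."""
    dhcp_host = bytes.fromhex("001122334455")
    static_host = bytes.fromhex("66778899aabb")     # static IP, never speaks DHCP
    t = MacIpTable()
    t.observe(build_dhcp(BOOTREQUEST, DHCPDISCOVER, dhcp_host))
    t.observe(build_dhcp(BOOTREPLY, DHCPOFFER, dhcp_host, yiaddr="10.1.1.50"))
    t.observe(build_dhcp(BOOTREQUEST, DHCPREQUEST, dhcp_host))
    t.observe(build_dhcp(BOOTREPLY, DHCPACK, dhcp_host, yiaddr="10.1.1.50"))
    # The static host only ever sends ordinary IP traffic (a bare IPv4 header
    # here), which the observer cannot use to build a binding.
    t.observe(b"\x45\x00\x00\x28" + b"\x00" * 36)
    assert t.ip_for(static_host) is None
    return dict(t.table)


def release_demo() -> Tuple[Optional[str], Optional[str]]:
    """Binding before and after the client releases its lease."""
    mac = b"\x01" * 6
    t = MacIpTable()
    t.observe(build_dhcp(BOOTREPLY, DHCPACK, mac, yiaddr="192.168.0.9"))
    learned = t.ip_for(mac)
    t.observe(build_dhcp(BOOTREQUEST, DHCPRELEASE, mac, ciaddr="192.168.0.9"))
    return learned, t.ip_for(mac)


if __name__ == "__main__":
    print(demo())
```

Run it and the table contains only the DHCP client. This is the situation the original poster is in: with every machine on a static IP there are no DHCP exchanges for the CAS to inspect, so a design that depends on learning bindings this way has nothing to work with, which is why the replies point at a DHCP server (or at ISE) rather than at a configuration knob.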