NAC Out of band deployment problem

narges3707
Level 1

Hi,

I have implemented the Cisco NAC solution in Layer 2 Virtual Gateway out-of-band mode, but I have a problem with the remediation process (I am using the NAC agent).

When clients are not compliant with my security policy, they move from the unauthenticated role to the temporary role. The problem is that users in the temporary role cannot ping anywhere. I want to allow users to connect to the internet and download the proper file, but they cannot. I created an access rule that permits everything for the temporary role, but it does not work.

I think the NAC server does not retag traffic correctly (I set a VLAN mapping rule that maps between my authentication and access VLANs).

Is it correct that the NAC server does VLAN retagging for all remediation traffic? If yes, how can I solve this problem?

Best regards

26 Replies

Hi,

Can you please post a screenshot of the interface settings from the UI? Also, is the CAS running in VMware as well?

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

If you mean the IP configuration of the CAS and CAM, I have sent it to you as an attachment.

Yes, both the NAC Manager and the NAC Server are installed on ESX 4.1.

Best regards

Dear Tarik Admani,

Could you please do me a favor and skim this document? It is for NAC 4.9 and it clearly says that your DG must be the SVI.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_deploy.html

Thanks,

Dear Admani,

When I changed the client's gateway to the IP address of the SVI on the 3750, the client's ARP request was received by the 3750 and it sent the reply, but the problem is that the client does not receive this reply, and I do not know why that happens.

This is the output on the C3750:

(10.10.50.4 is the client IP in the untrusted part of the NAS and 10.10.50.1 is the SVI IP on the 3750)

23:02:23: IP ARP: rcvd req src 10.10.50.4 14da.e9af.9d22, dst 10.10.50.1 Vlan50
23:02:23: IP ARP: sent rep src 10.10.50.1 0013.1aeb.9748,
                 dst 10.10.50.4 14da.e9af.9d22 Vlan50

Thanks,
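As an added example that is not part of the original thread, the following Python script pairs the 3750 "debug arp" request and reply lines quoted above and checks whether the reply the switch sent is among the ARP replies a client-side capture actually recorded; the client-side set is a constructed input and the function names are my own.

```python
import re

# Regexes for the two IOS "debug arp" line shapes quoted in the thread.
REQ_RE = re.compile(r"^(?P<ts>\S+): IP ARP: rcvd req src (?P<sip>\S+) (?P<smac>\S+), "
                    r"dst (?P<dip>\S+) (?P<vlan>Vlan\d+)")
REP_RE = re.compile(r"^(?P<ts>\S+): IP ARP: sent rep src (?P<sip>\S+) (?P<smac>\S+),\s*"
                    r"dst (?P<dip>\S+) (?P<dmac>\S+) (?P<vlan>Vlan\d+)")

# The debug output quoted in the thread (the reply wraps onto a second line in IOS).
SWITCH_DEBUG = """\
23:02:23: IP ARP: rcvd req src 10.10.50.4 14da.e9af.9d22, dst 10.10.50.1 Vlan50
23:02:23: IP ARP: sent rep src 10.10.50.1 0013.1aeb.9748,
                 dst 10.10.50.4 14da.e9af.9d22 Vlan50
"""

def join_wrapped(text):
    """Join IOS continuation lines (those starting with whitespace) onto the previous line."""
    out = []
    for line in text.splitlines():
        if line[:1].isspace() and out:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out

def analyse(switch_debug, client_replies_seen):
    """Per requesting client: did the switch reply on the same VLAN, and did the client see it?"""
    requests, replies = {}, {}
    for line in join_wrapped(switch_debug):
        m = REQ_RE.match(line)
        if m:
            requests[m["sip"]] = m.groupdict()
            continue
        m = REP_RE.match(line)
        if m:
            replies[m["dip"]] = m.groupdict()
    result = {}
    for ip, req in requests.items():
        rep = replies.get(ip)
        answered = rep is not None and rep["sip"] == req["dip"] and rep["vlan"] == req["vlan"]
        # client_replies_seen holds (sender IP, sender MAC) pairs from the client's Wireshark capture
        received = answered and (rep["sip"], rep["smac"]) in client_replies_seen
        if not answered:
            verdict = "switch never replied: check the SVI and the VLAN the client sits in"
        elif not received:
            verdict = "reply left the switch but never reached the client: check CAS VLAN mapping and trusted-to-untrusted policy"
        else:
            verdict = "ok"
        result[ip] = {"answered": answered, "received": received, "verdict": verdict}
    return result
```

Calling analyse(SWITCH_DEBUG, set()) reproduces the thread's situation: the switch answered, but the client capture holds no reply from 10.10.50.1.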

At this point there is much we can do when it comes to troubleshooting this setup because of the fact that you are using VMware in order to simulate the CAS appliance. It will be much easier to go with ISE since you are using this in your test lab anyway. You can achieve all the same features using RADIUS over SNMP for OOB management of clients, and the ACLs are much easier to manage and deploy for temporary network access, etc. ISE also comes with a 90-day in the ISO, so that should get you going.

Thanks,

Tarik Admani

Dear Admani,

Thank you for your reply.

Do you think the problem is caused by the ESX server?

When the client passes all the posture assessment correctly (and is not placed in the temporary role), everything works great, but when it fails, the problem begins.

Thanks,

It's hard to tell; it seems as if you have everything set up correctly. One assumption I made is that all traffic is allowed from the trusted to the untrusted side. If you state that the traffic works fine if the client passes all the checks, then your next option is to test the traffic in the reverse direction. In the screenshot that you posted for the temporary role, where you are allowing all TCP and UDP traffic, can you drop the box down so that the path shows from trusted > untrusted and make sure that all traffic is allowed?

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

Yes, I checked it; everything is allowed from both directions.

It is so strange why my clients could not get the ARP response from their default gateway. The C3750 responds to their request in the corresponding VLAN, but the response fades after that.

Thanks,

Were you able to validate by running a packet capture, or did you use arp -a on the client end to see that the ARP entry was incomplete? I would try to remove the rules and re-enter the rules again.

Thanks,

Tarik Admani
*Please rate helpful posts*

I am running Wireshark on the client and see that the client periodically sends a broadcast ARP to find the MAC of the DG, and I also see that the SVI on the 3750 answers these requests with the Int VLAN 50 MAC address, but after that I do not know what happens. It does not get to the client.

Thanks,

One more item to check, and this is basic: when the client fails the requirement, are they being placed in the temporary role? Also, can you make sure that you have configured any traffic policies on the local CAS? Here is a guide that will show you this setting - http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_trfpol.html#wp1040154

Thanks,

Tarik Admani
*Please rate helpful posts*

Yes, I checked it via Monitoring > Reporting, and it said that the user successfully logged in to the temporary role. I created a permit-all on the local policy, but the result is the same.

Yesterday I changed the DG of my client to the SVI, and after that I defined the ARP entry for the DG in CCA Servers > Advanced > ARP and added the ARP entry for my DG on the untrusted interface. Then the NAC agent client popped up. Now, when the client sends an ARP request for its DG, the CAS responds to it with its untrusted interface MAC address and the SVI IP address.

I do not know whether this is normal behavior or not.

Thanks