NAC Out of band deployment problem

narges3707
Level 1

Hi,

I have implemented the Cisco NAC solution in Layer 2 Virtual Gateway out-of-band mode, but I have a problem with the remediation process (I am using the NAC agent).

When clients are not compliant with my security policy, they move from the unauthenticated role to the temporary role. The problem is that users in the temporary role cannot ping anywhere. I want to allow users to connect to the internet and download the proper file, but they cannot. I created an access rule and permitted everything for the temporary role, but it does not work.

I think the NAC server does not retag traffic correctly (I set a VLAN mapping rule that does the mapping between my authentication and access VLANs).

Is it correct that the NAC server does VLAN retagging for all remediation traffic? If yes, how can I solve this problem?

Best regards

26 Replies

Tarik Admani
VIP Alumni

You can verify this by issuing a show mac address on the switch that the CAS is connected to and see two entries: one on the untrusted vlan from the trunking interface of the downstream switch, and the other from the trusted vlan on the trusted interface. If these entries are present, then check your routing to see if these subnets can get through your firewall.

Thanks,

Tarik Admani


Thank you for your attention.

I did not see such output from my sho mac add command.

I sent an image of my current topology; it may be useful, please find it.

I used a router instead of Cisco Layer 3 switches (the SVI for the user access vlan is configured on the router as sub-interfaces), and on my NAC Server I created a vlan mapping rule that maps the unauthenticated vlan to one of my access vlans.

I have a problem with my Managed Subnet!! I have to put my Managed Subnet as the default gateway for my client, because if I put the router SVI the Cisco NAC agent client does not pop up at all!!!

I read different documents about that and all of them said that your client default gateway must be the SVI, but it does not work.

Best regards

Hi, can you please post the configuration of the port settings for the untrusted and trusted interfaces? When you issue the show mac address (macaddr of client), what entries do you see? Also, when you made these changes did you reboot the CAS? Keep in mind that every time you make a network-related change on the CAS the unit must be rebooted in order for the changes to take effect.

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

Thank you for your reply.

The output of sho mac add for my client mac address is as follows:

Switch#sho mac address-table dynamic address 5404.a674.f220
          Mac Address Table
-------------------------------------------
Vlan   Mac Address       Type       Ports
----   -----------       --------   -----
110   5404.a674.f220   DYNAMIC     Fa0/6 (Unauthenticated vlan)
50   5404.a674.f220   DYNAMIC     Fa0/2   (Access vlan)
Total Mac Addresses for this criterion: 2


And this is my configuration for the NAS ports:

interface FastEthernet0/2
 description CONNECT TO TRUSTED-NAS
 switchport trunk native vlan 100
 switchport trunk allowed vlan 20,50
 switchport mode trunk
!
interface FastEthernet0/3
 description CONNECT TO UNTRUSTED-NAS
 switchport trunk native vlan 101
 switchport trunk allowed vlan 110
 switchport mode trunk

Best regards

Hi,

Can you please post a screenshot of your temporary role traffic policies? At this point the traffic is being mapped correctly, based on the entries provided from the mac address table. Now we need to see where the traffic is being dropped on your network.

thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

I just mentioned that the DG of my unauthenticated client is the Managed Subnet in the CAS. Is it ok?

Please find the attachment.

Best regards

Please uncheck the top option "Enable subnet based vlan retag". I have seen this cause issues in other deployments as well. Then try to set the default gateway for your client to the router's interface.

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

I unchecked "subnet based vlan retag", but it doesn't work. When I changed the client DG to the SVI (because I replaced my router with a C3750), the client does not resolve the mac address of the DG; it is sending ARP requests for this purpose but does not get a response at all.

Does ARP traffic get retagged through the NAS?

Best regards

When you made these changes, did you reboot the CAS? After further research, the default gateway for these users is the managed subnet, as found in this guide: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_addSrvr.html#wp1060206

thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

Yes, I do that whenever I change the configuration on my CAS.

I have read this document before, but I also saw some other documents that say you must use the SVI as the gateway (I attach one of them). When I use the managed subnet as the gateway the Cisco agent pops up, but in the remediation process the clients cannot ping anywhere. A client in the remediation process must connect to an FTP server to download the files (I created it in the Requirement part of Clean Access), but when the client is placed in the temporary role it always sends ARP requests for the FTP IP address and does not get any response. I think the problem is there, but I do not know what I should do about it.

What is the model of the switch you are running and what is the current code? Also, the vlan that you are mapping to, which is 50: is it allowed through the trunk on both sides of the link? Do you see the client's mac address on vlan 50 on the router's subinterface? Is spanning tree forwarding vlan 50 on the uplink?

Thanks,

Tarik Admani
*Please rate helpful posts*
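As an added example (not from this thread, Cisco, or the NAC product), a small Python check that parses the two pieces of evidence asked for above: the show mac address-table entries for the client MAC and the switchport trunk allowed vlan lines of the trusted and untrusted CAS ports. It confirms the client MAC is learned on the unauthenticated VLAN and, via the trusted port, on the mapped access VLAN, and that each trunk carries the VLAN it must. The table and config are constructed to mirror the values quoted in the thread (VLANs 110 and 50, Fa0/2 and Fa0/3); the function names are mine.

```python
import re

# Constructed sample modelled on the "show mac address-table" output posted in the thread
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
 110    5404.a674.f220    DYNAMIC     Fa0/6
  50    5404.a674.f220    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 2
"""

# Constructed IOS snippet for the two CAS-facing trunks (hypothetical switch, not the poster's file)
IOS_CONFIG = """\
interface FastEthernet0/2
 switchport trunk allowed vlan 20,50
interface FastEthernet0/3
 switchport trunk allowed vlan 110
"""

# One dynamic entry: VLAN, dotted-quad MAC, type, learning port (header and "Total" lines do not match)
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def parse_mac_table(text):
    """Map (vlan, mac) -> learning port for every entry in the table."""
    rows = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows[(int(m.group(1)), m.group(2).lower())] = m.group(3)
    return rows

def parse_trunk_allowed(config):
    """Map short interface name (Fa0/2) -> set of allowed VLAN ids for each trunk."""
    trunks, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1].replace("FastEthernet", "Fa")
        elif iface and "switchport trunk allowed vlan" in line:
            trunks[iface] = {int(v) for v in line.split()[-1].split(",")}
    return trunks

def check_oob_mapping(table, trunks, mac, unauth_vlan, access_vlan, trusted_if, untrusted_if):
    """Findings for one client MAC; an empty list means the CAS retag path looks consistent."""
    mac, findings = mac.lower(), []
    if (unauth_vlan, mac) not in table:
        findings.append(f"MAC not learned on unauthenticated VLAN {unauth_vlan}")
    if table.get((access_vlan, mac)) != trusted_if:  # retagged copy must arrive via the trusted port
        findings.append(f"MAC not learned on access VLAN {access_vlan} via {trusted_if}")
    if access_vlan not in trunks.get(trusted_if, set()):
        findings.append(f"{trusted_if} does not allow access VLAN {access_vlan}")
    if unauth_vlan not in trunks.get(untrusted_if, set()):
        findings.append(f"{untrusted_if} does not allow unauthenticated VLAN {unauth_vlan}")
    return findings
```

A clean result only proves the Layer 2 retag path on this switch; routing, the role's traffic policy and the upstream trunks still have to be checked separately, as the replies above do.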

Dear Tarik Admani,

I have two switches. One of them is a WS-C3750-24TS with IOS "c3750-ipservicesk9-mz.122-52.SE.bin"; I use it as the core switch that the NAM, NAS and my FTP server are connected to. The other one is my access switch that the clients are connected to, which is a WS-C2950G-24-EI with IOS "c2950-i6q4l2-mz.121-22.EA14.bin".

The version of my NAC Manager is 4.9, it is installed on ESX 4.1, and it has a trial license.

I attached my configuration of both of the switches.

What vlan is the ftp server on? If it is on vlan 50 then you will have to create a static route that points this ip address through the trusted interface. This is because of the managed subnet configuration... it always assumes that all ip addresses that belong to this ip space are behind the untrusted vlan. It is best to keep network resources, including the NAM, on a separate vlan to which the CAS is connected.

Let me know if this is the case.

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik Admani,

Yes, my ftp server was in vlan 50. I changed the vlan and put it in vlan 200, but the problem is still there and my client in the unauthenticated vlan does not connect to it. On my switches I turned debugging for ARP traffic on, but it shows nothing!!

Thanks.