NAC traffic control isn't working

drbenham
Level 1

I've been tasked with cleaning up a failed NAC (4.8.0 VGW L2 OOB) install, and am running into an issue.  When the users are in the unauthenticated role (and properly in the unauthenticated vlan), the traffic control ACLs are not functioning.  The users can get to anything, regardless of what I put in the ACLs. 

I've verified that traffic is properly in-band, flowing through the CAS (there isn't an issue with the L2 path).  Even if I place a "block all" rule at the top of the Unauthenticated Role ACL, all traffic still gets through.

Also (and probably as a result of this), users cannot go through the certification process.  They get an "unknown user" message on the NAC agent, and can't get past it.  The fact that I could still browse the web at that stage is what led me to realize this ACL problem existed.

What would cause this?  I've done many NAC installs (mostly VGW L2 OOB), and I've never run into this.

Thanks,

Dave

5 Replies

Tarik Admani
VIP Alumni

Dave,

I wanted to make sure that there isn't an SVI configured for the unauthenticated VLAN. Also, as far as DHCP traffic goes, is the DHCP traffic flowing through the CAS, and are the clients assigned an IP address from their mapped VLAN's subnet? It seems as if the traffic is bypassing the CAS. Also, from where the clients reside to the CAS untrusted interface, are there any other trunks configured in the path that might allow this traffic to hit an SVI configured for this VLAN?

The best thing to do at this point, as far as testing goes, is to prune the unauth VLAN from all trunk links that aren't in the path from the clients to the untrusted port of the CAS.

You can also do a show mac address and make sure that the only links that learn this MAC address are the link coming into the switch that the CAS resides on and the trusted interface (with the VLAN tags swapping from the downlink and the trusted VLAN leaving the trusted interface of the CAS).

I hope this helps and please provide an update.

thanks,

Tarik Admani
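The MAC-table check Tarik describes can be scripted so it is repeatable across switches. The following is an added example, not code from this thread or from Cisco: it parses the classic IOS "show mac address-table" layout from a constructed sample, lists every (VLAN, port) pair on which one client MAC was learned, and compares that against the pairs a VGW L2 OOB path should produce on the CAS's switch (untrusted VLAN learned on the uplink carrying client traffic in, trusted VLAN learned on the port toward the CAS's trusted interface). The MAC, VLAN numbers and interface names are made up; the extra entry on Gi1/0/7 is constructed to show what a stray trunk carrying the unauth VLAN looks like.

```python
"""Audit a switch MAC table for a NAC VGW L2 OOB client path.

Added example (not from the thread or Cisco). Parses the classic IOS
"show mac address-table" output and checks where one client MAC is
learned. Any (vlan, port) pair beyond the expected ones means another
link is carrying that VLAN and the client could be bypassing the CAS.
"""
import re

# Constructed sample output; MAC, VLANs and port names are invented.
# VLAN 900 = unauthenticated (untrusted) VLAN, VLAN 100 = trusted VLAN.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 900    0011.2233.4455    DYNAMIC     Gi1/0/1
 100    0011.2233.4455    DYNAMIC     Gi1/0/2
 100    00aa.bbcc.ddee    DYNAMIC     Gi1/0/3
 900    0011.2233.4455    DYNAMIC     Gi1/0/7
"""

CLIENT_MAC = "0011.2233.4455"  # constructed test workstation MAC

# Assumed topology on the CAS's switch (constructed for the example):
# Gi1/0/1 = uplink toward the core/access side, Gi1/0/2 = CAS trusted port.
EXPECTED_PATH = {900: "Gi1/0/1", 100: "Gi1/0/2"}

ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; header/separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("vlan")), m.group("mac").lower(), m.group("port")))
    return entries


def learned_on(entries, mac):
    """Set of (vlan, port) pairs on which `mac` appears."""
    mac = mac.lower()
    return {(vlan, port) for vlan, m, port in entries if m == mac}


def check_vgw_path(entries, mac, expected):
    """Compare where `mac` is learned with the expected {vlan: port} map.

    Returns (ok, unexpected_pairs, missing_pairs). An unexpected pair is
    the interesting finding: a second link learning the client MAC in
    the unauth VLAN is exactly the "traffic hitting another trunk/SVI"
    case to go and prune.
    """
    seen = learned_on(entries, mac)
    want = set(expected.items())
    unexpected = seen - want
    missing = want - seen
    return (not unexpected and not missing), unexpected, missing


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    ok, extra, gone = check_vgw_path(table, CLIENT_MAC, EXPECTED_PATH)
    print("path ok:", ok)
    for vlan, port in sorted(extra):
        print("UNEXPECTED: %s learned in vlan %d on %s" % (CLIENT_MAC, vlan, port))
    for vlan, port in sorted(gone):
        print("MISSING: expected %s in vlan %d on %s" % (CLIENT_MAC, vlan, port))
```

Paste the real "show mac address-table" output in place of the constructed sample and set EXPECTED_PATH to the uplink and CAS trusted port of the switch you are on; a clean VGW path yields no unexpected pairs.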

Thank you for your response.

There is no SVI configured on the unauthenticated VLANs. I verified that traffic is in fact flowing through the CAS by shutting off the untrusted NIC. When I did this, traffic immediately stopped. I left the interface shut for a few minutes, and traffic never reestablished. I also did a similar test by removing the VLAN mapping for this client VLAN. Client traffic stopped then, too. The CAS is definitely passing this traffic; I just can't figure out why. I've never had a problem with the traffic control ACLs before.

Clients are receiving DHCP through the CAS, from the trusted DHCP server.  The IP address is valid for the trusted VLAN, which is normal since it is in VGW mode.

The clients are plugged into a switch that is one hop away from the core (the CAS is also one hop away from the core, but on a different switch). The trunks are configured properly on both switches.

I will definitely do a show mac to determine that the MAC is only being learned from the switch that the CAS is plugged into. I will be onsite again in a couple hours. However, due to my other test above, I am certain that the traffic is flowing through the CAS.

Is there a setting somewhere in the "Clean Access" portion of the CAM that would allow clients to bypass the traffic control?  I don't recall ever seeing one, and I couldn't find one yesterday, but I figured I would throw it out there. 

It really bothers me that everything else seems to be working ok.  The CAM is properly controlling switch ports, the ADSSO service is started (usually a major pain!), etc.  This is one of the most basic functionalities of the CAS, and it seems like it is completely hosed.

I may upgrade them to 4.8.2 (from 4.8.0) today, just for the heck of it.  I'm not aware of any bugs in 4.8.0 that would cause this, but I don't have any other ideas.

Thanks again!  Please let me know if you have any other ideas...  I will report back to verify that the MAC is being learned from the CAS switch.

Dave

drbenham
Level 1

The mac addresses look good.  Untrusted side goes out the link to the switch the test machine is plugged into.  Trusted side comes from the switch the CAS is plugged into, as expected.

The traffic is definitely not circumventing the CAS.

Dave

I found it. The previous admin had created subnet filters that allowed all traffic from the subnets that were being assigned to workstations. Evidently, that allows all traffic to just pass right through the CAS, regardless of the user role policies/ACLs. Good times.

Thanks for your suggestions!


Dave
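The root cause Dave found is a precedence problem: an "allow" subnet filter is applied before any user-role traffic-control ACL is consulted, so a filter covering the workstation DHCP scope makes the unauthenticated role's "block all" rule unreachable. The following is an added example, not Cisco code or the thread's configuration: a small model of that evaluation order, with the broken policy beside the corrected one, plus an audit function that flags allow-type subnet filters overlapping the client subnets. All subnets, role names, addresses and rules are constructed.

```python
"""Why an allow-all subnet filter defeats NAC role ACLs (added example).

Not Cisco code. Models the precedence the thread describes: subnet
filters are matched on the source address first, and an "allow" match
passes traffic through the CAS without evaluating the role ACL. The
audit below is the check to run when role ACLs "do nothing".
"""
import ipaddress

# Constructed: DHCP scope handed to workstations in the client VLAN.
CLIENT_SUBNETS = [ipaddress.ip_network("10.20.0.0/22")]


class CasPolicy:
    """Ordered policy: subnet filters first, then the matched role's ACL."""

    def __init__(self, subnet_filters, role_acls):
        # subnet_filters: list of (cidr, action) with action "allow" or "deny"
        self.subnet_filters = [(ipaddress.ip_network(n), a) for n, a in subnet_filters]
        # role_acls: role -> ordered list of (action, destination cidr)
        self.role_acls = {
            role: [(a, ipaddress.ip_network(n)) for a, n in rules]
            for role, rules in role_acls.items()
        }

    def decide(self, role, src_ip, dst_ip):
        """Return (action, reason) for one flow from a client in `role`."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        # 1. Subnet filters: an allow match short-circuits everything else.
        for net, action in self.subnet_filters:
            if src in net:
                return action, "subnet filter %s" % net
        # 2. Role traffic-control ACL, first match wins.
        for action, net in self.role_acls.get(role, []):
            if dst in net:
                return action, "%s role acl" % role
        return "deny", "implicit deny"


def audit_subnet_filters(policy, client_subnets):
    """List allow filters that overlap a client subnet (role ACL bypass)."""
    findings = []
    for net, action in policy.subnet_filters:
        if action != "allow":
            continue
        for client in client_subnets:
            if net.overlaps(client):
                findings.append((str(net), str(client)))
    return findings


# Constructed unauthenticated-role ACL: reach the CAM, nothing else.
UNAUTH_ACL = {"unauthenticated": [("allow", "10.1.1.10/32"), ("deny", "0.0.0.0/0")]}

# The inherited, broken policy: previous admin's allow filter for the client scope.
BROKEN = CasPolicy([("10.20.0.0/22", "allow")], UNAUTH_ACL)
# The corrected policy: no subnet filter covering client addresses.
FIXED = CasPolicy([], UNAUTH_ACL)


def compare(src="10.20.1.5", dst="198.51.100.7"):
    """Decisions for the same web-bound flow under both policies (constructed IPs)."""
    return BROKEN.decide("unauthenticated", src, dst), FIXED.decide("unauthenticated", src, dst)


if __name__ == "__main__":
    before, after = compare()
    print("broken policy:", before)   # allowed by the subnet filter
    print("fixed policy: ", after)    # denied by the role ACL
    print("audit findings on broken policy:", audit_subnet_filters(BROKEN, CLIENT_SUBNETS))
    print("audit findings on fixed policy: ", audit_subnet_filters(FIXED, CLIENT_SUBNETS))
```

The symptom in the thread maps directly onto this: with the allow filter present, the "unauthenticated" ACL is never reached, so even a block-all rule at its top has no effect, and the agent cannot complete its posture flow because nothing in the unauthenticated role is being enforced the way the CAM expects.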

No problem, let us know if there is anything else we can do to help!