Solved: Being driven nuts by Cisco NAC! Help!!

wkw · ‎04-19-2008

Hello all,

Getting desperate here..been trying to get the Cisco NAC solution (Cisco NAC 3310) to work but with limited success, and the results are so far discouragingly random. I have a lot of experience with Cisco products and so far this one has been the most distressing :-( Any help here would be gladly appreciated!!

Ok here's the setup: the CAM and CAS are setup in OOB VG mode (layer-2). I've setup everything according to Cisco's guide (i hope) - different VLANs for the CAM and CAS, VLANs mapping done, Managed Subnets, Switch Profiles etc configured. Yet I'm getting strange responses - some PCs are unable to connect to the network, even though the managed switch port successfully informs the CAM that a new MAC is detected (the switch port changes to the auth vlan from the initial vlan). I racked my brains trying to figure out what's wrong, the events logs doesnt indicate much problems. Just to check on some uncertainties:

1. For the Managed subnet IP, should I tick the "Enable Subnet based Vlan retag" box?

2. For the Managed Subnet, should I put the Managed Subnet IP address as the gateway IP? E.g. VLAN 110 (untrusted vlan) mapped to VLAN 10 (trusted VLAN) which is subnet 10.1.10.0/24. The gateway is 10.1.10.254. So should I configure Managed Subnet IP/Netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address within that subnet (e.g. 10.1.10.1)?

3. I'm also experiencing the situation where logging in successfully (pass the NAC verification etc), I unplugged my laptop from the managed switch port, and after a while plugged it in. This time no authentication happens, but network connectivity is broken (even though the Cisco Agent is running). Seems that the network port is placed into the Auth VLAN, yet nothing is prompted to login. Any ideas??

W

gojericho0 · ‎04-21-2008

Woon,

What policies do have setup on your current user roles?

You may want to try allowing all TCP/UDP and fragments to see if does not login constantly.

Right click on the access agent as well and select properties. Make sure it does not have a discovery host since this is a L2 implementation

Also you be able to rate the previous post so if others are having similar issues they will look at this thread

Thanks!

View solution in original post

gojericho0 · ‎04-20-2008

Hi, hopefully I can help with some of your questions and get you on the right track:

1. For the Managed subnet IP, should I tick the "Enable Subnet based Vlan retag" box?

This is normally used for wireless networks when a client is in the range of an AP on one vlan and there is an overlapping signal from an AP on another vlan. The subnet would then retag when changes occur. Unless you are in this situation I wouldn't worry about this.

2. For the Managed Subnet, should I put the Managed Subnet IP address as the gateway IP? E.g. VLAN 110 (untrusted vlan) mapped to VLAN 10 (trusted VLAN) which is subnet 10.1.10.0/24. The gateway is 10.1.10.254. So should I configure Managed Subnet IP/Netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address within that subnet (e.g. 10.1.10.1)?

For this you will chose unused IP address that the CAS will use. This will allow it to perform ARPs to communicate to the managed host

3. I'm also experiencing the situation where logging in successfully (pass the NAC verification etc), I unplugged my laptop from the managed switch port, and after a while plugged it in. This time no authentication happens, but network connectivity is broken (even though the Cisco Agent is running). Seems that the network port is placed into the Auth VLAN, yet nothing is prompted to login. Any ideas??

Check your OOB port profile. There are some options you can change after an authenticated port becomes disconnected.

Couple other helpful hints. If the switch supports it use mac-notification snmp traps. This will allow Clean access to see multiple macs on the same port. Also I would configure the switchports to have persistent ifindex to avoid some potential headaches.

Good Luck!

wkw · ‎04-20-2008

Thanks, will try out your suggestion. Currently "Enable subnet based Vlan retag" is ticked, so I will untick that. I'm already using a unused IP address for the Managed Subnet IP.

As for the OOB port profile, which options are you refering to? For the User Roles (Normal Authenticated User) I've disabled "Bounce Switch Port after Login (OOB)) and "Refresh IP After Login (OOB)) - is that ok? Currently I only have the Unauthenticated Role, the Normal Authenticated Role (for authenticated users) and Quarantine Role. Switch is using mac-notification snmp traps. Will try the persistent ifindex thingy and report back.

Some extra info/question: for the CAS Network setting:

1. Currently I've enabled L3 support, even though it's L2 adjacent. Would it affect anything? Or should i untick that option.

2. I've set both trusted and untrusted CAS interface to the same IP address (10.1.61.1). Just that the management VLAN ID is different (one is 61 on the trusted, another unused vlan 51 on the untrusted interface). What about the default gateway for both trusted and untrusted? Should they be the same as well.

Do I need to Pass through VLAN ID to managed network on either interfaces?

thanks,

Woon

wkw · ‎04-21-2008

Hi,

I've tried those steps you mentioned and it's working! So far, L3 support unticked, trusted and untrusted interface same IP, (one on vlan 61 and anothe on unused vlan 999 on the untrusted interface, default gw the same). I found out i set the wrong default gateway on my untrusted CAS interface. After correcting that, turning on snmp ifindex persistence it started to work.

I'm now trying to do AD SSO (multiple AD servers). I can successfully login, but after login (i.e after CTRL-ALT-DEL, login) - I get a message from the Cisco Clean Access Agent: " Performing Windows Domain Automatic Login for Clean AccesS". After that, another message: "Successfully login!". Which is good.

However, the problem is that the same message will keep on appearing over and over again. While my network remains down. I check in the CAM logs, it repeats the same log entries:

Authentication 2008-04-21 18:09:18 [00:17:A4:D5:9A:8A ## 10.1.14.22] test@xxx.xxx.MY - Successfully logged in temporary role, Provider: xxx-AD, L2 MAC address: 00:17:A4:D5:9A:8A, Role: Temporary Role, OS: Windows XP Pro/Home

Authentication 2008-04-21 18:09:09 [00:17:A4:D5:9A:8A ## 10.1.14.22] test@xxx.xxx.MY - Successfully logged in as out-of-band user, Provider: xxx-AD, Role: Authenticated-Normal, OS: Windows XP Pro/Home

Anyone knows why this is happening and how to rectify?? I'm so close now to getting this to work fully, so please help!!

Thanks in advance,

Woon

gojericho0 · ‎04-21-2008

Woon,

What policies do have setup on your current user roles?

You may want to try allowing all TCP/UDP and fragments to see if does not login constantly.

Right click on the access agent as well and select properties. Make sure it does not have a discovery host since this is a L2 implementation

Also you be able to rate the previous post so if others are having similar issues they will look at this thread

Thanks!

wkw · ‎04-25-2008

Thanks man,

I've finally got it to work. Turns out that the problem was that i had previously put in a discovery host on the access agent. Now it's working great :)

cheers,

woon

gojericho0 · ‎04-26-2008

No problem! Glad you got it working