Cisco NAC - Mapping Rules with VLAN ID

Daniel Stefani
Level 1

Hello,

I have a NAC L3 - OOB - Real IP Gateway environment.

The NAC is the version 4.8.1.

Each floor of the company has one Access Vlan, one Auth Vlan and one User Role.

I configured an LDAP Auth Server where the default role is Unauthenticated Role

and created Mapping Rules based on the Vlan ID of Auth Vlan on each floor.

Ex: The Access Vlan of the 8th floor is  380, the Auth Vlan is 908 and User Role is

FuncionariosB8.

When I run an Auth Test, the result is as expected and User is mapped to the desired Role.

But when put into production, the user enters the Default Unauthenticated Role.

The figures attached show my settings in the NAC.

The log file below is taken nac_manager.log

2011-02-25 17:42:23.091 +0100 [TP-Processor23] INFO  com.perfigo.wlan.web.admin.UserInfoManager         - UIM - removeUsersByMacList: 1 MACs 0 users

2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=1 condId=1 type=2 lOp=VLAN ID op=equals rOp=907

2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=0 condId=1 type=2 lOp=VLAN ID op=equals rOp=908

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=2 condId=1 type=2 lOp=VLAN ID op=equals rOp=909

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=3 condId=1 type=2 lOp=VLAN ID op=equals rOp=929

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=8 condId=1 type=2 lOp=VLAN ID op=equals rOp=928

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=11 condId=1 type=2 lOp=VLAN ID op=equals rOp=910

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=13 condId=1 type=2 lOp=VLAN ID op=equals rOp=931

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=15 condId=1 type=2 lOp=VLAN ID op=equals rOp=911

2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=17 condId=1 type=2 lOp=VLAN ID op=equals rOp=912

2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:49.103 +0100 [Thread-72] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.

2011-02-25 17:42:49.354 +0100 [Thread-73] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.

Can you help me with this problem? Will I need to open a TAC case?

Kind Regards,

Daniel Stefani
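Added example, not part of Daniel's post and not a Cisco tool: a small Python parser for the RoleMappingEvaluator and SnmpUtil lines in the shape of the nac_manager.log excerpt above. It pairs each "Cond#..." line with the "conditions - {...}" result that follows it and summarizes which VLAN IDs were tested, whether any mapping rule matched, and where the CAM fell back to a default Access VLAN. The sample log embedded in the block is constructed from the excerpt; the line format is assumed to be stable across the 4.8.1 log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the nac_manager.log lines in the post above.
SAMPLE_LOG = """\
2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=1 condId=1 type=2 lOp=VLAN ID op=equals rOp=907
2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}
2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=0 condId=1 type=2 lOp=VLAN ID op=equals rOp=908
2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}
2011-02-25 17:42:49.103 +0100 [Thread-72] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.
"""


@dataclass
class Evaluation:
    """One mapping-rule condition and the boolean the evaluator reported for it."""
    mapid: int
    cond_id: int
    left: str            # lOp, e.g. "VLAN ID"
    op: str              # e.g. "equals"
    right: str           # rOp, e.g. "908"
    result: Optional[bool]


# Assumed line formats, taken from the excerpt; adjust if your log differs.
COND_RE = re.compile(
    r"Cond#\d+:AuthServerMapCondition: mapid=(\d+) condId=(\d+) type=\d+ "
    r"lOp=(.+?) op=(\S+) rOp=(\S+)"
)
RESULT_RE = re.compile(r"conditions - \{([^}]*)\}")
SNMP_RE = re.compile(
    r"Failed to find Access VLAN for switch \[([\d.]+)\] port \[(\d+)\]\. "
    r"Use default Access VLAN (\d+) instead"
)


def parse_evaluations(log_text: str) -> List[Evaluation]:
    """Pair every Cond# line with the 'conditions - {condId=bool}' line after it."""
    evaluations: List[Evaluation] = []
    pending: Optional[Evaluation] = None
    for line in log_text.splitlines():
        m = COND_RE.search(line)
        if m:
            pending = Evaluation(int(m.group(1)), int(m.group(2)),
                                 m.group(3), m.group(4), m.group(5), None)
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            results = {}
            for item in m.group(1).split(","):
                key, _, value = item.strip().partition("=")
                if key:
                    results[int(key)] = value.strip().lower() == "true"
            pending.result = results.get(pending.cond_id)
            evaluations.append(pending)
            pending = None
    return evaluations


def snmp_fallbacks(log_text: str) -> List[Tuple[str, int, int]]:
    """(switch, port, default access VLAN) for each SnmpUtil fallback message."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in SNMP_RE.finditer(log_text)]


def summarize(log_text: str) -> dict:
    """Triage view: what was tested, what matched, and where SNMP lookups fell back."""
    evals = parse_evaluations(log_text)
    vlan_evals = [e for e in evals if e.left == "VLAN ID"]
    return {
        "rules_evaluated": len(evals),
        "vlan_ids_tested": sorted({int(e.right) for e in vlan_evals}),
        "matched_mapids": [e.mapid for e in evals if e.result],
        "all_vlan_conditions_false": bool(vlan_evals)
                                     and all(e.result is False for e in vlan_evals),
        "snmp_fallbacks": snmp_fallbacks(log_text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real nac_manager.log by replacing SAMPLE_LOG with the file contents. A summary where every "VLAN ID" condition is false while the SNMP port-VLAN lookup falls back to the default Access VLAN is the pattern in the post: the evaluator never saw the Auth VLAN it was asked to compare against.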

29 Replies

Hi,

I could not open attached file, please send this file as a txt.

Kamil

Hi,

Captured with TCPDUMP on the NAC Manager: the communication between the Switch and the CAM.

We can see in line 14 that the Switch responds to the get-request made by the CAM with the VLAN ID information.

Help...

Kind Regards,

Daniel Stefani

First of all, solve the SNMP problem, and when you are sure that it is OK, move to the next step.

The attached file shows a capture from Wireshark, but every log which you send is always a message of SNMPv2.

Why do you refer to VLAN 908 all the time? It's just the Auth VLAN.

Do you get the proper OID from the switch on the CAM?

Are you able to manage switch ports by CAM on the port profile?

Kamil

Hi,

OK, I think the SNMP is working properly.
Somehow, the NAC app does not receive the VLAN ID information during the conditional tests of the Mapping Rule.

How do I get the proper OID on the NAC from the switch?

In the captures I just see the OIDs that the NAC itself sends to the switch during the user authentication process.

Yes, I can manage the switch ports through the CAM, see the attached file...

Daniel Stefani

I sent you a link to the Switch OID Support, and there is a command there for how to verify.

I also sent you this command earlier; it is snmpget.

What happens when you bounce port 88? Does the CAM change the VLAN to 908?

If yes, verify also on the switch console for this port.

You can verify how the CAM sees the details about the connected switch.

Kamil

With snmpget I have the following output:

[root@srvtatcam001 ~]# snmpget -v 1 -c nac-ro 10.5.0.121 1.3.6.1.2.1.1.2.0

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.400

Yes, the switch port changes VLAN.

The attached file shows the switch logs and port config before, during and after the NAC process.

I am considering downgrading to version 4.8.0.

OK, the communication through SNMP works, and we can eliminate this issue now.

But in the switch logs which you sent there is a message:

Mar  1 14:36:54.000: %LINK-3-UPDOWN: Interface Vlan908, changed state to up

Do you have the interface SVI VLAN 908 configured? Is it a routed interface?

Could you send me by PM the IP address configuration of the NAC and the related switch ports configuration?

Kamil

Yes, routed interface....

See my topology deployment from the viewpoint of the 8th floor...

Are the connections between switches L3?

Do you have an active L3 routing protocol in your network?

What is your NAC deployment model? Is it L2 OOB VG or L3 OOB RG?

Kamil

Yes, we run dynamic routing...

My deployment is L3 - OOB - RG, as mentioned in the first post.

I use VRF Lite with GRE tunnels for traffic isolation.

This post has not been answered correctly and I did not vote.

Since you have an L3 deployment, do you add static routes to manage user subnets on the CAS?

Kamil

Yes

Nate Austin
Cisco Employee

Hi Daniel,


If you are truly in an L3 deployment (where the users reside at least one L3 hop away from the CAS), then you will not be able to use VLAN ID as a valid mapping condition, because the CAS will not know what VLAN the user is coming from. The way that condition works is that it looks at the VLAN tag on the packet from the client and bases the mapping on that. If the client's VLAN is not trunked to the CAS and instead the traffic is routed, then the traffic will no longer be on that VLAN, and thus will not hit that mapping rule.

I am aware that the conditions are created on the CAM and not the CAS; however, for the VLAN ID information the CAM relies on the CAS to provide that information from the client traffic. The CAM does not look at the SNMP traffic to perform this mapping to a user role.


This is mentioned in the configuration guide at the link below, and also  the note that it will only work in Layer 2 mode:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789

-----

That being said, if you are doing a one-to-one mapping based on floors, you can accomplish this with your port profiles instead of with user roles. Create a port profile for each floor and apply it to the ports/switches associated with that floor. That way it will always bounce ports with that profile to the same VLANs.


You can still do a per-floor port profile and set it to look at the User Role VLAN, but also set a default access VLAN on it as a one-to-one mapping fallback. Then leave all user roles without a VLAN except for the Guest role. That way, if you are a guest it will change the port to the VLAN defined in that role, and for any other role it will fall back to the default access VLAN on that port profile for that floor.

Thanks,

Nate
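Added example, not part of Nate's reply and not Cisco code: a small Python model of the two points in the reply. The first half mimics a "VLAN ID equals N" mapping condition being evaluated against the 802.1Q tag on the client frame, once for trunked (L2) traffic and once after a routed hop, where no tag survives. The second half models the suggested per-floor port profile: a "User Role VLAN" setting with a default access VLAN fallback, with every role except Guest left without a VLAN. The 8th-floor values (Auth VLAN 908, Access VLAN 380, role FuncionariosB8) come from the thread; the client IP and the Guest VLAN number are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model, not the product's code: how a "VLAN ID equals N" mapping
# condition behaves for trunked versus routed client traffic, and how the
# per-floor port profile fallback avoids depending on it.


@dataclass
class Frame:
    """Client traffic as the CAS sees it. vlan_tag is the 802.1Q tag, or None
    when the frame arrived through a routed hop and carries no tag."""
    src_ip: str
    vlan_tag: Optional[int]


@dataclass
class MappingRule:
    """One 'VLAN ID equals <rOp>' rule from the auth server's mapping rules."""
    role: str
    vlan_id: int


DEFAULT_ROLE = "Unauthenticated Role"   # default role of the LDAP auth server in the thread


def evaluate_mapping(frame: Frame, rules: List[MappingRule]) -> str:
    """Each VLAN ID condition compares the tag on the client frame with rOp;
    with no tag every condition is false and the default role applies."""
    for rule in rules:
        if frame.vlan_tag is not None and frame.vlan_tag == rule.vlan_id:
            return rule.role
    return DEFAULT_ROLE


def route_through_l3(frame: Frame) -> Frame:
    """A router rewrites the L2 header: the ingress VLAN tag does not survive the hop."""
    return Frame(frame.src_ip, None)


@dataclass
class UserRole:
    name: str
    vlan: Optional[int] = None   # left unset on every role except Guest


@dataclass
class PortProfile:
    """Per-floor port profile: 'User Role VLAN' with a default access VLAN fallback."""
    name: str
    auth_vlan: int
    default_access_vlan: int


def access_vlan_for(profile: PortProfile, role: UserRole) -> int:
    """VLAN the port is bounced to after authentication: the role's VLAN if one
    is set (Guest), otherwise the profile's default access VLAN for that floor."""
    return role.vlan if role.vlan is not None else profile.default_access_vlan


# Values from the thread for the 8th floor.
FLOOR8_RULES = [MappingRule("FuncionariosB8", 908)]
FLOOR8_PROFILE = PortProfile("Floor8", auth_vlan=908, default_access_vlan=380)
GUEST_VLAN = 950   # constructed placeholder; the thread gives no Guest VLAN number


def demo() -> dict:
    client = Frame("192.0.2.10", vlan_tag=908)   # constructed client IP, on Auth VLAN 908
    return {
        "l2_trunked": evaluate_mapping(client, FLOOR8_RULES),
        "l3_routed": evaluate_mapping(route_through_l3(client), FLOOR8_RULES),
        "employee_port_vlan": access_vlan_for(FLOOR8_PROFILE, UserRole("FuncionariosB8")),
        "guest_port_vlan": access_vlan_for(FLOOR8_PROFILE, UserRole("Guest", GUEST_VLAN)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The l2_trunked/l3_routed pair is the whole diagnosis: the same client with the same rules lands in FuncionariosB8 when its frame still carries tag 908 and in the Unauthenticated Role once a router has stripped it. The port-profile half shows why the fallback design no longer needs the VLAN ID at all: the floor is encoded in the profile, and only Guest carries a VLAN of its own.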

Hi Nate,

I did what you suggested and it is working as expected, thanks.

Kind Regards,

Daniel Stefani
