cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2675
Views
0
Helpful
7
Replies

NAC L2 VG OOB VLAN role-based VLAN change

Hello!

I'm configuring NAC appliance in L2 OOB Virtual gateway.

Task:

When users without CAA try to access the network they forfarded to web authentication. Depending on credentials provided user is assigned to guest role with appropriate VLAN or asked to install CAA. Guest users are configured locally on the CAM.

When users with CAA try to access the network they provide their credentials to CAA and than after posture assesment they moved to appropriate role and VLAN. Now, because AD SOO is not working, one more LDAP authentication provider configured and is used to authenticate users.

Problem:

When user without nac agent is trying to access the network he is asked to install NAC agent. CAA installation, authentication (via LDAP provider) and postrure assesment are OK. CAA returns message that you have full access to the network. But VLAN on access swith port is no changed from Auth to Access. Users is in Online Users list on CAM but VLAN on switch port is still Auth. I perfomed snmp debug on the access switch and switch does no recieve snmp packet from CAM to VLAN change.

I believe that snmp comfiguration on CAM and switch and snmp communication are OK because when I provide guest credentials during web authentication the VLAN is changed from Auth to Access. And I see snmp reguest from CAM on the switch.

Pictures with CAM configuration attached.

Switch snmp config:

snmp-server community ХХХ RO

snmp-server community ХХX RW

snmp-server enable traps snmp linkdown linkup

snmp-server enable traps mac-notification

snmp-server host 10.XXX.168.3 version 2c XXX  mac-notification snmp

snmp ifmib ifindex persist

snmp-server community ХХХ RO

snmp-server community ХХX RW

snmp-server enable traps snmp linkdown linkup

snmp-server enable traps mac-notification

snmp-server host 10.XXX.168.3 version 2c XXX  mac-notification snmp

snmp ifmib ifindex persist

I'm no asking to help configure AD SSO. For now I'm only need to make it works with LDAP authentication.

Thanks in advance.

Konstantin.    

7 Replies 7

Here is one more screenshot showing that user is authenticated and is in Online Usres  list with corresponding Acces VLAN.

Here is AuthTest screenshot

One more interesting thing.

When I do "service perfigo stop" on primary CAS, secondary CAS becomes ACTIVE. After that CAA login and VLAN change to Access are OK. Workstation appears in certified device list. Everything seems to be OK.

After that I reboot the workstation or do logout via CAA and VLAN is changed back to Auth. Workstation is still in certified device list.

After that I performe CAA login and it's OK but VLAN is no changed to Access and remains Auth - sitation as described

earlier.

After that I perfome "service perfigo stop" on secondary (ACTIVE) CAS and situation repeates: for the first login everything works, but for every next VLAN is no changed.

Please, if anyone can help?

Maybe problem is on the CAS side? In addition to information I provided before here is screenshot that shows that ADSSO is started but 8910 port is not opened:

Trying to solve the problem I've upgraded CASs and CAMs to 4.8.2. Upgrade sucessfully completed, but after upgrade CAA doesn't popup and the login buton is gray! Only web authentication works.

Please, help to make it working.

CAA log is attached.

I reinstall NAC for 4.8.1 and now CAA communicates with CAS and pops up. Maybe it's bug of 4.8.2. So be carefull to use 4.8.2 in L2 VG OOB design.

I solved my problem with VLAN change. I've configured "Managed Subnet" entries and now VLANs changing works! I'm puzzeled why CAS hould have ip-adresses in all Auth VLANs (subnets) and why sometimes VLAN changing was working withoup "Managed Subnet" entries!

Now I'm trying to configure AD SSO. There are two 2008 R2 AD servers in domain XXXX.LOCAL and I'm trying to configure AD SSO without ktpass.

I've configured user NACUser on one servers in Users and performed ldp.exe configuration for this user with attriburtes:

userPrincipalName NACUser/xxxx.local@XXXX.LOCAL

servicePrincipalName NACUser/XXXX.LOCAL

But SSO does not working and I shoud enter credentials two times (on windows login and CAA login).

I've not recieved any support for previous posts but maybe now someone would help)

I've managed to make AD SSO working! I used AD SSO WITH ktpass. And for both XP and Win7 it started to work only after this

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1266896

I hope this would be helpful for someone.

Review Cisco Networking for a $25 gift card