Showing results for 
Search instead for 
Did you mean: 

NAC Layer 3 OOB Real IP Gateway


i am deploying NAC as layer 3 OOB Real IP Gateway using ACL. i have a problem that Agent doesn't try to communicate with CAS untrusted interface

i enabled logging on the Switch and i found that NAC agent sends udp requests to its default gw (interface vlan on the switch) not to the CAS untrusted interface. and because of this no trigger for NAC Authenticationa and posture assessment happened.

i configured access list on untrusted vlan interface to allow ip traffic to cas untrusted

agent discovery host points to CAS untrusted interface.

can anybody guide me to solve this problem.

8 Replies 8

Faisal Sehbai
Rising star
Rising star


In the unauthenticated role, where you say traffic is open to the CASs untrusted interface, are you able to ping that IP address?


Nate Austin
Cisco Employee
Cisco Employee

Hi Ayman,

The agent will send discovery packets initially to udp/8905 to the clients default gateway (which works when the CAS is L2 adjacent to the user). If the agent doesn't get a response to those packets it will switch over to udp/8906 to the discovery host that is configured.

Can you do a packet capture on the client and see if the secondary udp/8906 packets are sent out?



Thanks Nate. I installed wire shark on the agent machine to inspect agent traffic.

I see that the agent talks to the GW on udp 8905 then to CAS untrusted interface on udp 8906 but nothing happens

No agent authentication was triggered. Also in don't see any match on the ACL that the agent is talking to the CAS.

Please advice.


Ayman Alsayed

Senior Systems Engineer I Professional Services

CCIE #19512

8, Fathy Talaat Street | Square 1145 | Sheraton Buildings | Heliopolis-Cairo-Egypt.

Tel: +202-22685211

GSM: +20-101690035

Hmm Did u add the static routes back to your auth vlans on your NAC servers? you will need the NAC servers to reply back to the clients on the untrusted interface instead of the trusted.


Verify the traffic flow first. Can you ping the untrusted interface of your NAC server from your Auth subnet?



I have exactly the same issue with this. Is this resoved yet?

User on the Auth VLAN is able to communicate with CAS Untrust Interface and discovery host is already set to it.

On wireshark I see the client is communicating with the CAS Untrust Interface but nothing happens. No login offered by the agent.

FYI, Web Agent works fine.

Need help on this. Please advise.


Has anyone found a solution to this issue?  I am seeing this same issue at two different sites.

The first site is a OOB VGW with CASs installed at the  site and the CAMs are at another site.  Web authentication works fine  and ports are changed as they should be, but agent never works.  I have the discovery host set to the CAM IP address.

The second site is a Real IP Gateway remote site that is experiancing the same behavior.  I tried changing the discovery host to the either IP of the CAS as well as the CAM IP and no change.

Any reply is greatly appreciated!



As explained above, the Agent communicates over UDP/8905 to send discovery packets (L2), with no response the packet is Layer3 encapsulated and sent over UDP/8906.

The objective of setting the Discovery host IP is to forward the traffic THROUGH the CAS server in case of Layer 3 OOB deployments. Thus if you are using the CAM server IP address, ensure that the CAM server resides on the TRUSTED side of the CAS server, and the traffic does NOT bypass the CAS server i.e directly going to the CAM server without having CAS inline, which most probably happens due to routing.

Thus for OOB, you may point to the IP address of the

- UNTRUSTED interface of the CAS server,

- TRUSTED interface of the CAM server provided the traffic will CROSS the CAS server first.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers