03-18-2010 06:27 AM - edited 02-21-2020 03:54 AM
i am deploying NAC as layer 3 OOB Real IP Gateway using ACL. i have a problem that Agent doesn't try to communicate with CAS untrusted interface
i enabled logging on the Switch and i found that NAC agent sends udp requests to its default gw (interface vlan on the switch) not to the CAS untrusted interface. and because of this no trigger for NAC Authenticationa and posture assessment happened.
i configured access list on untrusted vlan interface to allow ip traffic to cas untrusted
agent discovery host points to CAS untrusted interface.
can anybody guide me to solve this problem.
03-18-2010 10:39 AM
In the unauthenticated role, where you say traffic is open to the CASs untrusted interface, are you able to ping that IP address?
03-18-2010 10:51 AM
The agent will send discovery packets initially to udp/8905 to the clients default gateway (which works when the CAS is L2 adjacent to the user). If the agent doesn't get a response to those packets it will switch over to udp/8906 to the discovery host that is configured.
Can you do a packet capture on the client and see if the secondary udp/8906 packets are sent out?
03-21-2010 02:53 AM
Thanks Nate. I installed wire shark on the agent machine to inspect agent traffic.
I see that the agent talks to the GW on udp 8905 then to CAS untrusted interface on udp 8906 but nothing happens
No agent authentication was triggered. Also in don't see any match on the ACL that the agent is talking to the CAS.
Senior Systems Engineer I Professional Services
8, Fathy Talaat Street | Square 1145 | Sheraton Buildings | Heliopolis-Cairo-Egypt.
03-23-2010 03:40 AM
Hmm Did u add the static routes back to your auth vlans on your NAC servers? you will need the NAC servers to reply back to the clients on the untrusted interface instead of the trusted.
03-24-2010 02:28 PM
Verify the traffic flow first. Can you ping the untrusted interface of your NAC server from your Auth subnet?
05-26-2011 10:05 PM
I have exactly the same issue with this. Is this resoved yet?
User on the Auth VLAN is able to communicate with CAS Untrust Interface and discovery host is already set to it.
On wireshark I see the client is communicating with the CAS Untrust Interface but nothing happens. No login offered by the agent.
FYI, Web Agent works fine.
Need help on this. Please advise.
12-01-2011 10:08 AM
Has anyone found a solution to this issue? I am seeing this same issue at two different sites.
The first site is a OOB VGW with CASs installed at the site and the CAMs are at another site. Web authentication works fine and ports are changed as they should be, but agent never works. I have the discovery host set to the CAM IP address.
The second site is a Real IP Gateway remote site that is experiancing the same behavior. I tried changing the discovery host to the either IP of the CAS as well as the CAM IP and no change.
Any reply is greatly appreciated!
12-12-2011 11:42 AM
As explained above, the Agent communicates over UDP/8905 to send discovery packets (L2), with no response the packet is Layer3 encapsulated and sent over UDP/8906.
The objective of setting the Discovery host IP is to forward the traffic THROUGH the CAS server in case of Layer 3 OOB deployments. Thus if you are using the CAM server IP address, ensure that the CAM server resides on the TRUSTED side of the CAS server, and the traffic does NOT bypass the CAS server i.e directly going to the CAM server without having CAS inline, which most probably happens due to routing.
Thus for OOB, you may point to the IP address of the
- UNTRUSTED interface of the CAS server,
- TRUSTED interface of the CAM server provided the traffic will CROSS the CAS server first.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: