NAC ports

suthomas1
Level 6

Hello Experts,

Have a few questions which came across while doing NAC work at one of our subsidiaries. If there are certain user ports which are not enabled for NAC profile, is there any way (except physical check on user laptop by enabling all ports & checking) which may be used to track down non-enabled user ports for NAC.

Secondly, if the user port on NAC is manually to be made on user vlan (rather than quarantine or temporary vlan), what is the correct sequence for this.

Should the user field on NAC be typed manually to user vlan, or should the port profile be made uncontrolled followed by port bounce & update?

Appreciate all help, thanks.

Accepted Solution

Tiago Antunes
Cisco Employee

Hi,

Please see inline:

If there are certain user ports which are not enabled for NAC profile, is there any way (except physical check on user laptop by enabling all ports & checking) which may be used to track down non-enabled user ports for NAC.

[Tiago] You can check on the CAM GUI what are the controlled and uncontrolled ports. This is the only place where the ports can be set to be managed/unmanaged.

Secondly, if the user port on NAC is manually to be made on user vlan (rather than quarantine or temporary vlan), what is the correct sequence for this.

Should the user field on NAC be typed manually to user vlan, or should the port profile be made uncontrolled followed by port bounce & update?

[Tiago] When doing the switch configuration, the switchports can be put either on the user vlan or default access vlan. This depends on the port profile settings you have configured. By default, when a port is managed, if a client connects to it, an SNMP trap is sent to the CAM. The CAM checks if the machine is certified or not (checks the mac address). If the machine is not certified the CAM changes the vlan to the unauthenticated vlan configured on the port profile.

So, every time you connect a PC to a switchport, the CAM evaluates what the correct vlan is for the PC to start with and changes it accordingly.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
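To make the flow Tiago describes concrete, here is a small added simulation (not Cisco code and not from this thread) of how the CAM reacts to a link trap on a managed port versus an uncontrolled one, plus the "which ports are not enforced" listing from the first question. Port names, VLAN numbers and MAC addresses are constructed sample values; the actual CAM works from its certified-device list and the port profile's unauthenticated VLAN exactly as described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class PortProfile:
    managed: bool                      # "controlled" in the CAM GUI
    user_vlan: int                     # VLAN a certified client ends up on
    unauth_vlan: Optional[int] = None  # quarantine/temporary VLAN (managed ports only)

@dataclass
class CamSim:
    profiles: Dict[str, PortProfile]
    certified_macs: Set[str]           # MACs the CAM already considers certified
    port_vlan: Dict[str, int] = field(default_factory=dict)
    events: List[str] = field(default_factory=list)

    def uncontrolled_ports(self) -> List[str]:
        """Ports with no NAC enforcement, as the CAM GUI would list them."""
        return sorted(p for p, prof in self.profiles.items() if not prof.managed)

    def on_link_trap(self, port: str, mac: str) -> Optional[int]:
        """React to the switch's SNMP trap for a client appearing on `port`."""
        prof = self.profiles[port]
        if not prof.managed:
            # Uncontrolled port: the CAM does not touch its VLAN at all.
            self.events.append(f"{port}: unmanaged, trap ignored")
            return None
        # Certified MAC -> user VLAN; anything else -> unauthenticated VLAN.
        vlan = prof.user_vlan if mac.lower() in self.certified_macs else prof.unauth_vlan
        self.port_vlan[port] = vlan
        self.events.append(f"{port}: {mac} -> vlan {vlan}")
        return vlan

def build_sample_cam() -> CamSim:
    # Constructed inventory: two managed ports, one left uncontrolled.
    profiles = {
        "Gi1/0/1": PortProfile(managed=True, user_vlan=100, unauth_vlan=900),
        "Gi1/0/2": PortProfile(managed=True, user_vlan=100, unauth_vlan=900),
        "Gi1/0/3": PortProfile(managed=False, user_vlan=100),
    }
    return CamSim(profiles, certified_macs={"00:11:22:33:44:55"})

def run_sample() -> Dict[str, Optional[int]]:
    cam = build_sample_cam()
    return {
        "certified_on_managed": cam.on_link_trap("Gi1/0/1", "00:11:22:33:44:55"),
        "unknown_on_managed": cam.on_link_trap("Gi1/0/2", "aa:bb:cc:dd:ee:ff"),
        "unknown_on_unmanaged": cam.on_link_trap("Gi1/0/3", "aa:bb:cc:dd:ee:ff"),
    }
```

The `uncontrolled_ports()` list is the thing to audit: a port appearing there never gets its VLAN evaluated, which is the gap the first question is about.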
