NAC problem - VLAN change works but can't access network - Can't reach CAS until ping from switch

Xavier Lloyd
Level 1

Ok so I'm deploying NAC in L2 OOB VG mode with computers plugged in behind Cisco IP phones.

Here is my configuration:

VLANs

CAS - 800
CAM - 810
access - 820

auth - 830

voice - 20

Switch ports:

User switch - Catalyst 3560

interface GigabitEthernet0/35
description TO USER
switchport trunk encapsulation dot1q
switchport trunk native vlan 830
switchport mode trunk
switchport voice vlan 20
snmp trap mac-notification added
spanning-tree portfast
end


Devices switch - Catalyst 3750

interface GigabitEthernet1/0/8
description NAC-SERVER-TRUSTED
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport trunk allowed vlan 800,820
switchport mode trunk
switchport nonegotiate
end


interface GigabitEthernet1/0/24
description NAC-SERVER-UNTRUSTED
switchport trunk encapsulation dot1q
switchport trunk native vlan 776
switchport trunk allowed vlan 830
switchport mode trunk
end

interface GigabitEthernet1/0/37
description NAC-MANAGER
switchport access vlan 810
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree guard root
end

Here is my problem:

When I connect to the network and authenticate to the NAC server, the login is successful and the SNMP works. The NAC changes the native VLAN to 820 (access) and makes the allowed VLANs everything except 830 (auth). However, once I authenticate, I set up a continuous ping to the default gateway, which is set to the VLAN 820 virtual interface on the User Switch. The pings fail for about a minute or 2, then they start succeeding, then stop. Once they stop, the NAC agent pops up asking me to authenticate. The whole process repeats.

Both switches have all the VLANs in their database, and all the VLANs have management interfaces except 830 (auth).

I don't know what the problem could be. Any ideas?

9 Replies

Xavier Lloyd
Level 1

Further insight into the problem:

I noticed that when I authenticated with the NAC, I used another computer to check my VLAN and it was, in fact, set to the access VLAN. With my pings failing, though, I had no idea what was happening. After a minute I checked again and my VLAN was set to the authentication VLAN.

I got super-stumped and just deleted the CAS from the CAM and deleted all the config from the CAM and just started over from scratch. Everything is working now. As for the differences in the config...I'm not entirely sure what caused the solution but I do know that I only set the VLAN for the port whereas before I set it on the port, the user...and pretty much everywhere else I could find a VLAN association. The complication made it difficult to troubleshoot.


EDIT:


Everything WAS working...I came back the next day and the problem came back. I get booted off my access VLAN but the NAC still sees me as an online user.


*sigh* does anyone have any expertise with NAC deployments whom I can talk to about this? Please PM me if you've ever done L2 OOB VG and are willing to help >_<

Xavier Lloyd
Level 1

I don't know, but maybe the problem could be with my setting of the management VLANs and setting VLAN ID passthroughs on the NAC Server.

Currently the settings are:

Platform: APPLIANCE

Trusted Interface (to protected network):
  IP Address
  Subnet Mask
  Default Gateway
  Set management VLAN ID:
  Pass through VLAN ID to managed network

Untrusted Interface (to managed network):
  IP Address
  Subnet Mask
  Default Gateway
  Set management VLAN ID:
  Pass through VLAN ID to protected network



Notes:

  • The IP address (192.168.82.10) is on the Access VLAN/Subnet, the default gateway is the SVI for the Access VLAN (820)
  • The NAC Server management VLAN is set to 800 which is the Server VLAN.

Questions:

  1. If I checked the VLAN ID Passthrough on the trusted interface...what would it do differently?
  2. Does the untrusted interface need a management VLAN too (given the switch config above)?

I may be talking to myself but I'll test these settings and post back.

Xavier Lloyd
Level 1

Ok I've found what I think MIGHT be the root problem...when the CAS reboots...nothing can ping it and it can't ping anything. I have to telnet to the switch and ping which succeeds...then all the communications work. Is this normal?

Xavier,

It seems like the CAS is putting the user after authentication in the Quarantine or Temp Role. While performing the test, after authentication try the below:

Login to CAM -> Monitoring -> Online Users -> Check if the user that you logged in as appears in the In-Band or Out-of-Band list.

If yes, then you might be using some posture assessment which is resulting in the user going to the Quarantine/Temp role.

HTH

ABDUL MAJID KHAN

Abdul,

I checked what you suggested and the CAM says that I'm an online user. The agent tells me that I completed the check successfully though so I'm pretty sure I'm not in the quarantine or temporary role. Also, I've configured all the roles to allow all traffic for testing purposes so being in the quarantine or temp role shouldn't affect my pings I think.

Thanks for the response, I'm still testing different things.

~Xavier

EDIT

Ok so I tested something and discovered the reason the CAS can't ping out until the switch pings it. I had the Management VLAN on the trusted interface set to 800 (Server VLAN), but the IP address and default gateway were in VLAN 820 (Access VLAN).

Here's what I don't understand now...how is the CAS supposed to be in its own VLAN but have an address on the Access VLAN? I'm going to leave it on the Access VLAN and try authenticating and see what happens.

Xavier,

I also have experienced that I am not able to ping the CAS IPs from the VLANs that are migrated (Trusted) to the CAS. But I am able to reach it from all other VLANs. This may be the default behaviour of the NAC. But I'll have to do some research on this...

HTH,

ABDUL MAJID KHAN

Abdul, thanks for your help so far =] It's been much appreciated!

I made a couple updates to my configuration.

I changed the IP addresses on the CAS to be in the CAS Management VLAN subnet (192.168.80.10 / VLAN 800) and created a managed subnet on the CAS for VLAN 830. The managed subnet has an IP address of 192.168.82.10 and the VLAN is the Auth VLAN (830).

I'm now having a different pinging problem though. I can't ping the Access VLAN from the CAS (as you said you couldn't), but I figure that that's because it would be trying to send the ping out of the untrusted interface because of the managed subnet.

Here's my config so far

CAS Network settings

Trusted Interface (to protected network):
  IP Address
  Subnet Mask
  Default Gateway
  Set management VLAN ID:

Untrusted Interface (to managed network):
  IP Address
  Subnet Mask
  Default Gateway
  Set management VLAN ID:

CAS Managed Subnet settings

Enable subnet-based VLAN retag

IP/Netmask                      Description         VLAN
192.168.80.10 / 255.255.255.0   Main Subnet         -1
192.168.82.10 / 255.255.255.0   Users in VLAN 820   830

Now I've realised though that now my untrusted traffic isn't hitting the CAS at all. I'm pretty sure it's a networking problem though but I can't see where I messed up in my design.

I have a question. From my untrusted host, am I supposed to be able to ping the managed subnet on the CAS? I can't...

Also when I browse to the NAC Server at its management address (192.168.80.10 / VLAN 800) from my untrusted host (192.168.82.50 / VLAN 830), the login page comes up. I login and then the redirect message appears. Once this happens, the redirect fails and my network connectivity goes whack for a minute or so.

Ok I've solved it finally!

The problem was that I didn't configure the device filter for the IP Phone. This caused the mac notifications from the phone to be constantly generated from the same port as my PC. Since the phone wasn't certified, it assumed that whoever was connected to my port was unauthenticated.

This is why my PC was seen as certified and online but it reconfigured my switchport.

Praise the Lord...now I can move on with my life lol. This is the last time (I hope) I'll overlook something that I figure can wait till later.

Thanks again for your help Abdul =]

Peace out all!
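The root cause the thread ends on (an uncertified IP phone sharing the user's port keeps firing mac-notification traps, so the CAM keeps flipping the port back to the auth VLAN while the PC stays "online") is easier to see with a small simulation. The code below is an added example written for this thread; it is not Cisco code, not the poster's configuration, and it does not speak the real CAM/CAS protocol. It models only the decision the thread describes: per trap, is the MAC in the device filter, is it the certified user, and which native VLAN does the port end up in. The MAC addresses, the trap line format and the "removed logs the user off" rule are constructed assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

AUTH_VLAN = 830    # unauthenticated hosts (the thread's "auth" VLAN)
ACCESS_VLAN = 820  # certified users (the thread's "access" VLAN)


@dataclass
class Port:
    name: str
    native_vlan: int = AUTH_VLAN
    online_mac: Optional[str] = None  # MAC of the certified user on this port, if any


@dataclass
class Cam:
    """Stand-in for the NAC Manager's per-port L2 OOB decision logic (modelled, not real)."""
    device_filter: set = field(default_factory=set)  # MACs exempt from NAC, e.g. IP phones
    ports: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def port(self, name: str) -> Port:
        return self.ports.setdefault(name, Port(name))

    def user_certified(self, port_name: str, mac: str) -> int:
        """Agent login and posture check passed: move the port to the access VLAN."""
        p = self.port(port_name)
        p.online_mac = mac
        p.native_vlan = ACCESS_VLAN
        self.log.append(f"{port_name}: {mac} certified, native vlan -> {ACCESS_VLAN}")
        return p.native_vlan

    def mac_notification(self, port_name: str, action: str, mac: str) -> int:
        """Handle one 'snmp trap mac-notification' event (added/removed) from the switch."""
        p = self.port(port_name)
        if mac in self.device_filter:
            self.log.append(f"{port_name}: {mac} matches device filter, trap ignored")
        elif action == "added" and mac != p.online_mac:
            # An unfiltered MAC that is not the certified user appeared on the port:
            # the port goes back to the auth VLAN even though the PC stays "online".
            p.native_vlan = AUTH_VLAN
            self.log.append(f"{port_name}: unknown {mac} added, native vlan -> {AUTH_VLAN}")
        elif action == "removed" and mac == p.online_mac:
            # Assumption in this model: losing the certified MAC logs the user off.
            p.online_mac = None
            p.native_vlan = AUTH_VLAN
            self.log.append(f"{port_name}: {mac} removed, user logged off, vlan -> {AUTH_VLAN}")
        else:
            self.log.append(f"{port_name}: {action} {mac}, no change")
        return p.native_vlan


def parse_trap(line: str) -> tuple:
    """Parse a constructed one-line trap summary '<port> <added|removed> <mac>'."""
    port, action, mac = line.split()
    if action not in ("added", "removed"):
        raise ValueError(f"unexpected action {action!r}")
    return port, action, mac.lower()


# Constructed sample data (hypothetical MACs, not from the thread).
PC_MAC = "0011.2233.4455"
PHONE_MAC = "001a.2b3c.4d5e"
INITIAL_TRAPS = [
    "Gi0/35 added 001A.2B3C.4D5E",  # the phone is learned first
    "Gi0/35 added 0011.2233.4455",  # then the PC plugged in behind it
]


def simulate(filter_phone: bool) -> tuple:
    """Replay the sequence from the thread; returns (final native VLAN, online MAC, log)."""
    cam = Cam(device_filter={PHONE_MAC} if filter_phone else set())
    for line in INITIAL_TRAPS:
        cam.mac_notification(*parse_trap(line))
    cam.user_certified("Gi0/35", PC_MAC)
    # The phone re-announces itself on the same port (constructed repeat trap).
    cam.mac_notification(*parse_trap("Gi0/35 added 001A.2B3C.4D5E"))
    p = cam.port("Gi0/35")
    return p.native_vlan, p.online_mac, cam.log


if __name__ == "__main__":
    for filtered in (False, True):
        vlan, mac, log = simulate(filtered)
        print(f"device filter for phone: {filtered} -> port vlan {vlan}, online user {mac}")
        for entry in log:
            print("  " + entry)
```

Running it shows the two outcomes side by side: without the phone in the device filter the port ends in VLAN 830 while the PC is still recorded as the online user, which is exactly the "certified and online but my switchport got reconfigured" symptom; with the filter in place the phone's repeat trap is ignored and the port stays in VLAN 820. The same check is worth running mentally on any port that carries more than one MAC (phones, hubs, passthrough docks) before going live with L2 OOB.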
