Our client has a network with 20 CAS pairs and 1 CAM pair, all with v4.7.2. The wired users all pass through NAC for authentication.
We now want to implement the same setup for the wireless users. The client has a WLC 4404 with v6.0.199. For NAC authentication, 1 pair of CAS has been implemented.
I have followed the document NAC Out-Of-Band (OOB) Wireless Configuration Example.
I have also checked the guides for CAM (v4.7.2) and WLC (v6.0).
The issue is that the implementation of NAC and WLC is not working. The users are connecting as if there is no NAC in between. From the troubleshooting I have performed, it seems that the WLC is not communicating correctly with the CAM. I can only see Disassociation traps from the WLC.
Is there any updated document or any other info that can help me to solve the issue?
That document is a nice one and contains all that is needed to have it working.
Please make sure that accounting is configured on the WLAN so that the WLC can send the accounting start to the CAM.
Also, please verify that you have the NAC check box enabled on the WLAN.
Is the quarantine interface configured on the WLC?
What is exactly the client behavior?
Does the client get an IP address?
Does the Clean Access Agent pop up?
NAC checkbox and quarantine interface are enabled on the WLC.
The client behaviour is like before I enabled NAC: it connects to the SSID and accesses the network. No agent or redirection page appears.
As far as the RADIUS accounting feature, do I have to enable it even though the SSO feature is not enabled?
If I enable RADIUS accounting, will I see discovered clients on the CAM?
Just a note from the controller perspective.
The interface vlan must be the NAC access vlan and what WLC calls "quarantine vlan" is the NAC authentication vlan.
When a client is wirelessly connected, go to the monitor client page and check the client details. In which VLAN is it placed? Is it in NAC_REQD state or RUN state?
If it's RUN, it means it somehow got the OK from the CAM, while if it's NAC_REQD, it means the WLC is doing its job but apparently your quarantine VLAN allows network access.
> As far as the RADIUS accounting feature, do I have to enable it even though the SSO feature is not enabled?
> If I enable RADIUS accounting, will I see discovered clients on the CAM?
For Wireless SSO you have to point the RADIUS accounting to the CAS, not the CAM.
You will be able to see the users under "active VPN clients"; the VPN terminology comes from the fact that Wireless and VPN SSO actually share the same method, namely RADIUS accounting from either the WLC or the VPN gateway.
However, if for now you don't see any web redirection nor agent pop-up, I'd check the WLC dynamic interface config for the access and quarantine VLAN, but also the VLAN mapping and managed subnet configuration on the VGW CAS.
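The WLC side of the mapping given in the replies above (dynamic interface on the NAC access VLAN, NAC authentication VLAN as the WLC "quarantine vlan", NAC enabled on the WLAN, RADIUS accounting pointed at the CAS), written out as WLC 6.0-style CLI. This is an added example, not configuration from this thread or from the Cisco document it references; the interface name, VLAN IDs, WLAN ID, CAS address, shared secret and client MAC are constructed placeholders, and the exact NAC keyword should be checked with `config wlan nac ?` on the running release.

```text
! Constructed placeholders: VLAN 10 = NAC access (trusted) VLAN,
! VLAN 110 = NAC authentication (untrusted) VLAN, 192.0.2.10 = CAS, WLAN ID 1.

! The dynamic interface's own VLAN is the NAC access VLAN ...
config interface create nac-employees 10
! ... and what the WLC calls the "quarantine vlan" is the NAC authentication VLAN.
config interface quarantine vlan nac-employees 110

! WLAN: bind it to that interface and turn on NAC (WLAN must be disabled to edit).
config wlan disable 1
config wlan interface 1 nac-employees
config wlan nac enable 1

! RADIUS accounting: the server is the CAS, not the CAM (Wireless SSO path).
config radius acct add 1 192.0.2.10 1813 ascii PLACEHOLDER_SECRET
config radius acct enable 1
config wlan radius_server acct add 1 1
config wlan radius_server acct enable 1
config wlan enable 1

! Verify per client: check the VLAN it landed in and its policy/NAC state,
! as suggested above (RUN vs NAC_REQD). MAC address is a placeholder.
show client detail 00:11:22:33:44:55
```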
Thank you for your inputs.
The problem in the end was not the configuration nor the software of the WLC, but the operation of the device itself.
I configured the WiSM module (same software version as the WLC) on the 6500 switch that the client has and moved the wireless configuration to it.
The minute I performed this, the NAC operation worked!!!!
I have also enabled SSO using Windows AD in order for the user to have the same feeling as with their wired connection. That also worked from the start.
It seems that the WLC has a lot of problems and Cisco needs to solve them out.
I strongly doubt that it's a platform problem, especially since a WiSM blade is actually 2 WLC 4404s assembled in a blade, so the platform IS really the same.
I'm quite sure that there is something different in your setup between the WiSM and the WLC, so you might want to check on their differences. It can be as simple as a VLAN missing or something like this.
The WLC was a temporary solution until the WiSM was placed in the network, so there is no need to troubleshoot further.
Anyway, since you doubt there is a problem with the WLC, have you performed such a setup and did it work?
If yes please post it in order to use for future clients.
We don't have such a setup always ready at our disposal, but we'll surely consider posting config examples of NAC + WLC OOB. Thanks for the request.