07-26-2010 11:54 PM - edited 03-09-2019 11:05 PM
Hi to All,
I would like to ask for some help with my NAC appliance. Currently I'm setting up the NAC appliance. I'm just having trouble deciding what IP addresses I should use for the managed subnet. I have set up the trusted VLAN as it already exists in our network, but what about the untrusted VLAN? Should I make new IP addresses for it and put them in the untrusted VLAN? I don't know if I made it correctly, but I cannot get an IP address every time I change the switchport to the port profile I made. Please can you guys help me; I just need to know this for my project. Thanks.
07-27-2010 05:01 AM
Richard,
This looks correct - assuming that 10.1.10 and 10.1.20 are the IP subnets associated with VLAN 10 and 20.
Do you have VLANs 100 and 200 trunked to your untrusted interface of your CAS?
Faisal
07-27-2010 08:52 AM
Yes, VLANs 100 and 200 are trunked to my L3 switch, which is connected to the untrusted eth1 on the CAS. These VLANs 100 and 200 serve as the authentication VLANs. With this setup the workstation cannot acquire an IP address from the DHCP server (Windows server). And the Ports Management page of the CAS shows that access VLAN 10 of the switch (where the workstation is connected) was changed to authentication VLAN 100.
Faisal, can you please give me more info about how the authentication VLAN works and where unauthenticated users get an IP address while they are not yet mapped to the trusted VLANs? Thanks.
07-27-2010 09:39 AM
Richard,
For DHCP to work you need the managed subnets (which you have), VLAN mapping (which you have) and absolutely no L3 SVIs for your unauthenticated VLANs, so make sure that on all your L3 devices there are no VLAN interfaces for VLAN 100 or 200. Then make sure that VLANs 100/200 are trunked to the untrusted interface, and VLANs 10/20 are trunked to the trusted interface of the CAS.
If you haven't rebooted your CAS after making these managed subnet and/or VLAN mapping changes, suggest you reboot it too, and then test.
HTH,
Faisal
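Added example, not part of the thread and not Cisco tooling: a small Python script that audits a switch running-config against the conditions Faisal lists in the post above (no L3 SVI on the authentication VLANs, the mapped VLANs present in the VLAN database, auth VLANs trunked to CAS eth1 and access VLANs trunked to CAS eth0), which is also the first thing he asks to check when a client in the unauthenticated role reaches the internet. The sample config, the port names (GigabitEthernet1/0/1 to CAS eth0, GigabitEthernet1/0/2 to CAS eth1) and the 10.1.100.1 SVI are constructed for the example and contain two deliberate mistakes; the 100->10, 200->20 mapping and the 10.1.10.0/24, 10.1.20.0/24 subnets follow the thread.

```python
"""Audit a Cisco IOS config for the CAS VLAN-mapping invariants from the post above:
no L3 SVI on an authentication VLAN, every mapped VLAN in the VLAN database, auth VLANs
trunked to CAS eth1 (untrusted) and access VLANs trunked to CAS eth0 (trusted)."""
import re

# Constructed sample running-config (not from the thread); port names and the
# 10.1.100.1 SVI are hypothetical. It contains two deliberate mistakes: an SVI on
# VLAN 100 and VLAN 200 missing from the trunk to the CAS untrusted interface.
SAMPLE_CONFIG = """\
vlan 10
vlan 20
vlan 100
vlan 200
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 100
 switchport mode trunk
!
"""

# CAM VLAN mapping as in the thread: authentication VLAN -> access VLAN
VLAN_MAPPING = {100: 10, 200: 20}


def parse_interfaces(config):
    """Return {interface name: [its indented config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def expand_vlan_list(spec):
    """'10,20,100-200' -> {10, 20, 100, ..., 200} (numeric lists only, no 'all'/'none')."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(lines):
    """VLANs a trunk carries; IOS allows 1-4094 unless an allowed-vlan list restricts it."""
    allowed = None
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (add )?(\S+)", line)
        if m:
            vl = expand_vlan_list(m.group(2))
            allowed = (allowed or set()) | vl if m.group(1) else vl
    return set(range(1, 4095)) if allowed is None else allowed


def audit(config, mapping, trusted_port, untrusted_port):
    """Return a list of findings; an empty list means the invariants hold."""
    findings, ifaces = [], parse_interfaces(config)
    auth_vlans, access_vlans = set(mapping), set(mapping.values())
    # 1. An SVI on an auth VLAN answers ARP/routes for clients and lets them bypass the CAS.
    for vid in sorted(auth_vlans):
        if any(l.startswith("ip address") for l in ifaces.get(f"Vlan{vid}", [])):
            findings.append(f"interface Vlan{vid} has an IP address: remove this SVI, auth VLANs must be L2-only")
    # 2. Both halves of every mapping must exist in the VLAN database.
    defined = {int(v) for v in re.findall(r"^vlan (\d+)", config, re.M)}
    for vid in sorted((auth_vlans | access_vlans) - defined):
        findings.append(f"VLAN {vid} is not in the VLAN database")
    # 3. Auth VLANs must reach CAS eth1 (untrusted), access VLANs CAS eth0 (trusted).
    for port, wanted, side in ((untrusted_port, auth_vlans, "untrusted"),
                               (trusted_port, access_vlans, "trusted")):
        lines = ifaces.get(port)
        if lines is None:
            findings.append(f"{port} ({side} side) not found in config")
            continue
        if "switchport mode trunk" not in lines:
            findings.append(f"{port} ({side} side) is not configured as a trunk")
        missing = sorted(wanted - trunk_allowed_vlans(lines))
        if missing:
            findings.append(f"{port} ({side} side) trunk does not carry VLAN(s) {missing}")
    return findings
```

Run `audit(SAMPLE_CONFIG, VLAN_MAPPING, "GigabitEthernet1/0/1", "GigabitEthernet1/0/2")` against the sample and it reports the Vlan100 SVI and the missing VLAN 200 on the untrusted trunk; against your own `show running-config` output, pass the real port names. The SVI check is the important one: with an SVI on the authentication VLAN the switch answers ARP and forwards the client's traffic itself, so DHCP and later the redirect never traverse the CAS.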
07-27-2010 11:26 PM
Faisal, that is correct. The workstation can now get an IP address from the DHCP server, although it is in the authentication VLAN assigned by the CAS.
One more thing: how can I know that the port profile is being applied to the switchport? Basically, I did not allow the traffic from the user role that I made for testing. I'm expecting that after I get an IP address from the DHCP server it will go for posture assessment or block the traffic. What happens is that I am able to access the internet from the network and it doesn't require any web login or agent login, although I enabled it from Device Management. Can you please tell me how it works? Please see the attachment. Thanks.
07-28-2010 09:20 PM
Richard,
If it's able to get to the internet in the unauthenticated role, then it's bypassing the CAS somehow. Some things to check in that situation would be whether you have L3 SVIs for your untrusted VLANs anywhere, since the traffic could be taking that path. Also please check your CAS specific traffic policies to see if you have them allowed there by chance. You can view those by going to CCA Servers -> Manage -> Filter -> Roles. Also using the Block All at the top is sort of redundant since the default policy in the unauthenticated role is to allow DNS only and block all traffic.
HTH,
Faisal
07-29-2010 03:34 AM
Hi Faisal,
Good day.
I don't have any interface VLAN for the authentication VLAN on the untrusted side. But I have the authentication VLAN in the VLAN database of the switch and allowed it on the switchport trunk. What I also noticed is that I had opened all the ports in the traffic policies; that's why in the unauthenticated role the workstation could access the internet. When I limit the traffic it redirects to the domain, but it still cannot get to the web login agent, although I created a local account on the CAM. Can you please tell me what ports I should put in the traffic policies for the unauthenticated role? Is there something wrong with the IP address that I'm using or the certificate (Full domain name or IP: MOD.local ---> should it be an IP address?)? Thanks again, you're a great help.
07-30-2010 11:27 PM
Richard,
Can you confirm whether your certificates are issued to DNS names or IP addresses? If names, can the CAS and CAM resolve each others names? Can the client resolve these names?
Faisal
07-31-2010 11:10 PM
It's the service IP address of the CAM eth0 that I used for generating the certificates. The same with the CAS: the service IP address on the trusted network was used for the certificates. The CAM is able to add the CAS from Device Management.
I tested it again after I generated a new certificate for both the CAM and CAS; now the error is "invalid provider name" when I open the browser, even though I created a local user for testing and allowed ports 80 and 443 in the traffic control. Is there any other problem with the configuration of the certificates or traffic control? Thanks, Faisal.
08-03-2010 10:15 AM
Richard,
Please post screenshots of your Auth Servers and your User Pages.
Faisal