2836 Views, 0 Helpful, 12 Replies
CNAC Solution needed

netlinkin (Level 1)

Dear All,

I am trying to implement NAC in my network. I have a CAM (3315) and a CAS (3315). I have completed licensing on the CAM, as I can see "CAM Lite" under the Licensing tab.
I have gone through the initial configuration of the CAM and CAS.
Config:
CAM (Eth0 <trusted> = 192.168.200.15/24) and
CAS (Eth0 <trusted> = 192.168.200.16/24 and
     Eth1 <untrusted> = 192.168.215.10/24),
preshared key: cisco, connected via crossover cable.
Now I tried to ping the CAS (.16) from the CAM (.15) and it fails (don't know why),
so I am not able to have connectivity between them. Is it necessary to have the CAM on a different subnet?
Further, I took a web console of the CAM and tried to add the CAS to the CAM, but it fails and gives an error like "Reached maximum limits for server". Strange, as this is a new device. Also, I have reinstalled the license at least 3-4 times, but no result.
I have gone through the PDFs, but there is no guideline on how to configure from the basics (like how to connect, which interface should be connected where, e.g. which interface should be trusted/untrusted).

Kindly share your comments/design/documents for the same, from the basics.

12 Replies

Xavier Lloyd (Level 1)

Hi netlinkin,

Based on your post in the other thread, I understand you're doing a layer 2 virtual gateway deployment. Is this supposed to be in-band or out-of-band?

Hi Xavier,

I want to use it in-band.

These are the steps which I have gone through (please guide me if I am wrong).

1. Connected PC (192.168.200.20) to CAM (192.168.200.15).
Results: configured the CAM as per the process with the service perfigo config command, used the default certificate, able to ping the CAM from the PC and vice versa, able to open the web console.

2. Connected to CAS (192.168.200.16) and PC (192.168.200.20), configured as above. Results: able to ping.

3. Now I need to add the CAS to the CAM management domain.

Hence I connected eth0 of the CAM and eth0 of the CAS via crossover cable and tried to ping the CAS from the CAM; it failed (it should ping, as the devices are in the same subnet and connected via the eth0 trusted interface).

Problem: unable to find MAC entries of the CAM in the CAS and vice versa.

Hi netlinkin,

The CAS and the CAM need to be on different subnets. This means that you'll need a router or a layer 3 switch to separate them. Once you do this then you'll have to generate SSL certificates on both the CAS and CAM and add them to each other. Once you do this, they'll be able to communicate fine.


Try this and shoot me back if you have any other issues

Hope that helps,

Xavier

Hi Xavier,

As suggested, I have connected the CAM, router and CAS.

1. Connected router Eth0/0 (192.168.100.151/24) to CAM Eth0 (192.168.100.150).
   Results: able to ping in both directions.
   Findings: all is OK, as it can ping.

2. Connected router Eth0/1 (192.168.200.151/24) to CAS Eth0 (192.168.200.150).
   Results: not able to ping the router IP (192.168.200.151), and vice versa.
   Findings: checked the CAS config. It shows

       Interface Fake0 >> 192.168.200.150 (I wonder about the Fake0 interface), and the ARP table also shows the same.
I configured it 2-3 times just in case I had made a mistake, but every time after configuration the interface status is Fake0.

3. Is it necessary to have an SSL certificate? Because currently I am testing it on a test lab setup.

Please suggest further.

Hey Pravin,

I'm not sure what fake0 is but I've seen it too and it doesn't interfere with my config at all. You will need the SSL certificate eventually but not for now.

The CAS can't ping the router interface...

  1. are you sure you are plugging the cable into the right port on the CAS? (I got a bit confused with the ports when I first did it)
  2. are you sure the router interface is up? (Try to ping the 200.151 interface from the CAM and see if you get a response)
  3. are you sure the CAS interface is up? (type this command at the SSH/Console prompt: "ifup eth0")
  4. have you turned on management VLAN tagging on the eth0 trusted interface? If so then the CAS would have difficulty communicating unless a VLAN is assigned to the same port on the router...but then again the router interface should act as a trunk but I dunno. Ensure that management VLAN tagging and VLAN ID passthrough are turned off on both eth0 and eth1 for now until initial setup is done.

Try these and tell me what you get,

~Xavier

Hi Xavier,

I have resolved the issue by making the fake interface down.

Now I am able to ping from the router to the CAM and from the router to the CAS, but still failing to have connectivity between the CAM and CAS. Further, I tried to add the CAS to the CAM and am still facing the error ("Reached maximum limits for server").

Once you add the manager licence to the CAM that error should go away

When you say that communication has failed between them...do you mean that they can't ping each other or that you can't add the CAS to the CAM?

If they can't ping each other, can you post the config of your router please? Leave out confidential things like passwords and the like.

Hi Xavier,

Please find the config.

--------------------

NAC-TEST#sh run
Building configuration...

Current configuration : 2554 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAC-TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
multilink bundle-name authenticated
!
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0/0
description Connected to CAM
ip address 192.168.100.151 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description Connected to CAS
ip address 192.168.200.151 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
control-plane
!
-----------------------------------------------------------------------
^^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
-------------------------------------------------------------------  END ---------------------------------

> Once you add the manager licence to the CAM that error should go away

While adding I am getting this error.

> When you say that communication has failed between them...do you mean that they can't ping each other or that you can't add the CAS to the CAM?

Can't ping the CAM (100.150) from the CAS (200.150) and vice versa.

> "while adding i m getting this error"

I'm not talking about adding the CAS to the CAM. I'm talking about adding the licence key to the server. You should have gotten instructions on how to get it when you bought the product. It is a .lic file and you add it by going to CCA Manager -> Licensing.

As for the communication...I'm completely stumped. The config is fine. Run these two commands from the router and tell me which succeeds and/or fails:

ping 192.168.100.150 source 192.168.200.151

ping 192.168.200.150 source 192.168.100.151

Also...I know I must be grabbing at thin air here, but it's better for me to be safe than sorry. Ensure that the CAS and the CAM are plugged in via the second port from the right around the back of the devices. There are 4 ports on each device, two on the left and two on the right. The ones on the right are eth0 and eth1. The left one of the pair is eth0 and the right one is eth1. Make sure that they are both connected via eth0.

Dear Xavier,

Thanks for the valuable thoughts. Regarding the license, I'll check with Cisco. But again, I told you that I made the fake interface down; only then can I ping the CAS. But strange things again: the next day I came in and the server had rebooted (the server didn't store the fake-interface-down config).

Also, as you suggested, the physical connection is the same (CAM left port eth0 and CAS left port eth0); only these are connected, the others are not connected. The CAM config remains unchanged even though the CAM is rebooted, but the CAS doesn't store the config.

So I again made the interface down, and ping works from the router to the CAM (100.150) and from the router to the CAS (200.150).

What's the next step?

NAC-TEST#ping 192.168.200.150

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


NAC-TEST#ping 192.168.100.150

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.150, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
NAC-TEST#
----------------------------------------------------------------------------------------------

NAC-TEST#ping 192.168.100.150 source 192.168.200.151  <<<< Ping to CAM

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.150, timeout is 2 seconds:
Packet sent with a source address of 192.168.200.151
.....
Success rate is 0 percent (0/5)


NAC-TEST#ping 192.168.200.150 source 192.168.100.151 <<<< Ping to CAS

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.150, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.151
.....
Success rate is 0 percent (0/5)
NAC-TEST#
--------------------------------------------------------------
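Two things in this thread can be checked mechanically: Xavier's requirement that the CAM and CAS sit on different subnets behind a router, and which of the pings above are on-link (router interface to a host on the same /24) versus routed (a sourced ping from the other subnet, which the far host can only answer if it has a route back through the router). The script below is an added example, not code from Cisco or from anyone in the thread. It parses the interface stanzas of the NAC-TEST `show run` posted above, takes the CAM/CAS addresses from the same post (both embedded as constructed input), and classifies each path. It assumes, as a labelled assumption, that each box's gateway should be the router interface on its own subnet; it does not claim to know what gateway was actually configured on the CAM or CAS.

```python
import ipaddress
import re

# Constructed input: the two interface stanzas from the NAC-TEST router config
# posted in this thread, and the CAM/CAS trusted-side addresses from the same post.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 description Connected to CAM
 ip address 192.168.100.151 255.255.255.0
!
interface FastEthernet0/1
 description Connected to CAS
 ip address 192.168.200.151 255.255.255.0
!
"""

HOSTS = {"CAM": "192.168.100.150", "CAS": "192.168.200.150"}


def parse_router_interfaces(config):
    """Map interface name -> IPv4Interface for each 'ip address A M' line
    found under an 'interface X' stanza of an IOS running-config."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$", line)
        if m and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def attached_subnet(host_ip, ifaces):
    """(ifname, IPv4Interface) of the router interface on the host's subnet, or None."""
    host = ipaddress.IPv4Address(host_ip)
    for name, iface in ifaces.items():
        if host in iface.network:
            return name, iface
    return None


def classify_path(src_ip, dst_ip, ifaces):
    """How a packet from src reaches dst, as far as this router can tell:
    'direct'      - same subnet: ARP only, no gateway needed on either end
    'routed'      - different router-attached subnets: each end needs a route
                    (in practice a default gateway) pointing at the router
    'unreachable' - at least one address is on no subnet this router has"""
    s, d = attached_subnet(src_ip, ifaces), attached_subnet(dst_ip, ifaces)
    if s is None or d is None:
        return "unreachable"
    return "direct" if s[1].network == d[1].network else "routed"


def check_plan(hosts, ifaces):
    """Validate an addressing plan like the one in this thread."""
    hits = {name: attached_subnet(ip, ifaces) for name, ip in hosts.items()}
    # ASSUMPTION: each box's gateway is the router interface on its own subnet.
    gateways = {name: (h[0], str(h[1].ip)) if h else None for name, h in hits.items()}
    nets = {h[1].network for h in hits.values() if h}
    names = list(hosts)
    paths = {(a, b): classify_path(hosts[a], hosts[b], ifaces)
             for a in names for b in names if a != b}
    return {
        "separate_subnets": len(nets) == len(hosts),  # Xavier's requirement
        "gateways": gateways,
        "paths": paths,
    }


if __name__ == "__main__":
    ifaces = parse_router_interfaces(ROUTER_CONFIG)
    report = check_plan(HOSTS, ifaces)
    print("CAM and CAS on separate subnets:", report["separate_subnets"])
    for host, gw in report["gateways"].items():
        print(f"{host}: gateway should be {gw[1]} ({gw[0]})" if gw else f"{host}: no router subnet")
    for (a, b), kind in report["paths"].items():
        print(f"{a} -> {b}: {kind}")
    # The pings from the thread, classified the same way.
    for src, dst in [("192.168.200.151", "192.168.200.150"),   # router -> CAS: succeeded
                     ("192.168.200.151", "192.168.100.150")]:  # sourced ping to CAM: failed
        print(f"{src} -> {dst}: {classify_path(src, dst, ifaces)}")
```

Run as-is it reports that the plan meets the separate-subnet requirement, that the pings that succeeded in the thread are all "direct", and that the two sourced pings that failed are "routed": they can only succeed if the CAM and CAS each have a route back to the other subnet via the router, which is exactly what the request for `show ip route` and the CAS routing table in the next reply is meant to establish.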

Hmm...this really is weird.

Let me see the output of show ip route please.

Also copy and paste the network config of the CAS and CAM from both the GUIs please

Those fake interfaces are used for the routing process, so they definitely need to be up and happy

From the CAS CLI, could you please get me the outputs of the following commands:

ifconfig

more /proc/click/real_routing_table/table

Thanks,

Lauren