08-24-2010 02:19 AM - edited 03-09-2019 11:07 PM
Hi Faisal,
Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable the L3 support and apply static routes. When I tried to connect a client workstation I cannot get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports it changes to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to put a managed subnet and VLAN mapping? But from what I've read in the manual there is no need to configure the managed subnet; instead a static route needs to be applied.
For the L2 deployment OOB Virtual Gateway it's working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites also, for the users to authenticate through the NAC. I'm thinking to apply 2 approaches for the NAC: one L2 deployment for the main site and an L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what I should apply for it and see the attachment. Thanks.
Richard
08-25-2010 03:36 AM
Richard,
I don't think this will work. You're using VGW and trying to NAC subnets L3 hops away. In VGW CAS is acting as a bridge. How are you going to extend your VLAN tags from multiple hops away to the untrusted interface of the CAS?
Almost always we see customers who have a need for NAC L3 hop away subnets use RIP since it is easier to segregate and force the unauthenticated traffic to the untrusted side of the CAS.
HTH,
Faisal
08-25-2010 05:44 AM
Thanks dude, I'll try to figure out the Real-IP gateway mode. That's what I'm also thinking; anyway, thanks for your information. I will contact you once there is an issue on that one.
Richard
08-26-2010 03:52 AM
Hi Faisal,
I changed the server type from OOB Virtual GW to OOB RIP. The thing is the client cannot get an IP address from the Windows DHCP server though I put the DHCP type in the CAS as DHCP relay. The DHCP relay is pointing to the address of the DHCP server. Is there anything I need to add in the configuration? Do I also have to add a managed subnet for the authentication VLAN? Please let me know. Thanks.
Richard
08-26-2010 03:57 AM
Richard,
Okay. How is traffic getting to the CAS from your unauthenticated subnets? You said they're L3 hops away, so how are you forcing them to the CAS?
Generally in L3 setups like these you do DHCP locally (on the switch perhaps) and then when the clients initiate traffic, you can force that to the CAS untrusted side to force authentication/posture.
Faisal
08-26-2010 04:30 AM
I have set up a Windows DHCP server locally in the L3-hops-away network. Basically the network from the main site (where the NAC is installed) and the remote site were already connected and talking because of the static route. The remote site has always had a DHCP server locally where the clients get IP addresses. Also I created the DHCP scope for the authentication VLAN as I see in the manual, though in the example they're using an L3 switch. I configured the static route in the CAS. What else do I need in the configuration?
In the OOB Virtual Gateway there is no problem using the Windows DHCP server, but the thing is it cannot do L3 hops away; it's just in the main site. That's why I changed to OOB RIP. Please see the attachment.
08-28-2010 02:24 AM
Hi Faisal,
I can now acquire an IP address from the authentication VLAN that I made in the DHCP server, but the issue is it doesn't remediate and go to posture assessment. When I open the IE browser it goes directly to the internet. I have the static route for the L3 OOB RIP. I want it to be redirected to the NAC untrusted network to ask for a login account and go to remediation. Can you please tell me what should be added to the configuration? Thanks.
Richard
08-28-2010 11:19 AM
Richard,
That's the thing. You need to force the traffic from that subnet to go to the CAS's untrusted interface. You can do that by using PBRs or using the ACL method.
Both are talked about in this chalk-talk series in the third chalk-talk. Look at slides 54 onwards.
HTH,
Faisal
08-29-2010 02:16 AM
Hi Faisal,
I cannot find this presentation file: prod_presentation0900aecd80549168. Is there any other way to get that file? Thanks.
08-29-2010 10:59 AM
Richard,
I'll post those here shortly.
Thanks
Faisal
08-29-2010 10:49 PM
Faisal,
I am able to authenticate and go to posture assessment, but when I check the IP address it is still in the Authentication VLAN. It doesn't change to the Access VLAN. I applied the ACLs in the router. I have the port profile defining the auth and access VLAN too. What else do I have to configure in the NAC or router in order to switch from the auth to the access VLAN after remediation? Thanks.
Richard
09-01-2010 09:12 PM
Thanks Faisal, the ACL works for me. The only thing I cannot force to pop up is the NAC Agent; it seems something is blocking it, and I don't have any idea what it is. But the Web Agent works fine, only scanning based on the requirement, so I have to manually satisfy the requirement, but no remediation happens. If you could tell me what is blocking the NAC Agent and why it is not popping up after being installed; it doesn't ask for login either. Thanks for the help.
09-02-2010 09:35 AM
Richard,
In the ACL method, you have to originate traffic towards the CAS's untrusted interface, because you're allowing traffic to the CAS's untrusted interface, but you're not *forcing* it (as is the case with PBRs). So go to the IP address of the CAS from your unauth subnet, and it should redirect and ask you to authenticate. Once authenticated, CAM should switch the port to your Access VLAN and you should have unfettered access to your network then.
HTH,
Faisal
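As an added example of the two methods Faisal describes in his last two replies (this is not from the thread or from Cisco's documentation), here is an IOS-style configuration with constructed addresses: policy-based routing on the central L3 switch that forces the remote authentication subnet to the CAS untrusted interface, and the ACL-only alternative on the remote-site switch. All addresses, VLAN numbers and interface names are assumptions.

```cisco
! Added example, not from the thread or Cisco's documentation. All addresses,
! VLANs and interface names are constructed assumptions:
!   10.19.100.0/24  remote-site authentication VLAN (VLAN 100, unauthenticated)
!   10.19.110.0/24  remote-site access VLAN (authenticated; not matched below)
!   10.19.1.10      Windows DHCP/DNS server local to the remote site
!   10.1.50.2       CAS untrusted interface, on Vlan50 of the central switch
!
! ===== Central L3 switch (adjacent to the CAS untrusted side): PBR method =====
! Traffic arriving from the remote auth subnet is *forced* to the CAS untrusted
! interface, so the client's first web request is redirected to the login page.
! Match only the auth subnet; matching the access subnet would send
! already-authenticated users back through the CAS.
ip access-list extended REMOTE-AUTH-SUBNETS
 permit ip 10.19.100.0 0.0.0.255 any
!
route-map NAC-TO-CAS permit 10
 match ip address REMOTE-AUTH-SUBNETS
 set ip next-hop 10.1.50.2
!
interface GigabitEthernet1/0/1
 description routed link toward the remote site (WAN router)
 no switchport
 ip address 10.1.10.1 255.255.255.252
 ip policy route-map NAC-TO-CAS
!
! ===== Remote-site L3 switch: ACL method (allows, but does not force) =====
! Only DHCP, local DNS and traffic to the CAS untrusted address may leave the
! auth VLAN. Nothing redirects the client, so the user must open a browser to
! the CAS address to be sent to the login page; once CAM moves the port to the
! access VLAN the client gets an access-subnet address and this ACL no longer applies.
ip access-list extended AUTH-VLAN-IN
 permit udp any any eq bootps
 permit udp 10.19.100.0 0.0.0.255 host 10.19.1.10 eq domain
 permit ip 10.19.100.0 0.0.0.255 host 10.1.50.2
 deny ip any any
!
interface Vlan100
 description NAC authentication VLAN
 ip address 10.19.100.1 255.255.255.0
 ip helper-address 10.19.1.10
 ip access-group AUTH-VLAN-IN in
```

With the PBR version the CAS sees the client's first packet without any user action; with the ACL version the client is merely contained until it initiates traffic to the CAS address, which is the difference Faisal points out above.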