08-22-2010 04:37 AM - edited 03-09-2019 11:07 PM
Hi,
When I open a webpage, the NAC login page does not display or hit. I have enabled the login page in CAM. I don't have a DNS server in this setup.
Following things I have done:
1, Trunk link to Untrusted Port of CAS allowed only Authentication VLAN (e.g. 9)
2, Trunk link to Trusted Port of CAS allowed only Access VLANs and management VLAN of CAS (99, 218)
3,
eth0: IP is 10.10.10.252
DG: 10.10.10.1 (IP address of SVI218)
eth1: IP is 1.1.1.1
DG: 1.1.1.2 (there is no SVI with this IP address)
3, Added CAS to CAM with L2OOB Virtual Gateway and configured managed subnet and VLAN mapping.
4, Enabled user login page in CAM.
5, Switch management: SNMP configuration on CAM and switch (working fine)
I used to type the CAS management IP address in the address bar of Internet Explorer from the untrusted side, but no response. Anything I'm missing?
08-22-2010 05:12 AM
Fahad,
VGW setups usually have the same IP address on both eth0 and eth1 of the CAS. You say login page isn't displaying. Are you getting DHCP on your client? What IP is being assigned to it?
Can you post your config screenshots from the CAS? Specifically, the network config, managed subnets and vlan mapping pages?
Faisal
08-22-2010 06:24 AM
Dear Faisal,
Many thanks for your response.
I am getting an IP address from DHCP on the client (authentication VLAN 9, access VLAN 99, and the IP address got from DHCP is 10.10.99.11). When we assign same-subnet IP addresses for eth0 and eth1 (OOB virtual gateway), we will lose access to the CAS. We can have same-subnet IP addresses if the CAS is in IB virtual gateway. I have configured the following things in Managed subnet and VLAN mapping.
Managed subnet :-
ip address :10.10.99.4
subnetmask : 255.255.255.0
vlan : 9
Vlan Mapping:-
Vlan mapping is enabled
Untrusted vlan:- 9
Trusted Vlan :- 99
Thanks & Regards,
Fahad Salim.
08-22-2010 11:13 AM
Fahad,
That is the recommended/supported design, to have the same IP on the CAS's both interfaces. When you say you will lose access to the CAS, what do you mean by that?
Can you also verify what the status of the "Enable subnet-based VLAN retag" is? Is it checked or unchecked?
Faisal
08-22-2010 12:20 PM
Dear Faisal,
"Enable subnet-based VLAN retag" is unchecked. When I made both interfaces (eth0 and eth1) in the same subnet, the CAM was not able to reach the CAS. So I put them in different subnets.
Thanks & Regards,
Fahad Salim.
08-23-2010 03:02 AM
Fahad,
Is your CAM in the same VLAN as your CAS? If so, move your CAM to a different VLAN, and then assign same IP to the CAS.
Faisal
08-25-2010 04:29 AM
08-26-2010 04:02 AM
Fahad,
Okay, so one step at a time then.
- Does your client get an IP address?
- If so, can he ping his default gateway?
- If so, can he resolve any names?
  - If not, can you try to browse the CAM's IP address from the client? What happens when you try that?
  - If it can resolve names, can you try to browse to google? What happens with this?
- Can you try and browse to the CAS IP address from your client? What happens with this test?
Faisal
08-26-2010 04:17 AM
Dear Faisal,
The client is getting an IP address and is not able to ping the default gateway (client in authentication VLAN). There is no DNS server in this scenario, so if I browse the CAM IP address or CAS IP address, I will receive the error message 'Internet Explorer cannot display the webpage'.
Thanks & Regards,
Fahad Salim.
08-28-2010 11:29 AM
Fahad,
That sounds wrong. Can you do a capture on the untrusted interface of the CAS and see if you're seeing the client traffic hitting it?
Faisal