NAC Clean Access Authentication not doing anything

mamaral · ‎12-30-2010

Hi!

I have instaled an NAC solution, using oob with acl's.

When i get to the Clean Access Authentication page, using the right user and password, or an worng one, the page keeps showing up, requesting to authenticate and without any errors.

Did this happened to anyone?

TKX

Miguel

Federico Ziliotto · ‎12-30-2010

Hi Miguel,

We may need to quickly check the OOB configuration too.
How are the settings under the following pages?

Device Management > Clean Access Servers > [your CAS] > Network > IP
Device Management > Clean Access Servers > [your CAS] > Advanced > Managed Subnets
Device Management > Clean Access Servers > [your CAS] > Advanced > VLAN Mapping

Also, could you please confirm what is the subnet of the trusted vlan where the user should be getting an IP address when it connects?

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

mamaral · ‎12-30-2010

Hi Federico!

My configuration is using Out-of-Band Real-IP Gateway, so there is no VLAN Mapping.

My cas ip is 10.16.214.65/24

The Managment network is 10.16.0.0/24

Buy the way, i have anothor problem. The Untrusted interface as the ip 10.16.0.194. I added an route so that the cas wold talk to the authentication network of the client using the untrusted interface, but when i access the url http://10.16.0.194, it redirects to the url 10.16.214.65. Because of the route added, it does not has access. I then have to fix the url back to the ip 10.16.0.194 and then i access the authentication page.

TKX

Miguel

Federico Ziliotto · ‎12-30-2010

Thank you for all the details Miguel,

It would still be useful to have some initial details from the following screenshots:

Device Management > Clean Access Servers > [your CAS] > Network > IP
Device Management > Clean Access Servers > [your CAS] > Advanced > Managed Subnets

Also, for managed subnets, we should be configuring static routes on the L3 switch(es).

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

mamaral · ‎12-30-2010

Hi Federico,

Here is the screenshoots that you asked for.

TKX

Miguel

Federico Ziliotto · ‎12-31-2010

Hi Miguel,

The configuration so far looks OK.
The only test I would suggest would be to keep the clients on a vlan/subnet different from the CAS untrusted IP's subnet.

I am telling this because usually we have the following:
1. Clients are being assigned to a trusted vlan/subnet, for which we have an IP address configured in the CAS as a managed subnet and assigned to that vlan.
2. In this case, clients are getting an IP on the same subnet as the untrusted interface of the CAS, which is not doing any kind of vlan tagging.

As a further test, you could for example keep the clients on a subnet that is not the same as the one for the CAS untrusted interface and add the corresponding managed subnet for that client vlan.
Alternatively, you could configure the CAS untrusted interface to tag traffic on the same vlan where clients are getting an IP, but this is usually more tricky.

This suggestion comes from the fact that what you are experiencing (clients continuously re-prompted for authentication) is often seen when the CAS is not configured for the proper managed subnets.

One more thing to verify is that the user being authenticated is not falling under the Unauthenticated Role.

This could happen for example when configuring an Authentication Provider with the default role as Unauthenticated and mapping rules: if mapping rules are not triggered correctly, the default Unauthenticated Role will be assigned and the client will keep getting the authentication prompt.

If these further points didn't show any improvements, I would recommend to keep following this through a TAC Service Request:
http://tools.cisco.com/ServiceRequestTool/create/launch.do

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

mamaral · ‎12-31-2010

Hi!

I already had the clients network and vlan diferent from the managment vlan.

Managment network : 10.16.0.0/24

CLients network : 10.39.120.0/24

I have tried tagging the packets from the management vlan, but the problem presists.

TKX

Miguel

Federico Ziliotto · ‎12-31-2010

Hi Miguel,

If your clients are connecting in the 10.39.120.0/24 network, you'd then need to add an IP from this network in the managed subnets and link it to the client's vlan.

Also, you should make sure that there are static routes configured pointing to the managed subnets.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

mamaral · ‎12-31-2010

Hi!

In this case, the client is on an remote site. I cannot get there trought switching. I can only get there trought rounting,

TKX

Miguel

Federico Ziliotto · ‎12-31-2010

Hi Miguel,

Managed subnets may still be needed under the CAS configuration, even if clients are in L3 mode.

Apart from checking this, you may then need to have this issue followed through a TAC case as it looks like it will require some more troubleshooting:

http://tools.cisco.com/ServiceRequestTool/create/launch.do

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.