NAC In-band Real IP Gateway process

Xavier Lloyd
Level 1

Hi all,

I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P

  1. How does In-band Real-IP Gateway work?
  2. What is the point of the /30 subnets?
  3. Are there access/auth VLAN pairs in in-band configurations?
  4. How does quarantining work?
  5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
  6. Can you do role-mapping with in-band configurations?

Any help with any or all of these questions would be GREATLY appreciated!

Thanks much =]

~ Xavier.

Accepted Solution

Federico Lovison
Cisco Employee

Hi Xavier,

Let me try to answer your questions.

1. How does In-band Real-IP Gateway work?

The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes.

2. What is the point of the /30 subnets?

The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.

Check here for some explanation:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889

3. Are there access/auth VLAN pairs in in-band configurations?

If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.

4. How does quarantining work?

When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.

So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.

5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?

The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.

You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.

This is also mentioned here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938

The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.

6. Can you do role-mapping with in-band configurations?

Yes, you can do it! However, you cannot assign VLANs as you do in OOB, but you can assign different access levels based on the IP traffic policies and bandwidth restrictions you assign to the specific role.

Check for instance here for more details:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231

In a nutshell, irrespective of the use of InBand vs. OutOfBand:

- the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.

The main difference occurs when the user is authorized to have access to the network and you perform role assignment both in IB and OOB, but:

- in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);

- in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.

I hope this answers your questions.

Regards,

Federico

--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
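As an added illustration (not code from this thread or from Cisco), here is a small Python model of two points in the answer above: why carving the authentication VLAN into /30s forces every client-to-client packet through the CAS, and how the inline per-role traffic policy then decides what a client in the quarantine, temporary or employee role may reach. All addresses and role names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the authentication VLAN's /24 carved into /30s,
# one per client, with the CAS untrusted interface as each /30's gateway.
AUTH_VLAN_POOL = ipaddress.ip_network("10.10.0.0/24")

# Constructed role policy (hypothetical roles and addresses, not from the
# thread): quarantine/temporary may reach only the remediation server, the
# employee role may reach the whole trusted network. This stands in for the
# per-role traffic policy the CAS applies inline in IB mode.
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")
REMEDIATION = ipaddress.ip_network("10.20.0.50/32")
ROLE_POLICY = {
    "quarantine": [REMEDIATION],
    "temporary": [REMEDIATION],
    "employee": [TRUSTED_NET],
}


@dataclass(frozen=True)
class Lease:
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address  # CAS address inside this /30
    client: ipaddress.IPv4Address


def allocate_slash30s(pool):
    """Carve the pool into /30s: network, CAS gateway, client, broadcast."""
    leases = []
    for sub in pool.subnets(new_prefix=30):
        gw, host = sub.hosts()  # a /30 has exactly two usable addresses
        leases.append(Lease(subnet=sub, gateway=gw, client=host))
    return leases


def routed_via_gateway(src, dst, prefixlen):
    """True when src and dst fall in different subnets of the given length,
    so the client hands the packet to its gateway (the CAS) instead of
    ARPing for the peer directly on the shared L2 VLAN."""
    src_net = ipaddress.ip_interface(f"{src}/{prefixlen}").network
    return ipaddress.ip_address(dst) not in src_net


def cas_forward(role, dst):
    """Inline policy check the CAS applies to a routed packet from `role`."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for net in ROLE_POLICY.get(role, []))
```

With a flat /24 two clients on the VLAN are L2 neighbours and the CAS never sees their traffic; with /30s the same two addresses are in different subnets, so the packet is routed through the CAS and the role policy applies.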


Thank you Federico! This is exactly what I wanted =]

I have a follow up question though...

Why then would people use, say, a L2 In-band RGW compared to a L2 in-band VGW?

In my head, the only reason would be because in RGW mode, you can prevent people on the same VLAN from speaking to each other without being authenticated before. Is this right? Is there any other reason?

Also with the in-band role-mapping...it's not done by a VLAN re-tagging (I see that they're phasing out that option) but with access controls on the NAC Server. So what VLAN is the traffic in when it hits the protected network? Is it that there's still an auth-access pair...but your access isn't governed by what VLAN you're in? If that's right...then in theory all VLANs would have access to everything as far as the network sees things (so no ACLs)...but access control is enforced by the NAC box. So Mary wouldn't care if she's in [untrusted] VLAN 200, 300, or 400 and the network doesn't care whether the traffic is in [trusted] VLAN 20, 30, or 40 because the NAC is the one to worry about who can access what based on their role assigned after authentication. OK if all that is correct then I think I understand =).

I guess it's difficult for me 'cause we have a L2 OOB VG deployment that I've learned to understand almost inside-out...so it's hard thinking outside of what I understand lol.

Thanks Fed for your expert advice. As I always say, you are the "NAC GURU" :-).

Regards,

Vinay
