12-09-2008 01:08 PM - edited 02-21-2020 03:09 AM
Hi,
I am trying to set up a NAC OOB Virtual GW scenario (attached is the Visio schematic of the setup):
Switch: 3550 (ios 12.2(46) adv ip serv)
NAC 4130 appliances: v4.1.6 (also tried v4.5)
Switch configuration of the trunks to the CAS:
- int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of CAS) and 10 (hosts access vlan)
- int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlan 100 (hosts authentication vlan)
- SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
The problem I am facing is that a host, once connected to a managed port, is able to acquire an IP from the access VLAN from the DHCP server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
- Login Page
- Configured IP-based traffic control on the unauthenticated role to permit all traffic (also host-based to permit https://192.168.199.1 -> the CAS' IP, with trusted DNS set to my DNS server 192.168.99.1)
- Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
- vlan mapping between untrusted vlan 100 and trusted vlan 10
- tried to access a website resolvable by my DNS from the host (as per the suggestion in a previous post to someone facing the same problem)
- also tried to access the CAS' login page from the host, in vain, even though it is accessible from trusted subnets
Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
I would be very thankful for any hints to help me solve this issue.
Questions: When the host is connected to a managed port (assigned to the managed VLAN 100) and it is assigned an IP from the access VLAN 10, shouldn't I be able to access the managed subnet, since I configured the IP traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's IP with "nslookup x.com", since DNS traffic is configured by default and the trusted DNS server 192.168.99.1 is also configured?
Thanks in advance for any help.
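The switch side of the first post's setup, written out as Catalyst IOS configuration (an added example, not the poster's own config or Cisco's documentation); the SVI addresses, VLAN names, the host port f0/1 and the ip helper-address are assumptions:

```cisco
! Added example, not the original poster's or Cisco's configuration: the trunk and SVI
! layout described in the question, written as Catalyst IOS configuration.
! Values taken from the post: CAS eth0 = 192.168.199.1, DNS/DHCP server = 192.168.99.1,
! VLANs 10/100/199, native VLANs 998/999. Assumed: SVI addresses, VLAN names,
! the managed host port (f0/1) and the ip helper-address for DHCP relay.
vlan 10
 name HOSTS-ACCESS
vlan 100
 name HOSTS-AUTH
vlan 199
 name CAS-MGMT
vlan 998
vlan 999
!
! Trusted side: CAS eth0 carries the CAS management VLAN and the hosts' access VLAN.
! The native VLAN is an otherwise unused VLAN so that untagged frames (VLAN 1 included)
! never reach the CAS, and VLAN 1 is left out of the allowed list.
interface FastEthernet0/23
 description CAS eth0 (trusted)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,199
 switchport mode trunk
 spanning-tree portfast trunk
!
! Untrusted side: CAS eth1 carries only the authentication VLAN.
interface FastEthernet0/21
 description CAS eth1 (untrusted)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 100
 switchport mode trunk
 spanning-tree portfast trunk
!
! Hosts in VLAN 100 obtain an address from VLAN 10 through the CAS VLAN mapping (100 <-> 10).
! Deliberately no SVI on VLAN 100: otherwise the switch would route unauthenticated
! hosts straight past the CAS. The helper-address relays DHCP to the server on VLAN 99.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.99.1
interface Vlan199
 ip address 192.168.199.254 255.255.255.0
!
! Managed host port: starts in the authentication VLAN; after login the CAM moves it to VLAN 10.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
```

On a 3550 acting as the L3 switch this central-deployment layout (both CAS interfaces into the same switch) is exactly the case Cisco lists as unsupported because of caveat CSCdu27506; on a 3560/3750 it requires 12.2(25)SEE or later.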
12-09-2008 06:22 PM
Try this:
Connect your test machine to vlan 10.
Do you get DHCP and DNS, and can you browse to a DNS-resolvable web site?
If so, move on to:
"Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)"
Rip this out and only allow UDP bootpc and bootps as well as ICMP traffic (and the DNS trusted host in the host policy) for the Unauthenticated role,
then make sure you receive the DHCP address
and ping your gateway through the CAS (should work as it's allowed by policy).
Move your PC to a port on vlan 100.
Then open your browser to https://192.168.199.1. Do you get the login page, yes/no? If yes, then
flush your DNS cache on your machine.
Then open your browser to the DNS-resolvable web site you were able to resolve before (make sure the DNS was not cached: you're trying to send a port 53 request, which the CAS will reply to with its own redirect).
12-09-2008 11:56 PM
Hi,
The tests are successful on vlan 10.
When I connect the host to the managed subnet (vlan 100) I am not able to access the login page https://192.168.199.1, nor am I able to ping the gateway's IP (SVI 10 on the switch), even though I permitted ICMP any to any in the IP traffic control policy. I also tried to enable "allow any" for layer 2 traffic in the Ethernet traffic control policy for the unauthenticated role, but it didn't work.
(attached are configuration snapshots of my unauthenticated role traffic control policies and ip config of CAS)
12-10-2008 03:29 AM
Hi there,
if you want to connect to the CAS, you should type https://ipaddress/admin;
otherwise you cannot reach the login page of the CAS.
12-10-2008 06:30 AM
It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
For further details, refer to switch IOS caveat CSCdu27506.
See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
Cisco Catalyst Switch Model | Virtual Gateway Central Deployment (both interfaces into same switch) | Virtual Gateway Edge Deployment (each interface into different switch)
6000/6500 | Yes | Yes
4000/4500 | Yes | Yes
3750/3560 (L3 switch) | Yes with 12.2(25)SEE and higher [1] | Yes
3550 (L3 switch) | No [1] | Yes
3750/3560 (L2 switch) | Yes | Yes
3550 (L2 switch) | Yes | Yes
2950/2960 | Yes | Yes
2900XL | No [2] | Yes
3500XL | Yes | Yes
28xx NME | Yes with 12.2(25)SEE and higher [1] | Yes
[1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
[2] 2900XL does not support removing VLAN 1 from switch trunks.