I am trying to get a NAC demo running and am having some issues with a Layer 2 OOB, Virtual GW configuration. Currently I have 3560G switches and would like to assign ports to a vlan based on user roles.
My Auth VLAN is 110 and maps to VLAN 11
Guest VLAN is 11 (172.16.1.0/24)
Employee VLAN is 1
NAS Mgmt VLAN is 20 - CAS is 10.10.20.5 (this IP is set up on both eth0 and eth1 per documentation for L2 OOB Virtual GW)
NAM Mgmt VLAN is 30 - CAM is 10.10.30.5
Untrusted (Eth1) switchport is set up as a trunk allowing only VLAN 110 and has a native VLAN 999 to blackhole traffic.
Trusted (Eth0) switchport is set up as a trunk allowing VLANs 1, 11, 20 and has a native VLAN 998 to blackhole traffic.
I also set up a Managed Subnet on the CAS with IP 172.16.1.254 and VLAN 110.
Switchport controlled by NAC is access VLAN 110. When a machine connects an SNMP trap is sent to CAM and is forced into VLAN 110. If I try to put the port in another VLAN CAM puts it back to 110 immediately. This all seems to be working well.
The machine connected to the port gets a DHCP address from VLAN 11. When I initiate traffic from this machine, everything is blocked. If I open a web browser I do not get an authentication page. I also installed CCA 4.1.10 on the machine but it does not find a discovery host and the Login option is grayed out. The only way to get this machine to send traffic is to add a filter for it and force it to the ALLOW option. I did set up a default web login page but I seem to be missing something to get authentication to work.
I am new to this and any help is greatly appreciated. I am running version 4.1.8 with a demo license. The host running CCA is Windows Vista.
Can you ping your default gateway that you get on the client? If so, can you try to browse to the CAS IP address directly from a browser? What's the behaviour then? Do you get a timed-out response or an authentication page?
Thanks for the reply. I cannot ping the default gateway that I get on the client (it is on the other side of the CAS). I've tried to browse and ping the CAS IP also but just get timeouts. Should the client be able to ping/browse to the IP address of the CAS? The management IP of the CAS is in a different VLAN than the client. The managed subnet IP is in the same VLAN & subnet as the client but still I am unable to ping/browse to that address.
The client should be able to browse to the IP address of the CAS and get a redirect page. Make sure you're using the IP address as the URL in your browser and not the name (assuming DNS isn't working yet).
Also make sure you don't have any L3 SVIs for your managed subnet on your core switch.
Have you changed any of the default settings in the traffic policies on this CCA setup?
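The two things worth checking from the switch side, based on the VLAN scheme the original poster listed and the SVI question above, can be automated. The script below is an added example and is not from this thread or from Cisco: it parses a constructed IOS-style running-config (the interface names GigabitEthernet0/1, 0/2 and 0/10 and the SVI address 172.16.1.253 are assumptions made up for the sample) and flags an SVI on the auth VLAN 110, a trunk that carries VLANs it should not (the untrusted trunk must carry only 110, the trusted trunk must carry 11 but never 110), a native VLAN that is not a blackhole, and a NAC-controlled user port that is not in VLAN 110.

```python
"""Config sanity checks for a Cisco NAC L2 OOB Virtual Gateway switch.

Added example, not code from the thread or from Cisco. It models the
VLAN scheme described in the original post: auth VLAN 110 bridged by the
CAS onto access VLAN 11, CAS eth1 (untrusted) on a trunk carrying only
VLAN 110 with blackhole native VLAN 999, CAS eth0 (trusted) on a trunk
carrying VLANs 1, 11, 20 with blackhole native VLAN 998.
"""

AUTH_VLAN = 110           # managed subnet on the CAS, must not be routed by the switch
ACCESS_VLAN = 11          # VLAN the CAS bridges auth traffic onto
TRUSTED_ALLOWED = {1, 11, 20}

# Constructed sample running-config. Interface names and the SVI address
# are assumptions; the first block (the Vlan110 SVI) is the mistake the
# reply above asks about.
SAMPLE_CONFIG = """\
interface Vlan110
 ip address 172.16.1.253 255.255.255.0
!
interface GigabitEthernet0/1
 description CAS eth1 untrusted
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110
 switchport mode trunk
!
interface GigabitEthernet0/2
 description CAS eth0 trusted
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 1,11,20
 switchport mode trunk
!
interface GigabitEthernet0/10
 description NAC controlled user port
 switchport mode access
 switchport access vlan 110
!
"""
# Same config with the SVI block removed: what the switch should look like.
GOOD_CONFIG = SAMPLE_CONFIG.split("!\n", 1)[1]


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command closes the block
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,11,20' or '10-12,110' into a set."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def trunk_info(lines):
    """Return (allowed VLAN set or None for 'all', native VLAN, is_trunk)."""
    allowed, native = None, 1  # IOS defaults: all VLANs allowed, native 1
    for l in lines:
        words = l.split()
        if l.startswith("switchport trunk allowed vlan ") and words[4][0].isdigit():
            allowed = expand_vlan_list(words[4])
        elif l.startswith("switchport trunk native vlan "):
            native = int(words[-1])
    return allowed, native, "switchport mode trunk" in lines


def check_config(config, untrusted_if, trusted_if, user_ports):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ifaces = parse_interfaces(config)

    # 1. The auth VLAN is bridged through the CAS; an SVI on it lets the
    #    switch route around the CAS and breaks the virtual gateway.
    svi = ifaces.get(f"Vlan{AUTH_VLAN}", [])
    if any(l.startswith("ip address") for l in svi):
        findings.append(f"Vlan{AUTH_VLAN} SVI has an IP address; remove it, the CAS bridges this subnet")

    # 2. Untrusted trunk: only the auth VLAN, native VLAN a blackhole.
    allowed, native, is_trunk = trunk_info(ifaces.get(untrusted_if, []))
    if not is_trunk:
        findings.append(f"{untrusted_if} is not a trunk")
    elif allowed != {AUTH_VLAN}:
        findings.append(f"{untrusted_if} must allow only VLAN {AUTH_VLAN}, allows {allowed or 'all'}")
    if native == AUTH_VLAN or (allowed and native in allowed):
        findings.append(f"{untrusted_if} native VLAN {native} is not a blackhole VLAN")

    # 3. Trusted trunk: never the auth VLAN, must carry the access VLAN.
    allowed, native, is_trunk = trunk_info(ifaces.get(trusted_if, []))
    if not is_trunk:
        findings.append(f"{trusted_if} is not a trunk")
    elif allowed is None or AUTH_VLAN in allowed:
        findings.append(f"{trusted_if} carries auth VLAN {AUTH_VLAN} to the trusted side")
    elif ACCESS_VLAN not in allowed or not allowed <= TRUSTED_ALLOWED:
        findings.append(f"{trusted_if} allowed VLANs {allowed} should be {TRUSTED_ALLOWED}")
    if allowed and native in allowed:
        findings.append(f"{trusted_if} native VLAN {native} is not a blackhole VLAN")

    # 4. NAC-controlled user ports start in the auth VLAN.
    for port in user_ports:
        if f"switchport access vlan {AUTH_VLAN}" not in ifaces.get(port, []):
            findings.append(f"{port} is not an access port in VLAN {AUTH_VLAN}")
    return findings


def audit(config):
    """Run the checks with the sample's assumed interface roles."""
    return check_config(config, "GigabitEthernet0/1", "GigabitEthernet0/2", ["GigabitEthernet0/10"])


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Feed it `show running-config` output with the real interface names in place of the assumed ones; the only finding it should print on a correct L2 OOB Virtual Gateway switch is none, and a `Vlan110` finding is exactly the SVI problem the reply asks about.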
I do not have any SVIs created for the 110 Auth VLAN which is also a managed subnet on the CAS. I did discover that I can go to the webpage for the CAS Management (10.10.20.5) and I do get the web login page from a machine that is already on the trusted Employee VLAN. I need to be able to get to this from the Auth VLAN 110 I would think.
Does the NAC Manager see you as a Discovered Client? I would guess yes, since this is based on SNMP Traps.
At this stage of NAC you should be in the Unauthenticated Role - what traffic policy do you have on that? I mean, would it allow ping to your gateway?
Hi Grant, I do see the host as a discovered client. I added a policy to the Unauthenticated Role to allow ALL IP traffic but still have the same result with no traffic being allowed.
Can someone tell me their VLAN/IP scheme for an L2 OOB Virtual Gateway deployment? I tried to follow straight out of the Cisco Press book with no luck. I feel like I have an address missing or an address assigned to the wrong interface/managed subnet.