Re: NAC Troubleshooting

czottmann · ‎05-11-2010

Hi!

We are now installing a OOB NAC Solution, in the Virtual Gateway mode, and we are having a hard time to get the workstations to correctly run windows GPOs, run the login scripts and finally have total access to the network.

I suppose we are having trouble with Traffic Control. We are sniffing traffic with Wireshark, configuring the correspondent rules in the NAC Cam, but no success yet. Is there a way to track the traffic the the NAC Cas is blocking, or other useful troubleshooting tips for this kind of problem?

Thanks in advance,

Carlos.

Faisal Sehbai · ‎05-11-2010

Carlos,

No tools on the CAS yet to see what's being blocked.

Make sure you have IP Fragments and ICMP allowed to your DCs. As a troubleshooting step, open all access to your DCs and see if that works. If it does, then block all access, allow ICMP/Fragments and the relevant NETBIOS ports (445,135,139,3128,636,389 etc etc - the whole list is in the AD SSO setup docs)

HTH,

Faisal

czottmann · ‎05-12-2010

Thanks, Faisal!!

We are running tests right now with all access opened, to all servers (not just our DCs) with no role-requirements enabled, but our windows login script is still not doing all its supposed to do.

As of yesterday, we had both the Clean Access Agent and the Agent Stub installed in our workstations, but, as we are running version 4.7, the Agent Stub isn´t needed, right? We removed the Agent Stub today, but I would like to know if the existence of both agents at the workstaions, on version 4.7, can be the source of any problems ....

Best regards,

Carlos.

Faisal Sehbai · ‎05-12-2010

Carlos,

You're correct in that you don't need the stub anymore with 4.7 agent.

As troubleshooting step, try opening up ALL IP in the unauthenticated role. Do you still see problems? If so, when you move the port to the Access VLAN directly, do you still see problems? Going through NAC if all IP is allowed in the unauthenticated role, it's almost equal to NAC being non-existant in the network.

Faisal

czottmann · ‎05-13-2010

Hi, Faisal!!

Things got better after removing the agent stub. Our windows login script, where we had already inserted a "ping loop" at the beginning to test network connectivity, started running ok most of the times.

Going through the Traffic Control rules, we noticed that we had a "Block all" rule at the beginning of the "temporary" role. We changed it to permit all traffic, and from this moment on, all our tests run successfully.

So, it raised a question for me. What is the CAS behaviour during the transition from the unauthenticated to the temporary role? Does it allow all traffic for a brief moment and then applies the rules configured for the temporary role?

Best regards,

Carlos.

Faisal Sehbai · ‎05-14-2010

Carlos,

I don't have a 100 percent sure answer for this, but I think what you're suggesting is what happens. Concept of roles is vital in CCA and at any given point in time, an user is always part of a role. It follows that the role policies are applied to an user when he/she becomes part of that role.

For your particular problem, if it works with allowing access to ALL in temporary/unauthenticated role, I would start clamping down to see where it breaks and then figure it out from there.

HTH,

Faisal