07-04-2011 08:15 AM - edited 03-09-2019 11:35 PM
Hello all,
We've set up NAC as an Out-Of-Band Real IP Gateway. We did the test from an L3 adjacent client.
It's working when logging in from the web. The user is listed under online OOB users, and the PC gets an IP address on the VLAN assigned to the user role.
We'd like to use the Cisco Agent for the L3 adjacent user, but the Agent window doesn't pop up.
For the moment, no ACL is configured on the router between the NAC and the user.
Could anyone tell how to troubleshoot / fix this issue?
07-06-2011 01:00 PM
You may need to make a few XML edits; also be sure 8905-8906 TCP & UDP can reach the mgmt server. This file can be found in the Cisco Agent dir under Program Files. Once you edit the file, upload the file back to the CAM (Mgmt) via the webpage under Clean Access > Clean Access Agent > Installation.
File = NACAgentCFG.xml
07-11-2011 05:17 AM
Hello,
Thanks for your reply.
For the moment, we're using NAC ver 4.1.1 (no XML file).
We'd like to use the NAC for both L2 and L3 OOB, Real IP Gateway.
The configuration we did is as follows:
- The untrusted interface of the NAS is connected to a trunk switch port and the trusted interface to an access switch port.
- The NAS is configured as DHCP server for the Auth VLAN.
- A route to the IP address of the unauthenticated L3 adjacent user is added on the NAS.
- A PBR is configured on the CORE switch and on the edge router to send traffic from the unauthenticated user to the untrusted interface of the NAS.
What we noticed is that we can ping the IP address of the NAS's untrusted interface from the L3 adjacent user only after launching a ping to this IP on the CORE, and then the Agent pops up (if no ping, no pop-up).
Could you please tell if there's something wrong or missing in the above steps?
How can we fix this issue?
07-11-2011 07:46 AM
Well, I don't think both layer 2 and layer 3 are going to work. When you add your CAS to the NAC Manager it will ask the type of deployment. I am using layer 3 OOB. You also do not need a trunk port with this type of deployment. I would make the untrusted network an SVI VLAN off your core and then lock things down via an ACL. You will need to allow 8905, 8906 TCP/UDP & 8910 TCP. You will also need to allow all of the MS ports, DHCP, DNS. Here is an example of the ACL I use.
10 permit icmp any any echo-reply
15 permit icmp any 10.20.1.0 0.0.0.255
20 permit udp any any eq bootpc
30 permit udp any any eq bootps
40 permit udp any any eq domain
50 permit tcp any 10.20.1.0 0.0.0.255 range 49152 65535
60 permit udp any 10.20.1.0 0.0.0.255 range 49152 65535
70 permit udp any 10.20.1.0 0.0.0.255 eq 389
80 permit tcp any any eq 8905 (116 matches)
90 permit udp any any eq 8905 (370 matches)
100 permit udp any any eq 8906
110 permit tcp any 10.20.1.0 0.0.0.255 eq 389
120 permit tcp any any eq 8910
130 permit tcp any host 10.20.1.1 eq 443
140 permit tcp any host 10.20.1.1 eq www
150 permit tcp any 10.20.1.0 0.0.0.255 eq 88
160 permit tcp any 10.20.1.0 0.0.0.255 range 135 139
170 permit tcp any 10.20.1.0 0.0.0.255 range 1025 1026
180 permit tcp any 10.20.1.0 0.0.0.255 eq 3268
190 permit tcp any 10.20.1.0 0.0.0.255 eq 445
200 permit udp any 10.20.1.0 0.0.0.255 range 135 netbios-ss
999 deny ip any any
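As an added check (not from this thread or from Cisco), a small Python script that parses `show access-list` style output like the ACL above and reports which of the Agent ports named in these replies (8905/8906 TCP and UDP, 8910 TCP, plus DHCP and DNS) the list does not permit. It evaluates protocol and destination port only, ignoring addresses, and the port-keyword table is an assumption of the standard IOS names.

```python
import re

# Standard IOS port keywords used in the ACL above (assumption: IOS default names).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80, "netbios-ss": 139}
# Ports the replies say the Agent needs: 8905/8906 TCP+UDP, 8910 TCP, plus DHCP/DNS.
REQUIRED = [("tcp", 8905), ("udp", 8905), ("tcp", 8906), ("udp", 8906),
            ("tcp", 8910), ("udp", 67), ("udp", 68), ("udp", 53)]
# seq, action, protocol, rest of the ACE, optional "(N matches)" hit counter.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")

def _port(tok):
    # Numeric port or IOS keyword; an unknown keyword raises KeyError on purpose.
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_ace(line):
    """One ACL entry -> seq/action/proto/destination port range; addresses are ignored."""
    m = ACE_RE.match(line)
    if not m:
        return None  # not an ACE line (header, blank, etc.)
    seq, action, proto, rest = m.groups()
    toks = rest.split()
    lo, hi = 0, 65535  # no port clause: any destination port
    if "eq" in toks:
        lo = hi = _port(toks[toks.index("eq") + 1])
    elif "range" in toks:
        i = toks.index("range")
        lo, hi = _port(toks[i + 1]), _port(toks[i + 2])
    return {"seq": int(seq), "action": action, "proto": proto, "range": (lo, hi)}

def first_match(aces, proto, port):
    """First ACE in sequence order covering proto/port, as IOS evaluates the list."""
    for ace in sorted(aces, key=lambda a: a["seq"]):
        if ace["proto"] in (proto, "ip") and ace["range"][0] <= port <= ace["range"][1]:
            return ace
    return None  # only the implicit deny at the end would apply

def missing_required(acl_text, required=REQUIRED):
    """(proto, port) pairs the ACL does not permit; an empty list means all pass."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    return [(p, d) for p, d in required
            if (hit := first_match(aces, p, d)) is None or hit["action"] == "deny"]

# Constructed excerpt of the ACL posted above, hit counters left in to show they parse.
ACL_FROM_THREAD = """\
20 permit udp any any eq bootpc
30 permit udp any any eq bootps
40 permit udp any any eq domain
80 permit tcp any any eq 8905 (116 matches)
90 permit udp any any eq 8905 (370 matches)
100 permit udp any any eq 8906
120 permit tcp any any eq 8910
999 deny ip any any"""
```

Run against the excerpt, `missing_required(ACL_FROM_THREAD)` returns `[("tcp", 8906)]`, since the posted list permits 8906 over UDP only.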
07-15-2011 08:44 AM
Thanks for your reply.
Do you mean we cannot use one NAS for both RIP L2 and L3?
I thought L3 could be enabled with L2 RIP by checking the corresponding check box.
Do we need to add a static route or ARP entry on the NAS (for the IP address of non-authenticated users)?
We are using OSPF; we'd like to ask if the network IP addresses of the NAS untrusted interface, NAS trusted interface and non-authenticated users should be configured for OSPF?
07-19-2011 12:14 AM
Hello Bobby,
After some labs, we noticed that it is not a problem of VLAN or trunk/access.
After adding a static route on the NAS, we need to ping the NAS's IP address from the switch before we can ping it from the L3 adjacent user.
We don't know what's wrong or missing in the config.
We tried to remove the static route and add an ARP entry on the NAS; then we can ping the NAS from the L3 user.
Could you please help? What should be done to fix it?