2018 Views, 0 Helpful, 6 Replies

Problem with OOB NAC and 5508 WLC

rchester (Level 1)

I have a 5508 WLC trunked to a 6500 switch. Also trunked to the switch on both eth0 and eth1 is the CAS. The CAM is connected with an access port.

The CAS and CAM are on separate VLANs and the CAS was added to the CAM without issue.

I followed the example document for OOB WLAN (VLANs and mapping etc.) but I don't get any authentication going on. The client associates and the WLAN interface is the quarantine VLAN. However, it seems the client can connect to the network without issue (can web browse to a server internal to the campus).

The client is shown in the wireless clients on the device page of the CAM.

If I close down either of the CAS interfaces the client connectivity is broken.

Just once, randomly the Clean Access Login Page appeared on the client (battery had died and waited about an hour) but when I rebooted the CAS to check it was consistent it never came back.

I haven't configured the SSO part, should this be completed or is it a valid test so far without it?

Any ideas where to start with this issue?

Thanks

reload in 25 years
Accepted Solution

Yes, it sounds like somewhere, your "quarantine/unauthenticated" vlan is bridged to the complete network, I don't see another explanation.

Try configuring the WLC for a totally new quarantine vlan that doesn't exist anywhere.

You should then not have any access at all to anything. Then try to allow that vlan progressively to reach the CAS and constantly test. You should find the point where the vlan is "leaking".

Nicolas

===

Don't forget to rate answers that you find useful


6 Replies

rchester (Level 1)

Adding diagrams.

I have also noticed if I do a tcpdump on eth1 of the CAS I don't see a single packet!

reload in 25 years

Hi,

What do you mean by "the WLAN interface is the quarantine VLAN"?

It's never the whole interface that is in the quarantine vlan.

Can you go to "monitor->clients" and check the details of your client and post the screenshot here ?

That will say if WLC is putting in the correct vlan and is in the correct NAC state.

Thanks.

Nicolas

Hi Nicolas and thanks for responding.

What I meant is exactly what you are asking....

In Monitor/Clients screen the client is shown to be assigned to the quarantine vlan configured for the dynamic interface on the WLC. However the client can still access servers they shouldn't from this VLAN.

I also notice that if I browse from the client to the CAS and complete a manual authentication, the client is certified and the Monitor/Clients screen shows the client has moved to the access VLAN configured for the dynamic interface on the WLC.

I think the VLAN may be leaking? I don't see any packets on a tcpdump on eth1 of the CAS.

reload in 25 years

Nicolas,

I was given access to the core switches and I found a "less than optimal" configuration :-) I removed the NAC VLANs from a port channel and made my switch the root for the NAC VLANs and all is now good :-)

Do you have a good resource describing how to get the agent software to be automatically downloaded to the client?

Thanks again

reload in 25 years
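The fix rchester describes (pruning the NAC VLANs from the core port channel and making the local switch the spanning-tree root for them), written out as an added IOS configuration example. This is not configuration from the thread; the VLAN IDs (901 quarantine, 902 access), the port-channel number and the interface names are constructed placeholders.

```cisco
! Constructed example: VLAN 901 = NAC quarantine VLAN, VLAN 902 = NAC access VLAN.
!
! Step 1: keep the NAC VLANs off the core port channel so the quarantine VLAN
! is not bridged onto the rest of the campus through that uplink.
interface Port-channel1
 switchport trunk allowed vlan remove 901,902
!
! Step 2: carry the NAC VLANs only on the trunks that need them:
! the WLC trunk (both VLANs, the WLC moves the client between them by NAC state)
! and the CAS trunks (access VLAN on trusted eth0, quarantine VLAN on untrusted eth1).
interface GigabitEthernet1/1
 description WLC 5508 trunk
 switchport trunk allowed vlan add 901,902
!
interface GigabitEthernet1/2
 description CAS eth0 (trusted)
 switchport trunk allowed vlan add 902
!
interface GigabitEthernet1/3
 description CAS eth1 (untrusted)
 switchport trunk allowed vlan add 901
!
! Step 3: make this switch the spanning-tree root for the NAC VLANs so their
! topology is rooted here rather than on another core switch.
spanning-tree vlan 901,902 root primary
!
! Verification (exec mode): Port-channel1 must not list 901/902 as allowed,
! and the root bridge for VLAN 901 must be this switch.
! show interfaces trunk
! show spanning-tree vlan 901
```

With this in place, a client in VLAN 901 should reach only the CAS untrusted interface; any other reachable host points at the trunk on which the VLAN is still leaking.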

Hi Nicolas,

I'm experiencing a similar problem. When I connect to an SSID for which I've configured a quarantine VLAN, my laptop connects directly to the access VLAN, not to the quarantine VLAN. I'm sure the switch has the quarantine VLAN and access VLAN defined. And I've enabled the NAC state in the WLAN.

When I check the WLC under Monitor -> Clients, the laptop gets the access VLAN directly when it connects.

Maybe you can help me?

Thanks.
