Cisco NAC Discovery Host Field Usage in both L3 OOB and L2 OOB

dumlutimuralp
Level 1

Hi all,

We are in the project initiation phase in a huge Cisco NAC deployment. 

Customer has 8 regional offices which are gonna be deployed in L2 OOB mode with its own NAC Servers.

Customer also has 25 small offices which are gonna be deployed in L3 OOB mode (with aid of Access Control List) with two central NAC servers.

NAC Agent will be deployed centrally through Microsoft Windows Domain Services to each computer in the domain. However, users could be moving from a small office to a regional office occasionally.

I was wondering how we should use the Discovery Host Field in the Agent XML file?

My opinion is setting the Discovery Host field to the IP address of the central NAC servers. This setting will be used when the user is in a small office, and when in a regional office, the L2 OOB mode NAC server will already intercept the user traffic and the IP address in the discovery host field won't matter in that case?

Am I correct ?
Any help extremely appreciated.

Dumlu


3 Replies

Federico Lovison
Cisco Employee

Hi Dumlu,

The discovery host address will be used by the agent as a probe packet to discover the NAC Server.

It's not strictly necessary for this address to be either the one of the NAC Server or the one of the NAC Manager, but you need to make sure that the packet will hit/cross the CAS from all your locations when the clients are in the unauth VLAN. Given this, the address has to belong to the trusted network.

By default it's set as the NAC Manager address (i.e. when you install it by downloading from the web login page), so this will work in most cases.

You can find more info on the config guide, i.e.:

https://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_addSrvr.html#wp1124243

I hope this helps.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Hi,

I have already gone through that document. The problem is,

I got two options in order to redirect the NAC agents' traffic from the small offices to the NAC server which is located at HQ.

  1. Using PBR
  2. Using ACL and Discovery Host Field

We prefer the second approach. PBR is difficult to manage for the customer.

So we will put the central NAC Servers' IP address into the Discovery Host Field. (By the way, in the NAC Manager GUI it is already said that this setting applies to L3 users.)

The thing is, the endpoints with NAC agents usually hang out at small offices; however, from time to time, they visit the regional offices. So the question is whether the setting above would cause any problems when they are in the regional offices. In regional offices the NAC agent traffic has to go through the NAC server since that is gonna be a L2 OOB deployment. But since we did not test this, I have doubts whether this is gonna work smoothly if the NAC agent has its Discovery Host Field populated with the central NAC server IP and its traffic is going through the regional office's local NAC server.

Or are you saying that, even with the second approach I mentioned above, I could still leave the discovery host field as the NAC Manager IP? 'Cause when the client is at a small office and has the NAC Manager IP in its discovery host field, then when its traffic tries to reach the NAC Manager IP, that traffic would not be going through the central NAC server at all.

Dumlu

Hi Dumlu,

if your concern is about L2 users, then this is going to work irrespective of the configured discovery host address.

This is the case as the Agent will try the configured discovery host address on top of the default gateway address.

In L2, the NAC Server is in between the host and the default gateway, so the L2 discovery process will work anyway.

Consider that for L3 users, the discovery packet sent to the discovery host address has just to hit the NAC Server, it doesn't really matter if then the agent can reach this address; the point is making sure that the NAC server receives this packet so to reply with the specific NAC Server info.

I hope this answers your question.

Regards,

Federico

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
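To make the reasoning in the thread concrete, here is an added example (not code from the original post, Cisco, or the NAC Agent itself) that models the two site types and checks, for a candidate discovery host address, whether the agent's discovery probe would cross a NAC Server (CAS). It follows only what the replies state: the agent probes the configured discovery host in addition to the default gateway; in L2 OOB the CAS sits inline between host and gateway; in L3 OOB the probe must be steered through the central CAS by the site's ACL/routing. All IP addresses, site names and the `routed_via_cas` set are constructed assumptions.

```python
"""Model of NAC Agent discovery-host reachability across L2 OOB and L3 OOB sites.

Constructed illustration of the thread's reasoning; it is not the NAC Agent's
real discovery logic and the addresses below are placeholders.
"""
from dataclasses import dataclass, field

# Constructed placeholder addresses (assumptions, not from any real deployment).
CENTRAL_CAS_IP = "10.0.0.10"      # central NAC Server used by the L3 OOB small offices
NAC_MANAGER_IP = "10.0.0.20"      # NAC Manager (the default discovery host per the thread)


@dataclass
class Site:
    """One office and how agent traffic reaches a NAC Server from the unauth VLAN."""
    name: str
    mode: str                      # "L2_OOB" or "L3_OOB"
    default_gateway: str
    # L2 OOB: the CAS is physically between the host and its default gateway,
    # so every packet the agent sends crosses it.
    inline_cas: bool
    # L3 OOB: destinations whose traffic the site's ACL/routing steers through
    # the central CAS (assumption: the ACL matches on destination address).
    routed_via_cas: set = field(default_factory=set)


# Constructed topology mirroring the thread: regional offices in L2 OOB with
# a local CAS, small offices in L3 OOB redirecting only CAS-bound traffic.
SITES = {
    "regional": Site("regional", "L2_OOB", "192.168.10.1", inline_cas=True),
    "small": Site("small", "L3_OOB", "192.168.20.1", inline_cas=False,
                  routed_via_cas={CENTRAL_CAS_IP}),
}


def discovery_targets(discovery_host: str, site: Site) -> list:
    """Addresses the agent probes: the configured discovery host plus the default gateway."""
    return [discovery_host, site.default_gateway]


def probe_crosses_cas(dst: str, site: Site) -> bool:
    """True when a probe to dst from this site passes through a NAC Server.

    The reply only has to be triggered by the CAS seeing the packet; whether the
    destination itself is reachable afterwards does not matter.
    """
    if site.inline_cas:
        return True                # L2 OOB: CAS intercepts everything
    return dst in site.routed_via_cas


def discovery_succeeds(discovery_host: str, site: Site) -> bool:
    """Discovery works if any of the probed addresses crosses a CAS."""
    return any(probe_crosses_cas(t, site) for t in discovery_targets(discovery_host, site))


def evaluate(discovery_host: str, sites: dict = SITES) -> dict:
    """Map each site name to whether discovery would succeed with this discovery host."""
    return {name: discovery_succeeds(discovery_host, site) for name, site in sites.items()}


if __name__ == "__main__":
    for candidate, label in ((CENTRAL_CAS_IP, "central CAS IP"), (NAC_MANAGER_IP, "NAC Manager IP")):
        print(f"Discovery host = {label} ({candidate}): {evaluate(candidate)}")
```

Running it reports that the regional (L2 OOB) site succeeds with either address, while the small (L3 OOB) site succeeds only when the discovery host is an address the ACL actually steers through the central CAS, which is the distinction both replies make.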
