Advocate

Re: NAC Out of band deployment problem

Hi,

Can you please post a screenshot of the interface settings from the UI? Also, is the CAS running in VMware as well?

Thanks,

Tarik Admani
*Please rate helpful posts*
Beginner

Re: NAC Out of band deployment problem

Dear Tarik Admani,

If you mean the IP configuration of the CAS and CAM, I have sent it to you as an attachment.

Yes, both the NAC Manager and the NAC Server are installed on ESX 4.1.

Best regards,

Beginner

Re: NAC Out of band deployment problem

Dear Tarik Admani,

Could you please do me a favor and skim this document? It is for NAC 4.9 and it says clearly that your DG must be the SVI:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_deploy.html

Thanks,

Beginner

Re: NAC Out of band deployment problem

Dear Admani,

When I changed the client's gateway to the IP address of the SVI on the 3750, the client's ARP request was received by the 3750 and it sends the reply, but the problem is that the client does not receive these replies, and I do not know why this happens.

This is the output on the C3750:

(10.10.50.4 is the client IP in the untrusted part of the NAS and 10.10.50.1 is the SVI IP on the 3750)

23:02:23: IP ARP: rcvd req src 10.10.50.4 14da.e9af.9d22, dst 10.10.50.1 Vlan50

23:02:23: IP ARP: sent rep src 10.10.50.1 0013.1aeb.9748, dst 10.10.50.4 14da.e9af.9d22 Vlan50

thanks,

Advocate

NAC Out of band deployment problem

At this point there is much we can do when it comes to troubleshooting this setup, because of the fact that you are using VMware in order to simulate the CAS appliance. It will be much easier to go with ISE since you are using this in your test lab anyway. You can achieve all the same features using RADIUS over SNMP for OOB management of clients, and the ACLs are much easier to manage and deploy for temporary network access, etc. ISE also comes with a 90-day in the ISO, so that should get you going.

Thanks,

Tarik Admani
*Please rate helpful posts*
Beginner

Re: NAC Out of band deployment problem

Dear Admani,

Thank you for your reply.

Do you think the problem is caused by the ESX server?

When the client passes all the posture assessments correctly (and is not placed in the temporary role), everything works great, but when it fails the problem starts.

Thanks,

Advocate

Re: NAC Out of band deployment problem

It's hard to tell; it seems as if you have everything set up correctly. One assumption I made is that all traffic is allowed from trusted to untrusted. If you state that the traffic works fine if the client passes all the checks, then your next option is to test the traffic in the reverse direction. In the screenshot that you posted for the temporary role, where you were allowing all TCP and UDP traffic, can you drop the box down so that the path shows trusted > untrusted and make sure that all traffic is allowed?

Thanks,

Tarik Admani
*Please rate helpful posts*
Beginner

Re: NAC Out of band deployment problem

Dear Tarik Admani,

Yes, I checked it; everything is allowed from both directions.

It is so strange why my clients cannot get the ARP response from their default gateway. The C3750 responds to the request in the corresponding VLAN, but the response fades after that.

Thanks,

Advocate

Re: NAC Out of band deployment problem

Were you able to validate by running a packet capture, or did you use arp -a on the client end to see that the ARP entry was incomplete? I would try to remove the rules and re-enter the rules again.

Thanks,

Tarik Admani
*Please rate helpful posts*
Beginner

Re: NAC Out of band deployment problem

I am running Wireshark on the client and see that the client sends a broadcast ARP request periodically to find the MAC of the DG, and I also see that the SVI on the 3750 answers these requests with the MAC address of int Vlan 50, but after that I do not know what happens. It does not get to the client.

thanks,

Advocate

NAC Out of band deployment problem

One more item to check, and this is basic: when the client fails the requirement, are they being placed in the temporary role? Also, can you make sure that you have configured any traffic policies on the local CAS? Here is a guide that will show you this setting: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_trfpol.html#wp1040154

Thanks,

Tarik Admani
*Please rate helpful posts*
Beginner

Re: NAC Out of band deployment problem

Yes, I checked it via Monitoring > Reporting, and it said that the user successfully logged in to the temporary role. I created a permit-all rule in the local policy, but the result is the same.

Yesterday I changed the DG of my client to the SVI, and after that I defined the ARP entry for the DG under CCA Servers > Advanced > ARP and added the ARP entry for my DG on the untrusted interface. Then the NAC agent on the client popped up. Now when the client sends an ARP request for its DG, the CAS responds to it with its untrusted interface MAC address and the SVI IP address.

I do not know whether this is normal behavior or not.

Thanks
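
The check the thread keeps circling back to (the switch's debug arp output on one side, the client's Wireshark capture on the other, and in the last post a reply for the gateway IP coming from the CAS's untrusted MAC rather than the SVI's) can be made mechanical. The Python script below is an added example, not code from the thread or from Cisco. It parses the IOS debug arp lines quoted earlier in the thread and client-side lines written in the wording Wireshark uses in its ARP Info column ("Who has X? Tell Y", "X is at MAC"), then reports at which hop the gateway reply was lost, or whether a device other than the SVI answered for the gateway IP. The client-side sample lines, the tshark-style line layout, and the 00:0c:29:aa:bb:cc MAC standing in for the CAS untrusted interface are constructed assumptions; the switch debug lines are the ones posted in the thread.

```python
"""Correlate ARP events seen by a Cisco IOS switch (debug arp) with ARP events
seen by the client (Wireshark/tshark text) to localise a lost gateway reply.
Added example for the thread above; not Cisco's or the poster's code."""
import re

# IOS 'debug arp' lines as quoted in the thread. The reply line wraps in the
# post, so continuation lines starting with whitespace are joined first.
IOS_ARP_RE = re.compile(
    r"IP ARP: (?P<dir>rcvd|sent) (?P<kind>req|rep) "
    r"src (?P<sip>[\d.]+) (?P<smac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}),\s*"
    r"dst (?P<dip>[\d.]+)(?: (?P<dmac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}))? "
    r"(?P<vlan>Vlan\d+)"
)
# Client-side lines in Wireshark's ARP Info-column wording (assumed format).
CLIENT_REQ_RE = re.compile(r"Who has (?P<target>[\d.]+)\? Tell (?P<sender>[\d.]+)")
CLIENT_REP_RE = re.compile(r"(?P<ip>[\d.]+) is at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")

# Switch output: the two lines posted in the thread (reply line wrapped as posted).
SWITCH_DEBUG = """
23:02:23: IP ARP: rcvd req src 10.10.50.4 14da.e9af.9d22, dst 10.10.50.1 Vlan50
23:02:23: IP ARP: sent rep src 10.10.50.1 0013.1aeb.9748,
                 dst 10.10.50.4 14da.e9af.9d22 Vlan50
"""
# Constructed client captures: reply never arrives / correct reply / reply from
# a MAC that is not the SVI's (00:0c:29:... is a made-up stand-in for the CAS).
CLIENT_LOST = """
1 0.000000 14:da:e9:af:9d:22 -> ff:ff:ff:ff:ff:ff ARP Who has 10.10.50.1? Tell 10.10.50.4
2 1.000000 14:da:e9:af:9d:22 -> ff:ff:ff:ff:ff:ff ARP Who has 10.10.50.1? Tell 10.10.50.4
"""
CLIENT_OK = """
1 0.000000 14:da:e9:af:9d:22 -> ff:ff:ff:ff:ff:ff ARP Who has 10.10.50.1? Tell 10.10.50.4
2 0.000310 00:13:1a:eb:97:48 -> 14:da:e9:af:9d:22 ARP 10.10.50.1 is at 00:13:1a:eb:97:48
"""
CLIENT_OTHER_MAC = """
1 0.000000 14:da:e9:af:9d:22 -> ff:ff:ff:ff:ff:ff ARP Who has 10.10.50.1? Tell 10.10.50.4
2 0.000412 00:0c:29:aa:bb:cc -> 14:da:e9:af:9d:22 ARP 10.10.50.1 is at 00:0c:29:aa:bb:cc
"""


def norm_mac(mac):
    """Reduce Cisco dotted (0013.1aeb.9748) or colon form to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def join_wrapped(lines):
    """Glue indented continuation lines onto the preceding debug line."""
    out = []
    for line in lines:
        if line[:1].isspace() and out:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        elif line.strip():
            out.append(line.strip())
    return out


def parse_switch(text):
    return [m.groupdict() for line in join_wrapped(text.splitlines())
            for m in [IOS_ARP_RE.search(line)] if m]


def parse_client(text):
    reqs, reps = [], []
    for line in text.splitlines():
        m = CLIENT_REQ_RE.search(line)
        if m:
            reqs.append(m.groupdict())
            continue
        m = CLIENT_REP_RE.search(line)
        if m:
            reps.append({"ip": m["ip"], "mac": norm_mac(m["mac"])})
    return reqs, reps


def diagnose(switch_text, client_text, gateway_ip, client_ip):
    """Return finding strings describing where gateway ARP resolution breaks."""
    sw = parse_switch(switch_text)
    creq, crep = parse_client(client_text)
    client_asked = any(r["target"] == gateway_ip and r["sender"] == client_ip for r in creq)
    sw_got_req = any(e["dir"] == "rcvd" and e["kind"] == "req"
                     and e["sip"] == client_ip and e["dip"] == gateway_ip for e in sw)
    sw_replies = [e for e in sw if e["dir"] == "sent" and e["kind"] == "rep"
                  and e["sip"] == gateway_ip and e["dip"] == client_ip]
    client_got = [r for r in crep if r["ip"] == gateway_ip]
    if not client_asked:
        return ["client never sent an ARP request for the gateway"]
    if not sw_got_req:
        return ["request left the client but the SVI never saw it (lost before the switch)"]
    if not sw_replies:
        return ["SVI saw the request but sent no reply"]
    if not client_got:
        return ["SVI sent a reply but the client never received it (lost on the return path)"]
    svi_macs = {norm_mac(e["smac"]) for e in sw_replies}
    findings = ["client received a reply for %s from MAC %s, which is not the SVI's MAC (%s)"
                % (gateway_ip, r["mac"], ", ".join(sorted(svi_macs)))
                for r in client_got if r["mac"] not in svi_macs]
    return findings or ["ARP resolution of the gateway is consistent end to end"]


if __name__ == "__main__":
    for name, cap in (("lost", CLIENT_LOST), ("ok", CLIENT_OK), ("other", CLIENT_OTHER_MAC)):
        print(name, diagnose(SWITCH_DEBUG, cap, "10.10.50.1", "10.10.50.4"))
```

Run it with the two captures saved as text and the IPs of your client and SVI; the "lost on the return path" finding is exactly the symptom described above, and the "not the SVI's MAC" finding is what the last post describes after adding the ARP entry on the CAS untrusted interface, which is worth confirming against the CAS's actual untrusted MAC before treating it as normal.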