cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
312
Views
0
Helpful
3
Replies

Problem With Clean Access in L3 OOB

mnlatif
Level 3
Level 3

Hi,

We are testing Clean Access in L3-OOB mode. The Users are at a remote site behind a 3845 Router. This remote site connects to the central site through a WAN\VPN Link.

CAS is hosted at the Central Site. We have the VRF\PBR setup correctly and the communication is working between the Remote Un-Authenticated Hosts (In Auth VLAN) and the CAS. They can also ping the CAS.

The problem is with DNS (Or any traffic that is supposed to be forwarded by the CAS on the behalf of the Remote Users.

SetUp is similar to below

PC-->Rt2(Remote)<--WAN-->Rt1-->CAS-->Trusted Network(DNS Servers etc)

I sniffed Packets on both the Un-Trusted and Trusted Interface when the Remote Client issues a DNS Query with the below results

Packet on Un-Trusted Interface:

Source MAC --> Rt1 Interface MAC (Interface towards CAS)

Dst MAC --> Un-Trusted CAS Interface

2. Packet "leaving" trusted Interface (i.e. DNS packet forwarded by CAS)

Source MAC --> Rt1 Interface MAC (Interface towards CAS)

Dst MAC --> Un-Trusted CAS Interface

i.e. NO Change in the Source\Dst MAC...!

So it seems that CAS forwards the Packet without even changing the Source\Dst MAC. I know that it is not supposed to change the Source\Dst IP but since it doesn't even change the Dst MAC, so no Device on the Trusted Site Picks up the packet.

What is going on ?

Just as a side note the communication between the PC and CAS itself (over the un-trusted interface) is Working fine and PC can even get to the Re-direct\Auth Page on the CAS (Ofcourse I have to type the IP in the URL since DNS doesn't work)

Thanks,

Naman

1 Accepted Solution

Accepted Solutions

Hi Naman -

I believe you should update the User Page with the new provider that you have setup. This should affect both clientless and CCA users.

CAM --> Administration --> User Pages --> Edit

Check off Provider Label (which you already may have done) and Check off your Available Provider, which should include the Radius Server you want to use.

If you want to simply use the Radius, then just change the Default Provider.

Let us know if this helps,

peter

View solution in original post

3 Replies 3

pcomeaux
Cisco Employee
Cisco Employee

Hi Naman -

How is the CAS configured in the CAM when you click on Clean Access Servers? i.e. What role?

thxs

peter

Hi Peter,

It is configured as "Out-of-Band Virtual Gateway ".

However i was able to fix the problem by assuming that this is the way, it is supposed to work.

In the problem configuration i had the default route on Rt1 (For CAS bound traffic) pointing towards the IP Address of the Untrusted CAS interface.

I changed this to an IP address available on the Trusted Site of the CAS (i.e. a Router that connects the CAS to the trusted Network e.g. DNS Servers etc). Since CAS transparently forwards packets\ARP from Un-trusted to Trusted, so this seems to be working now.

However I do have another question. When using CCA Agent, we want to used a Secure ACS Server as the Authentication Database. I added this ACS Server as a "RADIUS Server" in CAM-->Auth Servers. And also successfully ran a Auth Test.

However somehow this option does Not appear on the CCA Agent on the Users PCs (It only has "LocalDB" as the only option.

Any ideas ?

Thanks,

Naman

Hi Naman -

I believe you should update the User Page with the new provider that you have setup. This should affect both clientless and CCA users.

CAM --> Administration --> User Pages --> Edit

Check off Provider Label (which you already may have done) and Check off your Available Provider, which should include the Radius Server you want to use.

If you want to simply use the Radius, then just change the Default Provider.

Let us know if this helps,

peter

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: