ASK THE EXPERT -DEPLOYING AND TROUBLESHOOTING NAC APPLIANCE

Unanswered Question
Jul 27th, 2007
User Badges:
  • Gold, 750 points or more

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Syed Ghayur how to configure the Network Admission Control appliance in different modes and troubleshoot the various configurations. Syed is a technical marketing engineer in the product marketing team for the Cisco Network Access Control (NAC) Appliance. He also works on global scalability of the product, documentation, partner training, and system engineer trainings. In addition, he works closely with the Cisco Technical Assistance Center (TAC) to resolve complex issues and product related bugs. Syed started his career in Cisco as an intern in CALO labs.


Remember to use the rating system to let Syed know if you have received an adequate response.


Syed might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 10, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.8 (3 ratings)
Loading.
edwardwaithaka Fri, 07/27/2007 - 11:57
User Badges:

Hello,


I have successfully configured 2xCAM appliances and 2xCAS appliances in High avalability. Everything is working fine apart from "Traffic Controll". I have the following problem;


1. I have created a "Guest Role" under "Normal Login Role Type". I have tried to apply "IP Policies" to limit the guest user only to the internet (and deny access to network resources such as servers) but they dont work.


PROBLEM: When I click on the "Guest access" button on the web login page, the Guest user ends up having total access to the newtork & internet.


2. I have created a "Normal User Role" based on the "Normal Login Role Type". Basically, all users in this role should have full access to both network & internet but after being scanned using the CCA Agent.


PROBLEM: When a Normal User logs in through the web, he doent get scanned and goes directly to the network. I have made the CCA agent compulsory for Normal Users but it doesnt seem to be enforced.


NB:

- Users browse through a Squid web proxy on port 8080.

- I have done everything to the book/manual.


What am I doing wrong or right? How can I resolve the "Traffic Control" issues so as to give guests just internet and to give other users all rights but through CCA Agent.


How can I map Active Directory users to the "Normal User Role" based on the AD User Groups (Organizational Units/OU)?

I am using LDAP Auth Type connection to Windows AD 2K3.


Edward W.

sebastan_bach Fri, 07/27/2007 - 13:06
User Badges:

hi am new to cisco nac. i would to know for deploying nac solution how many nac appliances i need to buy.


what is the minimum license we get with the appliance. or do we have to buy the license seperate .


regards


sebastan

gghayur Sun, 07/29/2007 - 22:39
User Badges:

Sebastan,


For General Information on NAC, please visit


www.cisco.com/go/nac/appliance


We have a chalktalk series on NAC on this site and I would recomend you to go through Chalktalk 1 (Cisco NAC Appliance Foundation Concepts)which will help you understand Cisco NAC


http://www.cisco.com/en/US/products/ps6128/prod_presentation0900aecd80549168.html



Here is the ordering guide on NAC


http://www.cisco.com/en/US/products/ps6128/prod_bulletin0900aecd805d0358.html


You need a minimum of 1 Clean Access Server (CAS) and 1 Clean Access Manager (CAM) to test NAC in a lab environment.


Thanks,


Syed




raju.shrivastav... Fri, 08/10/2007 - 06:33
User Badges:

Hi Sebastan,


As per my knowlege, NAC is a process / service that runs on IPS. And if that is the case with you, it depends on how many devices you want to control that would determine the number of NAC you need.


Normally a single IPS with NAC running on it can control 10 interface on routers / switches (or PIX if using shun).


Let me know if this solves your querry.


thx

raju shrivastav ([email protected])

Raymond Aragon Sat, 07/28/2007 - 09:42
User Badges:

Edward,


Can you elaborate on your setup? L2 Virtual Gaetway or L3 RealIP Out of band (there are more combinations I am just listing 2 examples)?


This will help aide the troubleshooting effort.

As it is the weekend, you may not get another post, so if you have a chance check out the Chalk and Talk on the NAC appliace product page:

http://www.cisco.com/en/US/products/ps6128/prod_presentation0900aecd80549168.html


The NAC chalk and Talks are some of the best VoDs on the Cisco site!


Regards,


Ray



edwardwaithaka Sun, 07/29/2007 - 02:51
User Badges:

Hi Ray,


My setup is: OOB+VG

From the Chalk-Talks, I have seen that OOB doesn't support traffic control using the ACLs.

Now that OOB can't support ACLs, I am planning to use VACLs on the core switch. My only challenge is dynamically assigning VLANs to user roles.

From the Auth Server(LDAP)->Mapping Rules, I have created a rule+condition to map users coming from Access VLAN 20 to a Role called "Guest Role". Under User Roles->Guest Role, I have configured the "*Out-of-Band User Role VLAN" as VLAN ID: 20.

When I test the Auth, the test user ends up in the "Auth Server->Default Role" Role. which is different from the Guest Role.

I would like to assign guests (created on Active Directory LDAP not local users) to be thrown to a guest vlan which doesnt have access to the servers. I will use the same scenario to map different users to different vlans based on the 802.1q tags.


Any pointers?

Thanks.



gghayur Sun, 07/29/2007 - 22:21
User Badges:

Hi Edward,


1. I am assuming this is an InBand setup. Couple of things to check here:

a. Make sure the user is logged into the Guest Role

b. If you have restricted only IP policies for the Guest Role, you should check host policies too. Those policies might be allowing the traffic

c. Sometimes, the traffic is not actually passing through the CAS. The way to verify is to block all the traffic in the Guest Role and then test the end user.


2. Under Device Management > Clean Access > General Setup > Agent Login, Select "Window ALL" for operating system and then check the box stating

"Use 'ALL' settings for the WINDOWS OS family if no version-specific settings are specified "


This will fix your Agent requirement for Normal users.


3. You can use role mapping to put the user in a specific ROLE according to the ldap attribute. Please see the link below for the chalk talk 8 on this subject.


http://www.cisco.com/en/US/products/ps6128/prod_presentation0900aecd80549168.html


Let me know if this helps,


Thanks,


Syed




edwardwaithaka Mon, 07/30/2007 - 01:38
User Badges:

Hi Syed,


My set up is OOB+VG.

I managed to resolve the Agent requirement. I saw in the chalk talks that OOB doesnt support ACLs in Normal Login Mode.

edwardwaithaka Mon, 07/30/2007 - 01:44
User Badges:

Packet received with my own MAC address (00:0A:B8:B0:6D:3F) as source on port Gi3/24 in vlan 230


I receive the above warning in my setup (OOB+VG). Gi3/24 is the untrusted interface on the CAS and VLAN 230 is the Auth/Untrusted vlan for VLAN 30 (trusted). According to this link

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a008063c36f.shtml

It seems I have a Spanning tree loop.

I have configured VLAN Mapping & Subnet Management for VLAN30/230. I still dont know why it says there is a loop. Users on VLAN 30 get an error "Could not parse server response" from the Cisco Clean Access Agent. Users on other VLANs connect well. What could be the problem?

gghayur Mon, 07/30/2007 - 12:25
User Badges:

Hi Edward,


This is only warning message. You are not subjected to spanning tree loop. It is ok to have same MAC address learned on two different ports as long as the ports are in different vlans.

Can you check the certificate on the CAS for the other problem you reported on the Agent. If you are using Name in the certificate for the CAS, it should be resolvable by DNS.


Thanks,

-Syed

edwardwaithaka Tue, 07/31/2007 - 22:04
User Badges:

Hi Syed,


See the picture I have attached for the error message I am getting. It only happens on some machines in the network as others are authenticating well. The same machines that are failing can ping the CAS service ip so I am wondering why they cant communicate with the CAS. I am using IP address for the certificate.


Another pending issue is that I cant create "Source VLAN Role mappings" using Active Directory LDAP Auth Server. LDAP Attribute role mappings are working though. My setup still remains OOB+VG.


If I sort these 2 issues, then I can say my NAC deployment is good 2 go.


Rgs,

Edward W.




gghayur Tue, 07/31/2007 - 23:00
User Badges:

For the first issue,

Please turn on the agent debug. See the link below for the steps to enable the debugging.


http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca411/411rn.htm#wp113880


Send me the agent logs from the machine which is having the problem. Also, make sure that the Managed subnet is configured correctly for the unauth vlan.


For the second issue, Can you go through this link

http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a0080846d7a.shtml


Thanks,


-Syed



edwardwaithaka Thu, 08/02/2007 - 22:15
User Badges:

See the attached events.log file. I tried to have a look but it doesnt make sense to me.


For the second issue, I had gone through that tech note but still couldnt create the auth mappings.



gghayur Sun, 08/05/2007 - 23:06
User Badges:

Hi Edward,


Sorry for not responding early. I missed the notification on your response. I have gone through the logs but the debug level is NOT turned on which will help me narrow down the issue.

Can you confirm that the registery key is created under

HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\


Also, you have to exit out the agent from the system tray and restart the agent after enable the key. Here is the link with all the info on the log level of the CCA agent.


http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca411/411rn.htm#wp113880


Thanks,


Syed


edwardwaithaka Wed, 08/08/2007 - 02:58
User Badges:

Hi Syed,


Find attached the updated log file. If possible, kindly guide me how to go through the CCA debug logs, they seem to be encrypted??.



Attachment: 
gghayur Wed, 08/08/2007 - 20:10
User Badges:

Hi Edward,


The event logs are encrypted. They are only used when troubleshooting with TAC. The logs are showing that the SSL communication with CAS is broken. We are not receiving the HTTPS response from CAS. The issue could be attributed to network conntectivity OR you can also clear the SSL state (tools>option>Content)on the client machine and try to logon again.



edwardwaithaka Wed, 08/08/2007 - 23:45
User Badges:

Hi Syed,


I will try and clear the SSL state and get back to you. I have seen this link and I hope it is what you mean.

http://www.auburn.edu/oit/security_center/browsers/ht_clearing_ssl_state.php


Like I had told you, the client machines can actually ping the CAS so I don't think it is a network issue, not unless it is intermittent. The funny this is that, like on my laptop I can login when in one VLAN (e.g. VLAN20) but when I connect the laptop on specifically VLAN30, I get the error ... strange. But still, some laptops on the same VLAN30 can connect without a problem.


I am hoping you will be around after 10th :o)

gghayur Wed, 08/08/2007 - 21:42
User Badges:

Ed,


One more thing to check is whether you can communicate to the DNS server on the machine where you are seeing this issue.


Thanks,


Syed

goodman_nu Sun, 07/29/2007 - 07:45
User Badges:

i have configure pix 506 for remote vpn, every thing is ok but when i try to connected clinet i am not able to access any thing neither internet nor remote server. but i am getting ip from pix.

gghayur Mon, 07/30/2007 - 07:51
User Badges:


This forum is specifically on Cisco NAC. Please post your question on Pix/ASA security forum.


From your problem description, it looks like you are missing appropiate NAT 0 statement.

ssanchez11 Sun, 07/29/2007 - 12:34
User Badges:

My company is looking to implement the ASA 5500 UTM appliance, along with the MARS and CSA appliance and software. my questions is as follows. we currently have the pix 515E In place, would we need to deploy the ASA 5500 UTM for MARS and CSA to function correctly or for them to perform adequately?


thanks

SS

mrodriguezm Tue, 07/31/2007 - 15:40
User Badges:

Hi Ghayur,


I am using CCA (single CAS/CAM) in Inband VG mode. The CAS has the two interfaces attached to a 3560, CAM has the interface to the 3560. Two 3560 are used in high-availibility using HSRP. Everything seems work ok, but, the browser page is not displayed to download the CAA when I opened the explorer, so, I installed CAA manually.

The evaluation installation worked well when I tested in NAT VG Inband.

Worst of that, when the CAA is updated to 4.1.2.0(update mandatory is set), it is downloaded and try to install the update, but this is not completed (an error telling the version CCAAgent4.1.1.0 it is not found in a tempoal directory).


Thank you very much.

gghayur Tue, 07/31/2007 - 20:37
User Badges:


Couple of things to check.


1. Do you have admin rights on the end user machine ?


2. If you uninstall 4.1.1 agent and try to download the 4.1.2 from CAM, does it work?


-Syed


sathappan Wed, 08/01/2007 - 01:21
User Badges:

Hi ghayur,


I have already done two installations with NAC 4.0.1. everthing works fine. I have upgraded them to NAC 4.1.1 and there is no problem at all.


I am trying to install another NAC appliance with4.1.1 and this time I am facing the problem in the page redirection itself. the page redirection doesnt happen.


Is there any special thing needs to be configured for NAC 4.1.1


with thanks

sathappan.s

gghayur Wed, 08/01/2007 - 13:28
User Badges:

Hi Sathappan,


What type of deployment it is ? IB/OB L2/L3. Also, the CAS certificate was generated with IP or CAS Name. If this was generated with name, you should be able resolve the name on the end user machine. For that you have to make sure that the DNS traffic is allowed in un-authenticated Role.


Thanks,


Syed


mrodriguezm Wed, 08/01/2007 - 06:55
User Badges:

1) Yes, I have admin rights on the user machine.

2) I unistalled 4.1.1 agent and the redirection page does not happen. I installed manually the 4.1.2 Agent.

gghayur Wed, 08/01/2007 - 14:44
User Badges:

In the CAS, the agent file is stored at

/perfigo/access/apache/www/perfigo_download/


You can verify whether the agent file is present there or not.


Also, on the CAS cli,

cd /perfigo/logs

tail -f perfigo-redirects-log0.log.0


Open the browser to redirect web traffic and see the message you get in the logs. This will help understand the issue.


Also, you want to check the certificate. if it is name based cert then you want to allow DNS in unauthenticated Role.

mrodriguezm Sat, 08/04/2007 - 20:10
User Badges:

Hi Syed,


I have been reviewed the files on the CAS and test for open directley the page from the client (the page is not redirected automatically).


I reinstalled the CAS. In the attachment I put the files and the log file. I dont know if there is something wrong with the message on the log file, the CAM ip address is 192.168.100.24.


If I browse the CAS (http:/192.168.50.24) the redirected page shown is on the LOGIN file. Once authentified, the page shown on the DOWNLOAD CCA file is displayed. If I install from this page the CAA, I can upgrade without problem form version 4.1.1.0 to 4.1.2.0 (the second issue).


The distribuion page on the CAM is show on the CCA DISTRIBUTION file.


Best regards.


Manuel



mrodriguezm Mon, 08/06/2007 - 10:16
User Badges:

Hi Syed,


have you had a chance to review the page redirect problem ?


Is there any information missing ?


Thank you in advance.


Manuel.

gghayur Mon, 08/06/2007 - 19:06
User Badges:

Manuel,


Thanks for providing the information. Two more things which you can confirm.


1) Managed Subnet on the CAS configured ?

2) In unauthenticated ROLE, only the DNS traffic is allowed and rest of the traffic is blocked.


If both are true and you are still having problem then I would recommend you to open a tac case where an engineer can assist you via webconference to do realtime troubleshooting. He will engage me if escalation is required.


Thanks,


Syed

WatsonBob Wed, 08/01/2007 - 11:28
User Badges:

Hello Syed -


I am trying to get AD/SSO authnetication running on an HA pair of nac CAS appliances managed by a pair of HA CAMs. I am running RealIP/OOB. SSO starts OK. When I logon the client the CCA "Performing Windows Domain automatic logon ..." screen appears. After 20 seconds or so the agent presents me with the regular "enter your user credentials" screen. Kerbtray does NOT show an ST for ccasso. How do I troubleshoot this?


-Bob




gghayur Wed, 08/01/2007 - 13:39
User Badges:

Hi Bob,


If kerbtray doesn't have Service ticket for CAS, then most probably you are not login into the domain.


One way you can verify is put this command on CLI "net time /set". The result will tell you whether you are logged into the domain or not.


Check the policies on the unauthenticated ROLE to allow the access to domain controller.


Thanks,


Syed

jstratem Wed, 08/01/2007 - 15:19
User Badges:

What is the recommended deployement model for NAC when I have approx 1000 users on the access layer coming to the Core via 10-gig.

Will one 3350 in OOB mode work or should I use a CSS to try and split the load to 2 or 3 boxes?

mkaegler Thu, 08/02/2007 - 12:32
User Badges:

We're setting up NAC with a few HA pairs. Our "A" machines are in the datacenter with gigabit connections and our "B" machines are in one of our better outfitted lanrooms with 100mbit connections.

Without a way to set a superior priority on the "A" machines, how can we be sure that our service does not suffer in the event our "A" servers blink? We'd be running on our "B" servers (on the slower 100mbit links) with our gigabit "A" servers sitting idle.


Second, we can take manually take snapshots and download those files, but we have external programs using the HTTP API constantly updating things. We'd really like to have a way to automate this snapshot/backup procedure. Any tips?


TIA!

gghayur Thu, 08/02/2007 - 14:44
User Badges:

Hi,


for first question, can you give some more detail. Is your setup L2/L3, IB/OOB?

Assuming that its L3 OOB, you are trying to see how to make the traffic go through the backup site if the primary site is down ?


For 2nd issue, we have a script /perfigo/control/bin/pg_backup on the CAM, that takes the database snapshot and backs it up on to another server using ftp.

You can setup a cron job to run this script on a regular basis and this way get regular copies of the backups

Script is executed as ./pg_backup Username Password

The script used Postgres's pg_dump utility to create an instant database snapshot and then export it to the FTP server.

This snapshot is essentially the same as what you would create manually using the GUI.

Cron job can be set to run this everyday and you should be all set.


Thanks,


Syed



mkaegler Thu, 08/02/2007 - 18:15
User Badges:

Thanks for your reply!


As to the first (HA) question, we're running the wired network in L3 OOB, but my cheif concern is for the wireless, in IB. Let me rephrase the question, hopefully its clearer:

If our first CAS (with gigabit connections) fails over to our second CAS (100mbit), when the first CAS recovers, how do we move the users from the second (slower) CAS back to the first? Do we manually reboot the second? (Again, for OOB users, 100mbit is fine. For IB wireless users, it may not be.)


For the second question; your pg_backup script is much what I was hoping to find. Will this back up all the CAM's other settings (or, I suppose the question is more "are all the CAM settings kept in postgres")?


I hope you don't mind me piling on a third question! For the wired (l3/oob) setup we're planning on using dynamic vlans... freshmen get their own vlan, faculty another, etc... We can key on LDAP attributes. Perfect. But we also have a bunch of non-nac-capable devices (access control, facilities management, wireless APs...). For management, I had planned on developing a purpose built application which hooks the HTTP API to addcleanmac these devices, but theres no way in the API to specify which vlan to put those devices into. (As you can imagine, we require that the campus money card readers must be in a different vlan than the student tivos!)

How can I get non-nac-capable devices into different vlans?

gghayur Fri, 08/03/2007 - 10:37
User Badges:

Hi,


Thanks for the detail explaination of your setup.


1) You have to manually reboot the box second (slower) CAS to make the first one active.


2) Yes. It will backup all the CAM settings.


3) When you add those devices in the filter, you have the option to associate them to a particular Role. This role can have the VLAN information.


Thanks,


Syed



vannostrandre Fri, 08/03/2007 - 08:18
User Badges:

I am integrating Wireless with LWAPP behind Clean Access (In-Band). The WLCs put users behind CCA and all is good. When WAPs are behind Clean Access and DHCP option 43 is used to provide the the WLC list, there is no easy way to configure the DHCP option on the CAS.


After messing around with the configuration in a lab, I was able to accomplish the job by doing something very tricky. I put the WLC list into a spreadsheet to convert the numbers to string values. I then put a string that looks like this "???>???" that ends up providing the hex value that is needed by the WAP. Hex F108C0A8043EC0A8043F refers to 192.168.4.62 and 192.168.4.63.


It would be nice if the CAS had a HEX selection to fill in for use with the wireless solution. If there is an easier way in the current version of Clean Access (4.1.1), can you please provide that information.


Thanks, Rob V

gghayur Fri, 08/03/2007 - 09:33
User Badges:

Hi Rob,


You can also put IP address in the CAS with custom DHCP options. Here the steps to accomplish this.


Go to Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Options.


Click the Enable button (User-Specified DHCP Options).


Click the New Option link for the Root Global Option List.


Type 43 in the ID field.


Select IP-Address from the Type dropdown menu.


Click the Create Custom Option button.


Let me know if this helps.


Thanks,


Syed

balsheikh Sat, 08/04/2007 - 19:54
User Badges:

Hi Syed,


I had a NAC appliance running in L2 VGW mode, SSO had been configured and worked perfectly ONLY (checking for Windows & antivirus updates) for users with administrative privilege credentials resided on AD.

Once I created a user as a member of my local domain with user privilege he wasn?t able to fetch the patches and execute it on the machine.


Any suggestion !!


Regards,

Belal


gghayur Sun, 08/05/2007 - 19:53
User Badges:

Hi Belal,


When in temporary role, we allow the user to fetch the AV/AS patch but the user needs necessary privileges to install the patch which is independent of NAC.

As far as the Clean Access Agent installation is concerned without Admin Privileges, we give the option to pre-install Clean Access Agent Stub. Please see the link for more info on CCA Stub.


http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_agntd.html#wp1234900


Let me know if this helps,


Thanks,


Syed

wiluszm Sat, 08/04/2007 - 22:42
User Badges:
  • Bronze, 100 points or more

Syed,


Is it possible to use the CAS as a DHCP server in L3 OOB (R/IP GW) mode. We'll point our Cisco routers to the CAS for DHCP lookups. In trying to set this up, the CAS is stating we need to build in managed subnets first. This shouldn't be necessary as that only affect L2 setups. Can we use our CAS in the above mode for DHCP? Thanks in advance.


-Mike

gghayur Sun, 08/05/2007 - 19:17
User Badges:

Hi Mike,


Yes. You can use the DHCP server option of the CAS when in R/IP Gateway mode. This is one of the advantages of using RealIP GW mode vs. Virtual GW. However, allocated addresses must fall within the ranges specified to be managed by the CAS.

This can be either:


?The address space of its untrusted interface managed network (set in the Network> IP page)

?A managed subnet specified in the Managed Subnet form of the Advanced tab


If you try to create an address pool from a subnet that is not managed, an error message notifying you of the condition appears in the admin console and the pool is not created.


Thanks,


Syed

wiluszm Mon, 08/06/2007 - 05:10
User Badges:
  • Bronze, 100 points or more

Syed,


The issue we're running into is that the CAS is in L3 mode. Once we start to add managed subnets (we're adding the AUTH and ACCESS subnets to be managed), our L3 OOB users stop receiving agent popups to login. Is this a mis-configuration on our side? Thanks for the help.


-Mike

sathappan Mon, 08/06/2007 - 06:00
User Badges:

Hi Syed,


I am trying a L2 OOB NAC deployment and I am running ver 4.1.1. The problem is I am not getting the page redirection.


I have the following things in place.

1. I have an untrusted vlan for the trusted vlan

2. I have managed subnets configured.

3. I have Vlan Mapping.

4. I have created the SSL certificate using the IP address.


can you suggest me what is the reason, I am not getting the page redirected.


with thanks

sathappan.s

gghayur Mon, 08/06/2007 - 10:09
User Badges:

Sathappan,


Couple of things to check:


1) Try to reach the IP address of the CAS directly and see if you can get to redirect page.


2) Confirm that all the traffic is hitting the CAS. Check the output of the logs on the CAS to confirm

cd /perfigo/logs

tail -f perfigo-redirects-log0.log.0


3) Confirm Auth VLAN doesn't have an SVI on the switch


Let me know the results.


Thanks,


Syed


sathappan Tue, 08/07/2007 - 01:16
User Badges:

Hi Syed,


Thanks for the reply.

1. I can reach the CAS IP directly and I can go to the CAS page.

2. The client is changed from access VLAN to auth VLAN.

3. The SVI for the auth VLAN is not created on the switch.


what else I need to do?


with thanks

sathappan.s

Actions

This Discussion