NAC Host-Based Policies Issue

Unanswered Question
Apr 30th, 2008

Hi

I have a problem... when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and a security message is displayed, but when I add the web IP the users can access it.... The NAC is working on Real-IP Layer 3...

thanks for your help

asaldanab Thu, 05/01/2008 - 14:40

yes... I did it... :(

but it's a default trusted DNS policy... permit to all DNS servers UDP port 53... is it correct? or will I type the IP address of my DNS manually?

cleidh_mor Fri, 05/02/2008 - 01:03

No that's fine, as long as that rule applies to the role of the PC.

Try an nslookup on the PC. What's the output?

>nslookup www.cisco.com

asaldanab Wed, 05/07/2008 - 07:40

hi...

at the moment I'm not in the company... next Friday I will try

thanks a lot!

ramkumar-b Wed, 05/07/2008 - 00:15

Are you using a proxy server in your network?

Try enabling Parse Proxy checkbox under

CCA Servers-->Filter--> Roles--> Allowed hosts.

Try putting proxy server IP address and port number under CCA Servers---> Advanced ---> Proxy

asaldanab Wed, 05/07/2008 - 07:42

hi

no... I don't have access to the internet by proxy server... I have a firewall

:(

the NAC server is working in Layer 3 Real-IP Gateway... when I put the IP address of the page, for example www.symantec.com, the users can access... but when I permit the access by host .symantec.com in all options like ends, contains, etc. they can't access...

asaldanab Wed, 05/14/2008 - 09:37

Hi

The result of the DNS lookup on the host is the following:

*** Can't find server name for address 172.16.48.253: Non-existent domain

*** Default servers are not available

Server: UnKnown

Address: 172.16.48.253

Non-authoritative answer:

Name: com.com.mx

Address: 74.52.164.242

Aliases: www.cisco.com.com.mx

The result of the nslookup on the CAS is the following:

[[email protected]-MTY ~]# nslookup www.cisco.com

Server: 172.16.48.253

Address: 172.16.48.253#53

Non-authoritative answer:

Name: www.cisco.com

Address: 198.133.219.25

Help me
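
An added check, not part of this thread, that parses the two nslookup outputs quoted above and flags when the client's resolver answered for a search-suffix-expanded name (www.cisco.com.com.mx) instead of the name that was queried; a host-based rule written for www.cisco.com cannot match an answer for a different name, which is the mismatch worth confirming before looking elsewhere. The sample outputs are copied from the post; the function names are mine.

```python
import re

# Constructed sample input: the nslookup output from the client PC quoted above.
CLIENT_NSLOOKUP = """*** Can't find server name for address 172.16.48.253: Non-existent domain
*** Default servers are not available
Server: UnKnown
Address: 172.16.48.253

Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
"""

# Constructed sample input: the nslookup output from the CAS quoted above.
CAS_NSLOOKUP = """Server: 172.16.48.253
Address: 172.16.48.253#53

Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
"""


def parse_nslookup(text):
    """Collect every name in the answer: the 'Name:' line and any 'Aliases:' entries."""
    names = []
    for line in text.splitlines():
        m = re.match(r"\s*(Name|Aliases):\s*(.+)", line)
        if m:
            # Windows nslookup separates aliases with commas; normalise case and trailing dot.
            names.extend(n.strip().rstrip(".").lower() for n in m.group(2).split(","))
    return names


def check_answer(queried, text):
    """Return (ok, detail): ok is True only when the answer is for the queried name itself."""
    q = queried.rstrip(".").lower()
    names = parse_nslookup(text)
    if q in names:
        return True, "answer is for %s" % q
    for n in names:
        # The queried name survives as a prefix with something appended: the resolver
        # applied a DNS search suffix and a wildcard zone answered for the longer name.
        if n.startswith(q + "."):
            return False, "resolver appended search suffix '%s' to %s" % (n[len(q):], q)
    return False, "no answer for %s (got %s)" % (q, names)


if __name__ == "__main__":
    for label, out in (("client", CLIENT_NSLOOKUP), ("CAS", CAS_NSLOOKUP)):
        print(label, check_answer("www.cisco.com", out))
```

Run on the two outputs, the CAS lookup passes and the client lookup reports the appended '.com.mx' suffix, so the client's DNS search list is the first thing to compare against what the CAS sees.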

asaldanab Fri, 05/16/2008 - 14:56

Additionally, I'd like to say that my configuration is Out-of-Band Real-IP Gateway. Does anybody know if there's a restriction on managing host-based policies?

Regards

gojericho0 Sun, 05/18/2008 - 05:10

That's how mine was set up as well and it should not make a difference. What happens if you try to allow 'all traffic' in your policy? Does it resolve then?

cleidh_mor Mon, 05/19/2008 - 01:21

Additionally, could you post a screenshot of your traffic policy and the output from an ipconfig /all on the client?

Thanks,
