NAC Host-Based Policies Issue

Unanswered Question
Apr 30th, 2008

Hi

I have a problem... when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and a security message is displayed, but when I add the web IP the users can access it... the NAC is working in real-IP layer 3...


thanks for your help


cleidh_mor Thu, 05/01/2008 - 05:47

Hi,


Have you allowed DNS traffic to a trusted DNS host?


Cheers,

asaldanab Thu, 05/01/2008 - 14:40

Yes... I did it... :(


But it's a default trusted DNS policy... permit to all DNS servers UDP port 53... is it correct? Or should I type the IP address of my DNS manually?

cleidh_mor Fri, 05/02/2008 - 01:03

No that's fine, as long as that rule applies to the role of the PC.


Try an nslookup on the PC. What's the output?


>nslookup www.cisco.com

asaldanab Wed, 05/07/2008 - 07:40

Hi...


At this moment I'm not in the company... next Friday I will try.


thanks a lot!

ramkumar-b Wed, 05/07/2008 - 00:15

Are you using a proxy server in your network?

Try enabling the Parse Proxy checkbox under CCA Servers-->Filter--> Roles--> Allowed hosts.


Try putting the proxy server IP address and port number under CCA Servers---> Advanced ---> Proxy

asaldanab Wed, 05/07/2008 - 07:42

Hi


No... I don't have access to the internet by proxy server... I have a firewall


:(


The NAC server is working in layer 3 real IP gateway... when I put the IP address of the page, for example www.symantec.com, the users can access it... but when I permit the access by host .symantec.com in all options like ends, contain, etc., they can't access it...



asaldanab Wed, 05/14/2008 - 09:37
User Badges:

Hi


The result of the dns lookup in the host is the next:

*** Can't find server name for address 172.16.48.253: Non-existent domain

*** Default servers are not available

Server: UnKnown

Address: 172.16.48.253


Non-authoritative answer:

Name: com.com.mx

Address: 74.52.164.242

Aliases: www.cisco.com.com.mx



The result of the nslookup on the CAS is the following:


[[email protected]-MTY ~]# nslookup www.cisco.com

Server: 172.16.48.253

Address: 172.16.48.253#53


Non-authoritative answer:

Name: www.cisco.com

Address: 198.133.219.25


Help me
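
The two lookups posted above return different answers for the same query. The following is an added example, not written by any poster in this thread: it parses both outputs (retyped below as constructed sample strings) and reports whether the client's answer is for the name that was queried and whether the client and the CAS received the same address. The function names are hypothetical.

```python
# Constructed from the two nslookup outputs posted above (client PC, then CAS).
CLIENT_OUT = """Server: UnKnown
Address: 172.16.48.253

Non-authoritative answer:
Name: com.com.mx
Address: 74.52.164.242
Aliases: www.cisco.com.com.mx
"""
CAS_OUT = """Server: 172.16.48.253
Address: 172.16.48.253#53

Non-authoritative answer:
Name: www.cisco.com
Address: 198.133.219.25
"""

def parse_answer(output):
    """Return (names, addresses) found in the answer part of nslookup output."""
    head, sep, answer = output.partition("answer:")
    if not sep:  # authoritative reply: skip the leading Server/Address block
        answer = output.split("\n\n", 1)[-1]
    names, addrs = set(), set()
    for line in answer.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("name", "aliases"):
            names.update(n.lower().rstrip(".") for n in value.split())
        elif key in ("address", "addresses") and value:
            addrs.add(value.split("#")[0])
    return names, addrs

def compare_lookups(query, client_out, cas_out):
    """List the ways the client's answer differs from the query and from the CAS."""
    query = query.lower().rstrip(".")
    c_names, c_addrs = parse_answer(client_out)
    _, s_addrs = parse_answer(cas_out)
    findings = []
    if query not in c_names:
        # Names that are the query with extra labels appended, e.g. a DNS suffix.
        extended = sorted(n for n in c_names if n.startswith(query + "."))
        findings.append(f"client answer is for {extended or sorted(c_names)}, not {query}")
    if not c_addrs & s_addrs:
        findings.append(f"client got {sorted(c_addrs)}, CAS got {sorted(s_addrs)}")
    return findings

if __name__ == "__main__":
    for finding in compare_lookups("www.cisco.com", CLIENT_OUT, CAS_OUT):
        print(finding)
```

On the posted data it reports that the client's answer is for www.cisco.com.com.mx rather than www.cisco.com, and that the client and the CAS received different addresses.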

asaldanab Fri, 05/16/2008 - 14:56

Additionally, I'd like to say that my configuration is Out-of-Band Real-IP Gateway. Does anybody know if there's a restriction to manage host-based policies?


Regards

gojericho0 Sun, 05/18/2008 - 05:10

That's how mine was set up as well and it should not make a difference. What happens if you try to allow 'all traffic' in your policy? Does it resolve then?

cleidh_mor Mon, 05/19/2008 - 01:21

Additionally, could you post a screenshot of your traffic policy and the output from an ipconfig /all on the client?


Thanks,
