NAC OOB VIRTUAL GW PROBLEM

jad.sadek
Level 1

Hi,

I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):

Switch: 3550 (ios 12.2(46) adv ip serv)

NAC 4130 appliances: v4.1.6 (also tried v4.5)

Switch configuration of the trunks to the CAS:

- int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)

- int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)

- SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)

The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:

- Login Page

- Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip, with trusted dns my dns server 192.168.99.1)

- Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)

- vlan mapping between untrusted vlan 100 and trusted vlan 10

- tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)

- also tried to access the cas' login page from the host, in vain, even though it is accessible from trusted subnets

Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.

I would be very thankful for any hints to help me solve this issue.

Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and is assigned an ip from the access vlan 10, shouldn't I be able to access the managed subnet, since I configured the ip traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's ip with "nslookup x.com", since dns traffic is configured by default and the trusted dns server 192.168.99.1 is also configured?

Thanks in advance for any help.

4 Replies

ROBERT WATSON
Level 1

Try this

Connect your test machine to vlan 10

Do you get DHCP and DNS, and can you browse to a dns resolvable web site?

If so move on to

"Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)"

Rip this out and only allow udp bootpc and bootps as well as ICMP traffic (and the DNS Trusted host in host policy) for the Unauthenticated role

then make sure you receive the dhcp address

and ping your Gateway through the CAS (should work as it's allowed by policy)

Move your pc to port on vlan 100

Then open your browser to https://192.168.199.1. Do you get the login page, yes/no? If yes, then

Flush your dns cache on your machine

Then open your browser to the dns resolvable web site you were able to resolve before (make sure the dns was not cached; you're trying to send a port 53 request, which the cas will reply to with its own redirect).
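As an added illustration (not code from this thread or from Cisco), the following Python model contrasts the two unauthenticated-role IP traffic-control policies discussed above: the original poster's "permit all" policy and the minimal one recommended in the reply (bootpc/bootps, ICMP, DNS to the trusted server, HTTPS to the CAS). It evaluates constructed sample flows against each policy in the untrusted-to-trusted direction and reports where the decisions differ, which is exactly the traffic (web and untrusted DNS) that a permit-all policy hands through instead of leaving to the CAS. The CAS and DNS addresses are the thread's; the gateway address 192.168.10.1, the web server 203.0.113.10 and the other DNS server 198.51.100.53 are assumed sample values.

```python
"""Model of a NAC Appliance unauthenticated-role IP traffic-control policy.

Added example, not Cisco code: it never talks to a CAS. It only evaluates
which constructed flows a given rule set would permit so that the permit-all
policy and the minimal policy can be compared side by side.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CAS_IP = "192.168.199.1"        # CAS untrusted-side address from the thread
TRUSTED_DNS = "192.168.99.1"    # trusted DNS server from the thread
GATEWAY_IP = "192.168.10.1"     # assumed address of the vlan 10 SVI (not given in thread)


@dataclass(frozen=True)
class Flow:
    """One untrusted -> trusted flow as seen by the CAS."""
    proto: str                  # "udp", "tcp" or "icmp"
    dst: str                    # destination IP
    dport: Optional[int] = None # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    """One line of an IP-based traffic-control policy."""
    action: str                 # "permit" or "deny"
    proto: str                  # "any", "udp", "tcp" or "icmp"
    dst: str = "0.0.0.0/0"      # destination network in CIDR form
    dport: Optional[int] = None # None matches any port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


def evaluate(policy: list, flow: Flow) -> str:
    """First matching rule wins; anything unmatched is implicitly denied,
    which for an unauthenticated host means the CAS itself handles it."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Policy as originally configured in the thread: permit everything.
PERMIT_ALL = [Rule("permit", "any")]

# Policy as recommended in the reply: DHCP, ICMP, trusted DNS, HTTPS to the CAS.
MINIMAL = [
    Rule("permit", "udp", dport=67),                       # bootps
    Rule("permit", "udp", dport=68),                       # bootpc
    Rule("permit", "icmp"),                                # ping the gateway through the CAS
    Rule("permit", "udp", f"{TRUSTED_DNS}/32", dport=53),  # DNS trusted host only
    Rule("permit", "tcp", f"{CAS_IP}/32", dport=443),      # login page on the CAS
]

# Constructed sample flows a host in the auth vlan might generate.
SAMPLE_FLOWS = {
    "dhcp_discover": Flow("udp", "255.255.255.255", 67),
    "ping_gateway": Flow("icmp", GATEWAY_IP),
    "dns_trusted": Flow("udp", TRUSTED_DNS, 53),
    "dns_other": Flow("udp", "198.51.100.53", 53),   # constructed untrusted resolver
    "https_cas": Flow("tcp", CAS_IP, 443),
    "http_web": Flow("tcp", "203.0.113.10", 80),     # constructed external web site
}


def audit(policy: list) -> dict:
    """Decision for every sample flow under one policy."""
    return {name: evaluate(policy, flow) for name, flow in SAMPLE_FLOWS.items()}


def differing_flows(policy_a: list, policy_b: list) -> set:
    """Names of sample flows on which the two policies disagree."""
    a, b = audit(policy_a), audit(policy_b)
    return {name for name in SAMPLE_FLOWS if a[name] != b[name]}


if __name__ == "__main__":
    for label, policy in (("permit-all", PERMIT_ALL), ("minimal", MINIMAL)):
        print(label, audit(policy))
    print("flows that permit-all lets through but minimal leaves to the CAS:",
          sorted(differing_flows(PERMIT_ALL, MINIMAL)))
```

Running it shows the minimal policy still permitting DHCP, the gateway ping, trusted DNS and the CAS login page, while web and untrusted DNS traffic is the only difference between the two policies; that is the traffic the reply expects the CAS, not the policy, to answer.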

Hi,

The tests are successful on vlan 10.

When I connect the host to the managed subnet (vlan 100) I am not able to access the login page https://192.168.199.1, neither am I able to ping the gateway's ip (svi 10 on switch), even though I permitted icmp any to any in the ip traffic control policy. I also tried to enable "allow any" for layer 2 traffic in the Ethernet traffic control policy for the unauthenticated role, but it didn't work.

(attached are configuration snapshots of my unauthenticated role traffic control policies and ip config of CAS)

Hi there,

But if you want to connect to the CAS, you should type https://ipaddress/admin

Otherwise you could not reach the login page of the CAS.

jad.sadek
Level 1

It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.

Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment

For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.

Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.

For further details, refer to switch IOS caveat CSCdu27506:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506

See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).

Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)

Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.

Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature

Cisco Catalyst Switch Model   Virtual Gateway Central Deployment         Virtual Gateway Edge Deployment
                              (both interfaces into same switch)         (each interface into different switch)
6000/6500                     Yes                                        Yes
4000/4500                     Yes                                        Yes
3750/3560 (L3 switch)         Yes with 12.2(25)SEE and higher [1]        Yes
3550 (L3 switch)              No [1]                                     Yes
3750/3560 (L2 switch)         Yes                                        Yes
3550 (L2 switch)              Yes                                        Yes
2950/2960                     Yes                                        Yes
2900XL                        No [2]                                     Yes
3500XL                        Yes                                        Yes
28xx NME                      Yes with 12.2(25)SEE and higher [1]        Yes

[1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.

[2] 2900XL does not support removing VLAN 1 from switch trunks.
