NAC Implementation

Unanswered Question
Feb 20th, 2009

We terminate VPN users on an ASA. That is working. The problem is running the remote users through the NAC appliance while not checking other traffic. We have tried restricting all VPN users to a VLAN to layer 3 with PBR. None of these options seem to work. What is the best way to run remote users through NAC before allowing access to the network? Layer 3, Layer 2, in-band, out-of-band, or ???


maximcasseus Fri, 02/20/2009 - 11:42

The recommended way to run your VPN users through the NAC appliance(s) is to implement the L3 in-band deployment.

ursshared Fri, 02/20/2009 - 12:02

Will this work having the remote users restricted to one VLAN on the ASA separate from my inside interface? Or will all traffic have to pass through the NAC and exempt everything but the VPN traffic?

maximcasseus Fri, 02/20/2009 - 14:24

Yes and yes.

As you're only inserting the NAC appliance into the existing traffic flow.

The traffic you want to interrogate can be specified via your managed subnets list as well.

If your VPN is not set up yet, you should get it up and working through that dedicated interface and then insert the NAC appliance.

srue Fri, 02/20/2009 - 18:29

If your NAC appliance is more than 1 hop away from your VPN appliance, you can policy route the VPN IP pool through the NAC servers. All other traffic will be routed normally, without going through NAC.
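An added example of the policy-based routing srue describes, written for this thread and not taken from any poster or from Cisco documentation. It assumes a Cisco IOS router sitting between the ASA and the NAC server, the VPN pool 10.10.100.0/24, the NAC server's untrusted interface at 10.10.1.2 and trusted interface at 10.10.2.2; all of these addresses and interface names are constructed for illustration.

```cisco
! Constructed example: match only the VPN address pool handed out by the ASA.
! Everything else on this interface is routed by the normal routing table.
ip access-list extended VPN-POOL
 permit ip 10.10.100.0 0.0.0.255 any
!
! Send matched VPN traffic to the NAC server's untrusted-side address
! instead of following the routing table.
route-map NAC-VPN permit 10
 match ip address VPN-POOL
 set ip next-hop 10.10.1.2
!
! Implicit deny entry: traffic that does not match VPN-POOL falls through
! to normal routing, which is the "all other traffic" case in the post.
route-map NAC-VPN permit 20
!
! Apply the policy on the interface facing the ASA, so only packets
! arriving from the VPN side are evaluated against the route map.
interface GigabitEthernet0/1
 description Link to ASA inside interface
 ip address 10.10.1.1 255.255.255.0
 ip policy route-map NAC-VPN
!
! Return path (assumed topology): replies destined to the VPN pool must
! also come back through the NAC server's trusted side, otherwise the
! in-band appliance sees only one direction of the flow.
ip route 10.10.100.0 255.255.255.0 10.10.2.2
```

Verify with `show route-map NAC-VPN`, whose match counters should increase only for VPN-pool sources while other inside traffic keeps its ordinary next hop.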

