Clean Access - Real IP - OOB - L3 and L2

Mar 9th, 2009


Version: 4.5

My question is: I have had Real IP/OOB/L3 working successfully.

If I now attach a client L2 adjacent to the CAS so Real IP/OOB/L2 the agent does not 'pop up'.

The docs say that L3 functions do not work if you have managed subnets configured and yet you need managed subnets for L2 adjacent clients.

So the question is: are L2 and L3 clients supported when 'L3 support' is enabled?

If so, why does the CCA not respond? The event log is empty. What troubleshooting tools are available?

Thanks in advance


Daniel Laden Mon, 03/09/2009 - 16:06

The Cisco NAC solution can support L2 and L3 at the same time. L2 is represented by the managed subnets, L3 is represented by static routes.

You can support L3 or L2 exclusively with the strict option.

What are the L2 clients using for their default gateway? Is it sending their traffic away from the NAC Server? Run a network capture and look for UDP 8905/8906 traffic to and from the client.

-Dan Laden
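To act on the capture advice above, here is an added triage script (not part of the original thread or any Cisco tool) that reads tcpdump-style lines, picks out the UDP 8905/8906 discovery traffic the answer names, and reports which probes from the client got a reply. The line format, the client address and the sample capture are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed "tcpdump -nn" line layout: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+'
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP')

# Agent discovery ports named in Dan Laden's answer
DISCOVERY_PORTS = {8905, 8906}

def parse_udp(lines):
    """Yield (ts, src, sport, dst, dport) for every line that parses as UDP."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m['ts'], m['src'], int(m['sport']), m['dst'], int(m['dport'])

def discovery_summary(lines, client_ip):
    """Count discovery probes the client sent per (peer, port) and note which peers answered."""
    sent = defaultdict(int)   # (peer_ip, peer_port) -> probes sent by the client
    replied = set()           # (peer_ip, peer_port) pairs that sent something back
    for ts, src, sport, dst, dport in parse_udp(lines):
        if src == client_ip and dport in DISCOVERY_PORTS:
            sent[(dst, dport)] += 1
        elif dst == client_ip and sport in DISCOVERY_PORTS:
            replied.add((src, sport))
    return {
        'probes': dict(sent),
        'answered': sorted(k for k in sent if k in replied),
        'unanswered': sorted(k for k in sent if k not in replied),
        'no_probes': not sent,
    }

def verdict(summary):
    """One-line reading of the summary for the troubleshooting session."""
    if summary['no_probes']:
        return 'no discovery probes seen: check the agent and the client default gateway'
    if summary['unanswered']:
        peers = ', '.join(f'{ip}:{port}' for ip, port in summary['unanswered'])
        return 'probes unanswered by: ' + peers
    return 'all discovery probes answered'

# Constructed sample: the client probes one peer on 8905 (answered) and another on 8906 (silent)
SAMPLE_CAPTURE = """\
10:15:01.100 IP 10.20.30.50.51234 > 10.20.30.1.8905: UDP, length 36
10:15:01.105 IP 10.20.30.1.8905 > 10.20.30.50.51234: UDP, length 52
10:15:02.100 IP 10.20.30.50.51235 > 192.168.100.10.8906: UDP, length 36
10:15:02.300 IP 10.20.30.50.51235 > 192.168.100.10.8906: UDP, length 36
10:15:03.000 IP 10.20.30.50.137 > 10.20.30.255.137: UDP, length 50
""".splitlines()

if __name__ == '__main__':
    print(verdict(discovery_summary(SAMPLE_CAPTURE, '10.20.30.50')))
```

Feed it real capture output with the failing client's address to see whether probes leave the client at all and, if they do, which peer never answers.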

plearmouth Tue, 03/10/2009 - 08:10


The popup issue appears to be a client build; I tried with a non-customer laptop and the window popped up without a hitch.

I have a second, more pressing issue, probably worth a separate discussion, but the customer has two ADs, between which I have established a two-way trust, and authentication works.

However, we were performing role mapping based on AD groups. I have had the lookup server working on the initial AD but there is no obvious way to specify a second LDAP server.

If it is not possible to have two separate LDAP queries, would converting to RADIUS (ACS) as an authentication service be the answer? However, we do want SSO capability, so are RADIUS and SSO compatible?

I will try it in the meantime.

Many thanks in advance
