NAC OOB Virtual IP GTW Deployment

Apr 6th, 2009

Good Day!

Hello Net Pros,

My name is Daniel Yamashita and I'm in charge of the deployment of the CCA at one of our customers. I've already made a couple of deployments using the 3350 and 3310 Cisco appliances, both in HA FO and Single modes and in SW versions 4.1 and 4.5.

I'm facing some functionality issues and I was wondering if you guys could help me. Here is the scenario:

- The LAN isn't segmented; there is only ONE access L3 VLAN, which has ID 20, name Corp and an IP range in the 172.20.0.0/16 subnet. There is a VLAN 1000 which is for device management only.

- There are only 3 requirements on the CCA solution: McAfee installation verifier, McAfee virus definition verifier (McAfee server managed locally) and Windows hot-fixes/updates verifier (WSUS server managed locally).

- Logical Plan:

VLAN ID: 777, NAME: NAC-CAM-MGT, Network: 10.10.20.0/29, Standby IP: 10.10.20.1
VLAN ID: 778, NAME: NAC-CAP, Network: L2 only
VLAN ID: 779, NAME: NAC-CAS-MGT, Network: 10.10.10.0/28, Standby IP: 10.10.10.1
VLAN ID: 20, NAME: CORP, Network: 172.20.0.0/16, Standby IP: 172.20.3.1
VLAN ID: 1000, NAME: MGMT, Network: 192.168.100.0/24

Cisco Clean Access Manager (CAM) v4.1.6 @ Appliance Cisco 3310
Eth0 IP: 10.10.20.4
CAM Management VLAN: 777 (NAC-CAM-MGT)

Cisco Clean Access Server (CAS) #01 v4.1.6 @ Appliance Cisco 3310
(Trusted) Eth0 IP: 10.10.10.4
(Untrusted) Eth1 IP: 10.10.10.4
CAS Management VLAN: 778
VLAN MAPPING ENABLED
MGT VLAN PASSTHROUGH DISABLED

Cisco Clean Access Server (CAS) #02 v4.1.6 @ Appliance Cisco 3310
(Trusted) Eth0 IP: 10.10.10.5
(Untrusted) Eth1 IP: 10.10.10.5
CAS Management VLAN: 778
VLAN MAPPING ENABLED
MGT VLAN PASSTHROUGH DISABLED

Cisco Clean Access Server (CAS) #03 v4.1.6 @ Appliance Cisco 3310
(Trusted) Eth0 IP: 10.10.10.6
(Untrusted) Eth1 IP: 10.10.10.6
CAS Management VLAN: 778
VLAN MAPPING ENABLED
MGT VLAN PASSTHROUGH DISABLED

- Deployment: OOB Virtual IP Gateway

I opted for the OOB VIP Gtw deployment mainly because some of the employees' workstations have statically assigned IP addresses, and there are 3 CAS appliances since there are 800+ stations that will work with the CCA Agent locally installed.

- Attached is a logical topology of the deployment, with IP addresses and trunk configs as well.

- Problems:

1) Instability: If all 3 instances of CAS are up and running, I get a “Not Connected” randomly on any of the CASs. After a HW reboot the appliance returns to answering pings.

2) SSO: I've deployed the CCA Agent on one employee desktop controlled via Port Profile @ CAM. The SSO process starts and no error message is displayed, but the Local DB authentication screen then appears, which doesn't work either.

3) Authentication: As soon as the auth process starts, the Cisco 4509 HSRP Switch-CORE starts running at high CPU; it stays at almost 80%.

4) IP: The station gets an IP from the DHCP server on the Access VLAN 20 but can ping only one of the CASs and nothing else.

5) All ports and IP addresses regarding the SSO process are open and permitted to go through the CASs on ALL User Roles via Traffic Control Settings, including the Unauthenticated Role.

6) Managed Subnets @ CASs: 10.10.10.15/24 @ VLAN 778 && 172.20.255.254/16 @ VLAN 778

7) VLAN Mapping @ CASs: Untrusted 778 > Trusted 20

- By these symptoms, I feel like there is a VLAN L2 and/or L3 issue, but I can't tell what the problem is since I've deployed other CCA solutions just like this.

- There is NO INTF VLAN 998 or 999 whatsoever.

Can somebody help me here? What do you think might be happening?

Thanks for your attention and time in advance.

Best Regards, Daniel Yamashita

Daniela Herrera Wed, 04/08/2009 - 06:21

Hi,

I understand then that the clients are not connecting through local or SSO mode, is that correct?

I would suggest 3 things so far:

1. Check the logs on the switches where the CASs are connected. I had a similar problem where the CAS would stop responding and the switches would complain about VLAN mismatch or MAC flapping. If you notice errors on the switches, verify that you have:

* VLAN mapping enabled correctly

* A different native VLAN on the switch interface for the trusted and untrusted CAS ethX.

* The correct VLANs configured on each port: for the untrusted interface just the authentication (layer 2) VLANs, for the trusted interface the access VLAN (20) and the management VLAN.

2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.

3. On the CAM go to the Clean Access Server section and manage one of your CASs. The first window will show the services currently running on the CAS; verify that the SSO service is running, and if it's not, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.

Hope this helps,

Regards,

Daniela Herrera Wed, 04/08/2009 - 06:27

One more thing :)

You mention :

6) Managed Subnets @ CASs: 10.10.10.15/24 @ VLAN 778 && 172.20.255.254/16 @ VLAN 778

7) VLAN Mapping @ CASs: Untrusted 778 > Trusted 20

So.. you have 2 network segments on the same authentication VLAN and only one mapping???

I'm not sure this is possible... from what I've tested I believe you should have 2 auth VLANs (one for each subnet) and 2 mappings to 2 different access VLANs...

You could confirm this by testing with only one network, removing the configuration for the other managed subnet, and seeing if you notice any difference. That would help us all know if that's possible or not.

regards,

juancarlosorellana Fri, 01/08/2010 - 11:42

It is possible to implement SSO in a NAC scheme in which the CAS this OOB LAN switch into a manageable pace so if I set the CAS and CAM or switches case are similar to those applied to wireless and VPN users, if anyone can provide me with documentation.
