CAS/CAM Out-of-Band Noob

Unanswered Question
Jul 23rd, 2009

Hello,

We have just acquired a CAS and a CAM on 3310s running 4.6.1. We have remote (all over the country) Windows clients who presently connect to our home offices via Cisco AnyConnect Client. I am struggling to understand the best way to set this up, however there is one requirement:

1. If the CAS or CAM becomes unavailable, users should still be able to connect to the network where they need to go. We don't want these boxes to stop users from doing their job; we see the added security they offer as highly valuable but NOT mandatory.

With that in mind I think I should be looking at OOB setups. Questions:

1. Do I assume correctly that an OOB setup is what I want?

2. What type of Clean Access Server should I be using? Real-IP Gateway or Virtual Gateway?

3. I have seen a Configuration Example (Doc ID 71573) for In-Band Virtual Gateway for Remote Access VPN, but not an example of an Out-of-Band setup. Anyone know where I might find that?

Any help is much appreciated,

Pedro

pener1963 Wed, 07/29/2009 - 13:13

OK, I am coming back to this question because I have found out a few things. First of all, the remote VPN users will be doing Single Sign On with our ASA firewall. This setup makes In-Band mandatory. Also, we will be doing Virtual Gateway on the CAS as I see this as the least disruptive to the existing network. They call it a bump-in-the-line.

My business requirement has loosened up as well. We will now get another CAS for fault tolerance. If the CAM goes down the CAS will fail open, but before, with the one CAS down, we were dead in the water. Now with two CAS I am hoping my chances of both dying isn't too great.

So I am trying to follow Doc ID 71573 and I can't get it to work for me.

The problem starts when I set the Management VLAN IDs (see attachment CAS_VLAN1.gif).

As soon as I do that and then do VLAN Map (see attachment CAS_VLAN_MAP.gif) and reboot the CAS, I lose access to the CAS.

I made sure not to physically connect the eth1 (untrusted) port until all that was done, yet there is no way in and I have to do a reconfig of the CAS.

Questions:

1. Do the management VLAN IDs need to be the same as the VLANs that these ports are on the switch?

2. Do both ports on the CAS go to the same switch?

3. What would the switch setup look like (VLAN-wise)?

Confused,

Pedro

pener1963 Thu, 07/30/2009 - 07:43

OK I have some of this working.

What I did:

1. The trusted eth0 on the CAS is configured like this on the switch:

    interface FastEthernet0/15
    description eth0(trusted) on Clean Access Server
    switchport trunk native vlan 997
    switchport trunk allowed vlan 30,702
    switchport mode trunk
    spanning-tree portfast

Where VLAN 30 is where the RADIUS server lives and VLAN 702 is the Management VLAN for the trusted side.

Once I did that I could see the CAS again and manage it.

I don't know if I mentioned this, but this is a TEST environment still. I am including a diagram of the topology as it is right now.

I still don't know what to do with the untrusted interface of the CAS. What VLAN? What switch?

Also, the TESTASA needs to go to the same switch as well, no? What VLANs does it talk on?

Getting closer. Please advise. I am going a little nuts. The diagram lacks the RADIUS server, which is in VLAN 30 with the CAM.

pener1963 Mon, 08/03/2009 - 11:43

One more time:

Here is the way I have it set up now and I have played with variations of this and I am not getting this to work. Please look over the diagram and see what the problem is.

Thank you very much,

Pedro

Just a reminder. I am trying to do an In-Band Virtual Gateway for VPN users.

pszczola1 Mon, 08/03/2009 - 16:14

Hello,

Please verify the following:

1. Are you able to add the CAS to the CAM?

2. In the CAS, do you have the same IP for the trusted and untrusted interface?

3. In the CAS, do you have different management VLANs for the trusted and untrusted interface?

4. In the CAS, do you have L3 support enabled?

5. Did you map the management VLAN of the untrusted interface to the management VLAN of the trusted interface (under CCA Server > Advanced > VLAN Mapping)?

6. Did you create a filter for the ASA (under Device Management > Filters > Device > New with option "allow")?

7. I think you should add the ASA as a floating device as well.

8. Are the CAS and CAM on different subnets?

As for the switch ports, you should do VLAN pruning on the trunk ports: allow the untrusted management VLAN on the untrusted interface and the trusted management VLAN on the trusted interface.

And of course keep native VLANs. Make sure the native VLANs have no layer 3 interface on the core. The untrusted management VLAN should NOT have a layer 3 interface on the core either.

Please let me know if it helps

pener1963 Mon, 08/03/2009 - 16:57

THANK YOU for answering my post. I was starting to think I was the only person to have ever tried this. Please look at my diagram in the last post. Now I will answer your questions:

>>1. Are you able to add CAS to CAM?<<

Yes. No problem there.

>>2.In CAS do you have the same IP for trusted and untrusted interface ? <<

Yes. Please see attachments in this post.

>>3. In CAS do you have different management VLANs for trusted and untrusted interface? <<

This is what I don't understand. What is the Management VLAN compared to Dummy VLAN compared to Allowed VLAN compared to Native VLAN??

>>4. In CAS do you have Enable for L3 support ? <<

Yes see attachments.

>>5. Did you map the management VLAN of the untrusted interface to management VLAN of the trusted interface (Under CCA Server>Advanced>VLAN Mapping)?<<

Same answer as number 3

>>6. Did you create a filter for ASA (Under Device Management>Filters>Device>New with option "allow")? <<

Yes, see attachments.

>>7. I think you should add ASA as well as a floating device.<<

Done. See attachments

>>8. Are CAS and CAM on different subnets?<<

Yes, please see the attachment from my prior post.

As for the last thing you mentioned. How can I do a VLAN without a VLAN interface on the core??

As you can see my biggest problem is understanding the VLAN assignments for each interface.

Thank you, thank you, thank you for your help!!

Pedro

pszczola1 Mon, 08/03/2009 - 18:48

Please try the following settings:

ASA-to-2960 switch port:

    switchport access vlan 30

On the core and access switch:

    conf term
    vlan 30

On the core:

    conf term
    vlan 30
    vlan 702
    interface vlan 702
    ip address 10.1.7.9 255.255.255.248
    no shut

For the dummy VLANs (native VLANs), on the core:

    conf term
    vlan XY1 (Dummy 1)
    vlan XY2 (Dummy 2)

For the untrusted interface:

    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 30
    switchport trunk native vlan XY1

For the trusted interface:

    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 702
    switchport trunk native vlan XY2

Only VLAN 702 has a layer 3 interface (an interface VLAN with an IP address on the core).

You of course need a layer 3 interface for the CAM VLAN and the other regular subnets.
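The VLAN rules in this reply (prune each CAS trunk to its own management VLAN, give each trunk an unused dummy native VLAN, and put a layer 3 interface only on the trusted management VLAN) are easy to get wrong, and the earlier post shows the trusted trunk carrying both 30 and 702 while VLAN 30 still had an SVI. The checker below is an added example, not Cisco or Clean Access code and not part of this thread; it parses IOS-style switchport stanzas and the core's SVIs and reports each rule the layout breaks. The "before" and "after" sample configs are constructed from the VLAN numbers used in the thread; the dummy VLAN numbers 997 and 998 are assumed.

```python
"""Check the switch side of an in-band virtual-gateway CAS deployment.

Added example, not Cisco or Clean Access code. It encodes the thread's
VLAN rules: each CAS trunk carries only its own management VLAN over an
otherwise unused "dummy" native VLAN; only the trusted management VLAN
has a layer 3 interface (SVI) on the core, the others must have none.
"""
import re

_SVI_RE = re.compile(r"^interface\s+vlan\s*(\d+)$", re.IGNORECASE)
_IPADDR_RE = re.compile(r"^ip address\s+\d", re.IGNORECASE)
_MODE_RE = re.compile(r"^switchport mode\s+(\w+)$")
_NATIVE_RE = re.compile(r"^switchport trunk native vlan\s+(\d+)$")
_ALLOWED_RE = re.compile(r"^switchport trunk allowed vlan\s+([\d,\-]+)$")

# Constructed samples using the thread's VLAN numbers. "Before" is the state
# Pedro described (SVI on VLAN 30, trusted trunk carrying 30 and 702, both
# trunks on native 997); "after" follows pszczola1's advice (998 assumed).
CORE_BEFORE = "interface Vlan30\n ip address 10.1.7.9 255.255.255.248\n"
CORE_AFTER = "interface Vlan702\n ip address 10.1.7.9 255.255.255.248\n"
UNTRUSTED_PORT = """switchport mode trunk
switchport trunk allowed vlan 30
switchport trunk native vlan 997
"""
TRUSTED_BEFORE = """switchport trunk native vlan 997
switchport trunk allowed vlan 30,702
switchport mode trunk
"""
TRUSTED_AFTER = """switchport mode trunk
switchport trunk allowed vlan 702
switchport trunk native vlan 998
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '30,700-702' into a set of ints."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_svis(core_config):
    """VLAN ids whose 'interface VlanN' stanza carries an IP address."""
    svis, current = set(), None
    for raw in core_config.splitlines():
        line = raw.strip()
        if m := _SVI_RE.match(line):
            current = int(m.group(1))
        elif line.lower().startswith("interface "):
            current = None  # some other interface type
        elif current is not None and _IPADDR_RE.match(line):
            svis.add(current)
    return svis


def parse_trunk(port_config):
    """Mode, native VLAN and allowed VLAN set of one switchport stanza."""
    trunk = {"mode": None, "native": None, "allowed": None}
    for raw in port_config.splitlines():
        line = raw.strip().lower()
        if m := _MODE_RE.match(line):
            trunk["mode"] = m.group(1)
        elif m := _NATIVE_RE.match(line):
            trunk["native"] = int(m.group(1))
        elif m := _ALLOWED_RE.match(line):
            trunk["allowed"] = expand_vlan_list(m.group(1))
    return trunk


def check_cas_layout(core_config, untrusted_port, trusted_port,
                     untrusted_mgmt, trusted_mgmt):
    """Return rule violations; an empty list means the layout is as advised."""
    svis = parse_svis(core_config)
    ports = {"untrusted": (parse_trunk(untrusted_port), untrusted_mgmt),
             "trusted": (parse_trunk(trusted_port), trusted_mgmt)}
    findings = []
    for name, (trunk, mgmt) in ports.items():
        if trunk["mode"] != "trunk":
            findings.append(f"{name} port is not a trunk")
        if trunk["allowed"] != {mgmt}:
            findings.append(f"{name} port must allow only VLAN {mgmt} (pruning)")
        if trunk["native"] is None or trunk["native"] == mgmt:
            findings.append(f"{name} port needs a separate dummy native VLAN")
        elif trunk["native"] in svis:
            findings.append(f"dummy VLAN {trunk['native']} has an SVI on the core")
    natives = {trunk["native"] for trunk, _ in ports.values()}
    if None not in natives and len(natives) == 1:
        findings.append("both CAS ports share one dummy native VLAN")
    if untrusted_mgmt in svis:
        findings.append(f"untrusted management VLAN {untrusted_mgmt} has an SVI")
    if trusted_mgmt not in svis:
        findings.append(f"trusted management VLAN {trusted_mgmt} has no SVI")
    return findings
```

Calling check_cas_layout(CORE_BEFORE, UNTRUSTED_PORT, TRUSTED_BEFORE, 30, 702) returns four findings (the trusted trunk is not pruned, both trunks share one dummy VLAN, VLAN 30 has an SVI and VLAN 702 has none); with CORE_AFTER and TRUSTED_AFTER it returns an empty list. The parser only handles the plain "switchport trunk allowed vlan" form, not the add/remove/except variants.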

pener1963 Tue, 08/04/2009 - 08:27

Hi There once again. I am getting closer ...I think. I have attached the latest configs.

I am assuming the management VLAN is the same as its IP subnet. So in my case, the management VLAN for the Trusted interface is 702, and the management VLAN for the Untrusted is 30.

1. Do I assume correctly?

You said that the Untrusted Management VLAN cannot have a VLAN interface. It does. VLAN 30 has an interface of 10.1.7.9/29.

2. How do I fix this? This is a production VLAN and I don't want to mess anything up. Everything else I can change since it's only a test setup.

You say I need to create the dummy VLANS on the core router. In my case I assume that is the 4507.

3. Do I assume correctly?

I appreciate this help very much,

Pedro

pszczola1 Tue, 08/04/2009 - 11:52

Hello,

You just need to allow VLAN 702 on the trusted side of the CAS.

10.1.7.9 should be the IP of VLAN 702, not VLAN 30, since you have 702 on the trusted side.

To remove interface vlan 30:

    conf term
    no interface vlan 30

then:

    interface vlan 702
    ip address (the same address you removed from interface vlan 30, I'm assuming)

pener1963 Tue, 08/04/2009 - 12:15

Hi,

Please have a look at this latest setup:

http:[email protected]/3789143167/sizes/o/

As you can see in the diagram, I cannot remove VLAN 30 from the core switch. It is in production as an authentication VLAN. That's the VLAN where the RADIUS server lives.

This makes me wonder how I am going to get this working if the untrusted vlan of the CAS cannot have a vlan interface anywhere in the network.

Confused,

Pete

Philip James Thu, 08/06/2009 - 12:56

If you want to keep VLAN 30 the authentication VLAN, move the RADIUS server to the same subnet as the CAM. The only thing that should be on your VLAN 30 is the inside interface of your ASA and your Untrusted interface of the CAS.

Philip-

CCIE#19950

pener1963 Fri, 08/07/2009 - 08:40

Philip,

Thanks for getting in touch with me. I have gone back to square one with my test lab. I'm trying to make it as simple as possible and then add things as I go.

Here is the latest setup:

http:[email protected]/3797827289/sizes/o/

I hope this is right for the In-Band scenario that we are faced with, since users will be coming in over a VPN.

My problem now is nothing is happening. I assume I am in the Unauthenticated Role since the traffic policies I tweak for the Unauthenticated Role affect the laptop user in the diagram. I can ping the CAM, for example, and disabling ICMP for the Unauthenticated Role blocks pings after that.

So I tried to create a filter that would force the laptop into a test role based on MAC address, but that didn't work. It stays in the Unauthenticated role, which makes me think I might have a network problem.

Thanks again to all for any help

Philip James Fri, 08/07/2009 - 08:56

Hey man, there is no doubt it is confusing, so the simpler the better.

I have added a link at the end to a remote access configuration example from CCO, pretty easy to follow. Remember that the biggest problems you will run into will be:

1. DNS - Make sure your client can resolve the CAS and CAM, make sure the CAS can resolve the CAM and the CAM can resolve the CAS. (Use hosts file entries if you have to.)

2. Time - If your time is off, it will not work.

3. Certificates - If you are using self-signed certs, make sure they are replaced when you go into production.

4. Discovery host on NAC agent- Set it to the CAM (try browse to the CAM also from the client)

Your new lab setup looks good. Here are a few questions.

Can you add CAS to CAM?

Does your user get an IP address? (dhcp)

Is user being directed to login page?

Are you using the Clean Access Agent? (Does it pop up with an error? Does it pop up at all?)

You can also tail the nac_server.log located on the CAS (see the user guide for the exact location); it usually has some great information.

Let me know how you do.

http://www.cisco.com/en/US/customer/products/ps6128/products_configuration_example09186a008074d641.shtml

Philip-

pener1963 Fri, 08/07/2009 - 10:28

Philip,

Wow! Thanks for the mail. Now to answer your questions:

>>Can you add CAS to CAM?<<

Yes, no problem there.

>>Does your user get an IP address? (dhcp)<<

Not now. The laptop has a static address 10.1.7.12

>>Is user being directed to login page? <<

Yes it gets there. I try and login and I get:

Network Error:

Clean Access Server could not establish a secure connection to Clean Access Manager at nac.com

>>Are you using the Clean Access Agent? (Does it pop up with an error? Does it pop up at all?) <<

No but I want to. I assume once I get logged in it will force me to install the agent.

Here is the hosts file of the CAS:

    127.0.0.1 localhost localhost
    10.1.7.10 cas cas.nac.com
    172.16.5.222 cam cam.nac.com

Here is the hosts file for the CAM:

    127.0.0.1 localhost localhost
    172.16.5.222 cam cam.nac.com
    10.1.7.10 cas cas.nac.com

The time on both is the same. I am using self-signed certs for now.

>>4. Discovery host on NAC agent- Set it to the CAM (try browse to the CAM also from the client)<<

Not too sure what you mean here.

Thanks a million

Philip James Fri, 08/07/2009 - 10:37

Okay, for your error 'Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager at nac.com':

Regenerate the certificates on the CAS and CAM, reboot and try again.

Then turn logging on your CAS up to the highest level, ssh to the CAS and run tail -f /perfigo/control/tomcat/logs/nac_server.log, and look for something interesting; it is usually pretty well spelled out.

Philip-

pener1963 Fri, 08/07/2009 - 10:48

Philip,

It's working now. All I did was add nac.com to the hosts file on the CAS:

    127.0.0.1 localhost localhost
    10.1.7.10 cas cas.nac.com
    172.16.5.222 cam cam.nac.com
    172.16.5.222 nac nac.com

Which is weird, because I had to add an entry in the laptop's hosts file:

10.1.7.1 nac.com

To get the laptop to be able to talk to the CAS.

It works but how can we have two nac.com with different IPs???

A little happier,

Pedro
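Philip's first checklist item (the client must resolve the CAS and CAM, the CAS must resolve the CAM and the CAM the CAS) and Pedro's question about nac.com pointing at two different addresses are both things a small script can catch before the login page ever fails. The checker below is an added example, not part of this thread or of the Clean Access product: it parses hosts files the way a resolver reads them and reports names a box cannot resolve and names that map to different addresses on different boxes. The three sample files are constructed from the entries posted above; which names each box is required to resolve is taken from Philip's checklist plus the CAM name shown in the login error.

```python
"""Cross-check hosts files from the CAS, the CAM and a client.

Added example, not part of the thread or of the Clean Access product.
Addresses and names are the ones posted in the thread; the laptop file
holds only the nac.com entry Pedro added. Each file is parsed the way a
resolver reads it (comments, several aliases per line, first entry for a
name wins); the checker then reports names a box cannot resolve and names
that resolve to different addresses on different boxes.
"""

# Constructed sample files built from the entries posted in the thread.
CAS_HOSTS = """\
127.0.0.1 localhost localhost
10.1.7.10 cas cas.nac.com
172.16.5.222 cam cam.nac.com
172.16.5.222 nac nac.com
"""
CAM_HOSTS = """\
127.0.0.1 localhost localhost
172.16.5.222 cam cam.nac.com
10.1.7.10 cas cas.nac.com
"""
LAPTOP_HOSTS = """\
# constructed: the client only has the one entry Pedro added
10.1.7.1 nac.com
"""
HOSTS_FILES = {"cas": CAS_HOSTS, "cam": CAM_HOSTS, "laptop": LAPTOP_HOSTS}

# Names each box must resolve, following the thread's DNS checklist:
# client -> CAS and CAM, CAS -> CAM, CAM -> CAS, plus the CAM name that
# appears in the login error (nac.com).
REQUIRED = {
    "cas": ["cam.nac.com", "nac.com"],
    "cam": ["cas.nac.com"],
    "laptop": ["cas.nac.com", "cam.nac.com", "nac.com"],
}


def parse_hosts(text):
    """Map every hostname and alias to its address; the first entry wins."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, blank lines
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def check_resolution(hosts_files, required):
    """Return findings for unresolvable names and cross-box mismatches."""
    tables = {box: parse_hosts(text) for box, text in hosts_files.items()}
    findings = []
    for box, names in required.items():
        for name in names:
            if name.lower() not in tables.get(box, {}):
                findings.append(f"{box}: cannot resolve {name}")
    # A name should map to one address everywhere it appears.
    by_name = {}
    for box, table in tables.items():
        for name, addr in table.items():
            if name != "localhost":
                by_name.setdefault(name, {})[box] = addr
    for name, per_box in sorted(by_name.items()):
        if len(set(per_box.values())) > 1:
            detail = ", ".join(f"{b}={a}" for b, a in sorted(per_box.items()))
            findings.append(f"{name} resolves differently: {detail}")
    return findings


if __name__ == "__main__":
    for finding in check_resolution(HOSTS_FILES, REQUIRED):
        print(finding)
```

Run against the constructed files it reports that the laptop cannot resolve cas.nac.com or cam.nac.com, and that nac.com resolves to 172.16.5.222 on the CAS but 10.1.7.1 on the laptop, which is exactly the "two nac.com with different IPs" situation asked about above. The script only flags the inconsistency; the fix the thread arrives at later is to have every device in real DNS rather than in hosts files.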

pener1963 Mon, 08/10/2009 - 06:58

OK so I decided to go back to this setup:

http:[email protected]/3797409565/sizes/o/

Because this more closely resembles what I will eventually do.

What happens:

1. Users get logged on using the RADIUS server.

2. The CAS recognizes the user logged on as a VPN user.

3. The user opens a corporate webpage and gets the redirect message.

4. The page times out with an error message.

The VPN users are in the network 192.168.212.0. They can ping servers in the 172.16.3.0 network. They cannot ping 10.1.7.10 (the CAS).

Layer 3 support has been enabled on the CAS. The NAT statements on the ASA are the following:

    global (outside) 101 interface
    nat (inside) 0 access-list no_NAT
    nat (inside) 1 10.1.7.0 255.255.255.0
    access-list no_NAT extended permit ip 192.168.212.0 255.255.255.0 any

The VPN users need to see the CAS as a L2 device no?

I know I am so close, but it seems to me I need to do something on the ASA and I don't know what.

Philip James Mon, 08/10/2009 - 08:24

Okay, you say the CAS recognizes the user logged on as VPN, are you doing single sign on via radius accounting?

So when you get redirected to the CAS, pay careful attention to the URL in the redirect. You have to make sure you can reach this via DNS, otherwise it will not work. You can also try browsing to the CAS IP address from your client when you are connected. If you can reach the CAS you should be good.

Also again, you need to be looking at the NAC_Server.log file to see if you are seeing anything interesting. Refer to the CAS user guide to help decipher the messages.

There is also a step-by-step guide to VPN integration with NAC appliance in the CAS user guide.

Philip-

pener1963 Mon, 08/10/2009 - 09:13

Hi Philip!

I was right about the ASA. When I removed the nat entry:

nat (inside) 1 10.1.7.0 255.255.255.0

Suddenly I was able to ping the CAS at 10.1.7.10 from the logged in VPN client from the 192.168.212.0 network.

SSO works! When I open a corporate web page I am told I need to install the NAC agent. It installs, does the posturing, and voila, I am off to the races. I don't get prompted to log in again to the CAS. Great!

But the only way to get the NAC agent installed is by trying to open a corporate web site. My users typically would not be doing that. They would be connecting via AnyConnect and then launching Terminal Server Client. I have tried this and I don't get prompted to install the NAC agent. In the best of all possible worlds they would get prompted. Is there a way I could do that??

Also, I forgot to mention that the DNS entries I had to put on the CAS to get it to recognize nac.com (see earlier post) disappeared after a reboot. Are entries made to the hosts file only temporary, or was it me who forgot to save his changes?? I mean, I can touch files on the CAS/CAM that will be permanent, no?

Philip James Mon, 08/10/2009 - 09:24

Great! Yes, the only way they will get prompted to download the client is by opening a browser to something that is on the trusted side of the CAS.

What I have recommended in the past to clients is either to have written instructions for the users, telling them to open the browser the first time they use it, or to have the NAC agent installed on the machines prior to the first time they connect. Unfortunately there are not a lot of options right now.

About your DNS entries, they will disappear on reboot. For production deployment you need to have all the devices in DNS and use a trusted certificate authority.

Glad you got it working.
