CAS/CAM Out-of-Band Noob

Pete89
Level 2

Hello,

We have just acquired a CAS and a CAM on 3310s running 4.6.1. We have remote (all over the country) Windows clients who presently connect to our home offices via Cisco AnyConnect Client. I am struggling to understand the best way to set this up; however, there is one requirement:

1. If the CAS or CAM becomes unavailable, users should still be able to connect to the network where they need to go. We don't want these boxes to stop users from doing their job, and we see the added security they offer as highly valuable but NOT mandatory.

With that in mind I think I should be looking at OOB setups. Questions:

1. Do I assume correctly that an OOB setup is what I want?

2.What type of Clean Access Server type should I be using? Real-IP Gateway or Virtual Gateway?

3.I have seen a Configuration Example (Doc ID 71573) for In-Band Virtual Gateway for Remote Access VPN, but not an example of an Out-of-Band setup. Anyone know where I might find that?

Any help is much appreciated,

Pedro

19 Replies

Pete89
Level 2

OK, I am coming back to this question because I have found out a few things. First of all, the remote VPN users will be doing Single Sign On with our ASA firewall. This setup makes In-Band mandatory. Also, we will be doing Virtual Gateway on the CAS as I see this as the least disruptive to the existing network. They call it a bump-in-the-line.

My business requirement has loosened up as well. We will now get another CAS for fault-tolerance. If the CAM goes down the CAS will fail open, but before, with the one CAS down, we were dead in the water. Now with two CAS I am hoping my chances of both dying isn't too great.

So I am trying to follow Doc ID 71573 and I can't get it to work for me.

The problem starts when I set the Management VLAN IDs (see attachment CAS_VLAN1.gif).

As soon as I do that and then do VLAN Map (see attachment CAS_VLAN_MAP.gif) and reboot the CAS, I lose access to the CAS.

I made sure not to physically connect the eth1 (untrusted) port until all that was done, yet there is no way and I have to do a reconfig of the CAS.

Questions:

1. Do the management VLAN IDs need to be the same as the VLANs that these ports are on the switch?

2. Do both ports on the CAS go to the same switch?

3. What would the switch setup look like (VLAN-wise)?

Confused,

Pedro

OK I have some of this working.

What I did:

1. The trusted eth0 on the CAS is configured as follows on the switch:

interface FastEthernet0/15
description eth0(trusted) on Clean Access Server
switchport trunk native vlan 997
switchport trunk allowed vlan 30,702
switchport mode trunk
spanning-tree portfast

Where VLAN 30 is where the RADIUS server lives and VLAN 702 is the Management VLAN for the trusted.

Once I did that I could see the CAS again and manage it.

I don't know if I mentioned this, but this is a TEST environment still. I am including a diagram of the topology as it is right now.

I still don't know what to do with the untrusted interface of the CAS. What VLAN? What switch?

Also, the TESTASA needs to go to the same switch as well, no? What VLANs does it talk on?

Getting closer. Please advise. I am going a little nuts. The diagram lacks the RADIUS server, which is in VLAN 30 with the CAM.

One more time:

Here is the way I have it set up now and I have played with variations of this and I am not getting this to work. Please look over the diagram and see what the problem is.

Thank you very much,

Pedro

Just a reminder. I am trying to do an In-Band Virtual Gateway for VPN users.

Hello,

Please verify the following:

1. Are you able to add CAS to CAM?

2. In CAS do you have the same IP for trusted and untrusted interface?

3. In CAS do you have different management VLANs for trusted and untrusted interface?

4. In CAS do you have Enable for L3 support?

5. Did you map the management VLAN of the untrusted interface to the management VLAN of the trusted interface (under CCA Server>Advanced>Vlan Mapping)?

6. Did you create a filter for ASA (under Device Management>Filters>Device>New with option "allow")?

7. I think you should add ASA as well as a floating device.

8. Are CAS and CAM on different subnets?

As for the switch ports, you should do VLAN pruning on the trunk ports: allow the untrusted management VLAN on the untrusted interface and the trusted management VLAN on the trusted interface.

And of course keep native VLANs. Make sure native VLANs have NO layer 3 interface on the Core. The untrusted management VLAN should NOT have a layer 3 interface on the Core either.

Please let me know if it helps.

THANK YOU for answering my post. I was starting to think I was the only person to have ever tried this. Please look at my diagram in the last post. Now I will answer your questions:

>>1. Are you able to add CAS to CAM?<<

Yes. No problem there.

>>2. In CAS do you have the same IP for trusted and untrusted interface?<<

Yes. Please see attachments in this post.

>>3. In CAS do you have different management VLANs for trusted and untrusted interface?<<

This is what I don't understand. What is the Management VLAN compared to Dummy VLAN compared to Allowed VLAN compared to Native VLAN??

>>4. In CAS do you have Enable for L3 support?<<

Yes, see attachments.

>>5. Did you map the management VLAN of the untrusted interface to the management VLAN of the trusted interface (under CCA Server>Advanced>Vlan Mapping)?<<

Same answer as number 3.

>>6. Did you create a filter for ASA (under Device Management>Filters>Device>New with option "allow")?<<

Yes, see attachments.

>>7. I think you should add ASA as well as a floating device.<<

Done. See attachments.

>>8. Are CAS and CAM on different subnets?<<

Yes, please see attachment from prior post.

As for the last thing you mentioned: how can I do a VLAN without a VLAN interface on the core??

As you can see my biggest problem is understanding the VLAN assignments for each interface.

Thank you ,, thank you ,,, thank you for your help!!

Pedro

Please try the following setting:

ASA-to-2960 switch port:

switchport access vlan 30

On the core and access switch:

conf term
vlan 30

On the core:

conf term
vlan 30
vlan 702
interface vlan 702
ip address 10.1.7.9 255.255.255.248
no shut

For dummy VLANs (native VLANs), on the core:

conf term
vlan XY1 (Dummy 1)
vlan XY2 (Dummy 2)

For the untrusted interface:

switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 30
switchport trunk native vlan XY1

For the trusted interface:

switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 702
switchport trunk native vlan XY2

Only VLAN 702 has a layer 3 interface (an interface VLAN with an IP address on the Core).

You need, of course, a layer 3 interface for the CAM VLAN and other regular subnets.
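The rules in the replies above (prune each CAS trunk to its own management VLAN, use distinct dummy native VLANs, and give a layer 3 interface on the core only to the trusted management VLAN) can be checked mechanically against a running-config dump. The following Python script is an added example, not code from this thread or from Cisco; it assumes standard IOS indented "show running-config" text, and the two sample configs inside it are constructed to mirror the numbers in the thread (VLAN 30 untrusted, VLAN 702 trusted, VLAN 997 as Pedro's native VLAN, 998/999 standing in for Philip's XY1/XY2). The "before" sample reproduces the two problems discussed above (VLAN 30 carried on the trusted trunk and owning the 10.1.7.9/29 SVI) and the "after" sample applies the fix.

```python
"""Check CAS switch ports and core SVIs against the VLAN rules from the thread.

Added example (not the thread's or Cisco's code). Assumes IOS-style config text
with sub-commands indented under 'interface X'. Only plain
'switchport trunk allowed vlan <list>' forms are parsed ('add'/'remove' are not).
"""
import re


def parse_interfaces(config):
    """Split config text into {normalised_name: [sub-commands]}.
    Names are lowercased with spaces removed, so 'Vlan 702' and 'Vlan702' match."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():                       # indented: belongs to current block
            if current is not None:
                interfaces[current].append(raw.strip().lower())
            continue
        m = re.match(r"interface\s+(.+)", raw.strip(), re.IGNORECASE)
        current = m.group(1).replace(" ", "").lower() if m else None
        if current is not None:
            interfaces[current] = []
    return interfaces


def expand_vlan_list(spec):
    """'30,702,800-802' -> {30, 702, 800, 801, 802}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def trunk_settings(cmds):
    """Trunk mode, allowed-VLAN set (None = all) and native VLAN (IOS default 1)."""
    info = {"trunk": False, "allowed": None, "native": 1}
    for c in cmds:
        if c == "switchport mode trunk":
            info["trunk"] = True
        elif c.startswith("switchport trunk allowed vlan "):
            info["allowed"] = expand_vlan_list(c.split("vlan", 1)[1])
        elif c.startswith("switchport trunk native vlan "):
            info["native"] = int(c.rsplit(" ", 1)[1])
    return info


def svis_with_ip(interfaces):
    """VLAN ids that have an 'interface VlanN' carrying an IP address on the core."""
    svis = set()
    for name, cmds in interfaces.items():
        m = re.fullmatch(r"vlan(\d+)", name)
        if m and any(c.startswith("ip address ") for c in cmds):
            svis.add(int(m.group(1)))
    return svis


def check_cas_vlans(core_config, access_config, trusted_port, untrusted_port,
                    trusted_mgmt, untrusted_mgmt):
    """Return a list of findings; an empty list means the layout follows the rules."""
    access = parse_interfaces(access_config)
    svis = svis_with_ip(parse_interfaces(core_config))
    findings, natives = [], {}
    for side, (port, mgmt) in {"trusted": (trusted_port, trusted_mgmt),
                               "untrusted": (untrusted_port, untrusted_mgmt)}.items():
        cmds = access.get(port.replace(" ", "").lower())
        if cmds is None:
            findings.append(f"{side} port {port} not found in access-switch config")
            continue
        t = trunk_settings(cmds)
        if not t["trunk"]:
            findings.append(f"{side} port {port} is not in trunk mode")
        if t["allowed"] != {mgmt}:                 # VLAN pruning: one VLAN per side
            shown = "all" if t["allowed"] is None else sorted(t["allowed"])
            findings.append(f"{side} port {port} should allow only VLAN {mgmt}, allows {shown}")
        natives[side] = t["native"]
        if t["native"] in (trusted_mgmt, untrusted_mgmt):
            findings.append(f"{side} port {port} native VLAN {t['native']} must be a dummy VLAN")
        if t["native"] in svis:
            findings.append(f"dummy VLAN {t['native']} has a layer-3 interface on the core")
    if len(natives) == 2 and natives["trusted"] == natives["untrusted"]:
        findings.append(f"trusted and untrusted ports share native VLAN {natives['trusted']}")
    if untrusted_mgmt in svis:
        findings.append(f"untrusted management VLAN {untrusted_mgmt} has a layer-3 interface on the core")
    if trusted_mgmt not in svis:
        findings.append(f"trusted management VLAN {trusted_mgmt} has no layer-3 interface on the core")
    return findings


# Constructed sample configs (not real device dumps) mirroring the thread.
ACCESS_BEFORE = """\
interface FastEthernet0/15
 description eth0(trusted) on Clean Access Server
 switchport trunk native vlan 997
 switchport trunk allowed vlan 30,702
 switchport mode trunk
interface FastEthernet0/16
 description eth1(untrusted) on Clean Access Server
 switchport trunk native vlan 997
 switchport trunk allowed vlan 30
 switchport mode trunk
"""
CORE_BEFORE = """\
vlan 30
vlan 702
interface Vlan30
 ip address 10.1.7.9 255.255.255.248
"""
ACCESS_AFTER = ACCESS_BEFORE.replace("allowed vlan 30,702", "allowed vlan 702") \
    .replace("native vlan 997\n switchport trunk allowed vlan 702", "native vlan 999\n switchport trunk allowed vlan 702") \
    .replace("native vlan 997", "native vlan 998")
CORE_AFTER = "vlan 30\nvlan 702\nvlan 998\nvlan 999\ninterface Vlan702\n ip address 10.1.7.9 255.255.255.248\n"

if __name__ == "__main__":
    for label, core, acc in (("before", CORE_BEFORE, ACCESS_BEFORE), ("after", CORE_AFTER, ACCESS_AFTER)):
        print(label, check_cas_vlans(core, acc, "FastEthernet0/15", "FastEthernet0/16", 702, 30) or "OK")
```

Running it lists four findings for the "before" layout (VLAN 30 allowed on the trusted trunk, both trunks sharing native VLAN 997, an SVI on untrusted VLAN 30, and no SVI on trusted VLAN 702) and none for the corrected one.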

Hi There once again. I am getting closer ...I think. I have attached the latest configs.

I am assuming the management VLAN is the same as its IP subnet. So in my case, the management VLAN for the Trusted interface is 702, and the management VLAN for the Untrusted is 30.

1. Do I assume correctly?

You said that the Untrusted Management VLAN cannot have a VLAN interface. It does. VLAN 30 has an interface of 10.1.7.9/29

2. How do I fix this? This is a production VLAN and I don't want to mess anything up. Everything else I can change since it's only a test setup.

You say I need to create the dummy VLANS on the core router. In my case I assume that is the 4507.

3. Do I assume correctly?

I appreciate this help very much,

Pedro

Hello,

You just need to allow VLAN 702 on the trusted CAS.

10.1.7.9 should be the IP of VLAN 702, not VLAN 30, since you have 702 on the trusted side.

To remove interface vlan 30:

conf term
no interface vlan 30

then

interface vlan 702
ip address (the same address you removed from interface vlan 30, I'm assuming)

Hi,

Please have a look at this latest setup:

http://www.flickr.com/photos/31154535@N07/3789143167/sizes/o/

As you can see in the diagram, I cannot remove VLAN 30 from the core switch. It is in production as an authentication VLAN. That's the VLAN where the RADIUS server lives.

This makes me wonder how I am going to get this working if the untrusted vlan of the CAS cannot have a vlan interface anywhere in the network.

Confused,

Pete

If you want to keep VLAN 30 the authentication VLAN, move the RADIUS server to the same subnet as the CAM. The only thing that should be on your VLAN 30 is the inside interface of your ASA and your Untrusted interface of the CAS.

Philip-

CCIE#19950

Philip,

Thanks for getting in touch with me. I have gone back to square one with my test lab. I am trying to make it as simple as possible and then add things as I go.

Here is the latest setup:

http://www.flickr.com/photos/31154535@N07/3797827289/sizes/o/

I hope this is right for the In-Band scenario that we are faced with since users will be coming in over a VPN.

My problem now is nothing is happening. I assume I am in the Unauthenticated Role since the traffic policies I tweak for the Unauthenticated Role affect the laptop user in the diagram. I can ping the CAM, for example, and disabling ICMP for the Unauthenticated Role blocks pings after that.

So I tried to create a filter that would force the laptop into a test role based on MAC address, but that didn't work. It stays in the Unauthenticated role, which makes me think I might have a network problem.

Thanks again to all for any help

Hey man, there is no doubt it is confusing, so the simpler the better.

I have added a link at the end to a remote access configuration example from CCO, pretty easy to follow. Remember that the biggest problems you will run into will be:

1. DNS - Make sure your client can resolve the CAS and CAM, make sure CAS can resolve CAM and CAM can resolve CAS. (Use hosts file entries if you have to.)

2. Time - If your time is off, it will not work.

3. Certificates - If you are using self-signed certs, make sure they are replaced when you go into production.

4. Discovery host on NAC agent- Set it to the CAM (try browse to the CAM also from the client)

Your new lab setup looks good. Here are a few questions.

Can you add CAS to CAM?

Does your user get an IP address? (dhcp)

Is the user being directed to the login page?

Are you using the Clean Access Agent? (Does it pop up with an error? Does it pop up at all?)

You can also tail the nac_server.log located on the CAS (see the user guide for the exact location); it usually has some great information.

Let me know how you do.

http://www.cisco.com/en/US/customer/products/ps6128/products_configuration_example09186a008074d641.shtml

Philip-

Philip,

Wow! Thanks for the mail. Now to answer your questions:

>>Can you add CAS to CAM?<<

Yes, no problem there.

>>Does your user get an IP address? (dhcp)<<

Not now. The laptop has a static address 10.1.7.12

>>Is user being directed to login page? <<

Yes it gets there. I try and login and I get:

Network Error:

Clean Access Server could not establish a secure connection to Clean Access Manager at nac.com

>>Are you using the Clean Access Agent? (Does it pop up with an error? Does it pop up at all?) <<

No but I want to. I assume once I get logged in it will force me to install the agent.

Here is the hosts file of the CAS:

127.0.0.1 localhost localhost
10.1.7.10 cas cas.nac.com
172.16.5.222 cam cam.nac.com

Here is the hosts file for the CAM:

127.0.0.1 localhost localhost
172.16.5.222 cam cam.nac.com
10.1.7.10 cas cas.nac.com

The time on both is the same. I am using self-signed certs for now.

>>4. Discovery host on NAC agent- Set it to the CAM (try browse to the CAM also from the client)<<

Not too sure what you mean here.

Thanks a million

Okay, for your error 'Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager at nac.com':

Regenerate the certificates on the CAS and CAM, reboot and try again.

Then turn logging on your CAS to the highest level, ssh to the CAS and tail -f /perfigo/control/tomcat/logs/nac_server.log. Look for something interesting; it is usually pretty well spelled out.

Philip-
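Item 1 of Philip's checklist (CAS and CAM must resolve each other, by hosts file if necessary) can be verified offline from the two hosts files Pedro posted. The Python script below is an added example, not code from this thread or from Cisco. It embeds the two hosts files from the thread as sample input and cross-checks that each box resolves itself and its peer to the same address. The name "nac.com" is the name the error message reports the CAS used for the CAM; treating it as the CAM name configured on the CAS is an assumption made only to show how a name that is absent from the hosts file surfaces as a finding.

```python
"""Cross-check CAS and CAM hosts files for the mutual name resolution the
thread's checklist asks for.

Added example, not the thread's or Cisco's own code. The hosts-file contents
below are copied from the thread as sample input; the name 'nac.com' is
assumed (from the error message) to be the CAM name the CAS is configured with.
"""


def parse_hosts(text):
    """/etc/hosts text -> {name: ip}. Comments are ignored; later entries win."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def resolution_findings(box, hosts_text, names, expected_ip):
    """Names that the box cannot resolve, or resolves to the wrong address."""
    table = parse_hosts(hosts_text)
    findings = []
    for name in names:
        ip = table.get(name.lower())
        if ip is None:
            findings.append(f"{box}: '{name}' does not resolve via hosts file")
        elif ip != expected_ip:
            findings.append(f"{box}: '{name}' resolves to {ip}, expected {expected_ip}")
    return findings


def cross_check(cas_hosts, cam_hosts, cas_ip, cam_ip, cas_names, cam_names):
    """Each box must resolve its own names and the peer's names; shared names must agree."""
    findings = []
    findings += resolution_findings("CAS", cas_hosts, cas_names, cas_ip)
    findings += resolution_findings("CAS", cas_hosts, cam_names, cam_ip)
    findings += resolution_findings("CAM", cam_hosts, cam_names, cam_ip)
    findings += resolution_findings("CAM", cam_hosts, cas_names, cas_ip)
    cas_table, cam_table = parse_hosts(cas_hosts), parse_hosts(cam_hosts)
    for name in sorted(set(cas_table) & set(cam_table) - {"localhost"}):
        if cas_table[name] != cam_table[name]:   # same name, different address on the two boxes
            findings.append(f"'{name}' is {cas_table[name]} on CAS but {cam_table[name]} on CAM")
    return findings


# Sample input: the two hosts files posted in the thread.
CAS_HOSTS = """\
127.0.0.1 localhost localhost
10.1.7.10 cas cas.nac.com
172.16.5.222 cam cam.nac.com
"""
CAM_HOSTS = """\
127.0.0.1 localhost localhost
172.16.5.222 cam cam.nac.com
10.1.7.10 cas cas.nac.com
"""
CAS_IP, CAM_IP = "10.1.7.10", "172.16.5.222"
CAS_NAMES = ["cas", "cas.nac.com"]
CAM_NAMES = ["cam", "cam.nac.com"]
# Assumed: the CAM name the CAS actually uses, taken from the error message.
CAM_NAME_FROM_ERROR = ["nac.com"]

if __name__ == "__main__":
    print("posted names:", cross_check(CAS_HOSTS, CAM_HOSTS, CAS_IP, CAM_IP, CAS_NAMES, CAM_NAMES) or "OK")
    print("name from error:", cross_check(CAS_HOSTS, CAM_HOSTS, CAS_IP, CAM_IP, CAS_NAMES, CAM_NAME_FROM_ERROR))
```

With the names as posted, the check comes back clean, which matches Pedro's observation that the hosts files look consistent; checking the name from the error message instead shows that neither box can resolve it, which is the kind of mismatch the DNS item in the checklist is meant to catch before certificates are suspected.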
