03-18-2010 07:57 AM - edited 02-21-2020 03:54 AM
I have configured an OOB Virtual Gateway. However, the CAS fails to detect the client and redirect it to the login web page.
Sometimes when I change the managed subnet, it works...
I wonder what exact IP address should be typed into the managed subnet?
Suppose I have 10 trusted VLANs (10, 11, 12, 13 ...), and I create 10 related untrusted VLANs (20, 21, 22, 23 ...)
IP address for VLAN 10: 192.168.10.0/24
IP address for VLAN 11: 192.168.11.0/24
IP address for VLAN 12: 192.168.12.0/24
IP address for VLAN 13: 192.168.10.0/24
I have tried the 4.1.x version of CAM/CAS; that page allowed us to input a subnet address.
However, in 4.5.x or above, we must input a host IP address. Now I have upgraded to version 4.7.2. What IP address and VLAN should I type into this page?
192.168.10.254/24 VLAN20
192.168.11.254/24 VLAN21
192.168.12.254/24 VLAN22
192.168.13.254/24 VLAN23
or
192.168.10.254/24 VLAN10
192.168.11.254/24 VLAN11
192.168.12.254/24 VLAN12
192.168.13.254/24 VLAN13
Also, I want to ask about the Network page of the CAS. Should the management VLAN ID of the untrusted interface be set to "0", left blank, or set to one of the trusted VLANs?
I'm a green hand at NAC... I hope someone can guide me. Many thanks.
03-18-2010 10:38 AM
Hi,
Always use IP addresses for Managed Subnet entries, and never the subnet address.
As for setting management VLANs, except for some corner cases, it should be nothing on the untrusted side.
HTH,
Faisal
03-18-2010 09:26 PM
How about the VLAN in the managed subnet? Should it be the untrusted or the trusted VLAN?
It fails to get an IP address from the DHCP server...
I added VLAN mappings in the VLAN mapping tab:
VLAN 1 is the trusted VLAN, VLAN 240 is the untrusted VLAN
VLAN 110 is the trusted VLAN, VLAN 241 is the untrusted VLAN
I also added managed subnets as follows:
168.18.0.0 255.255.0.0 vlan 1
192.168.210.0 255.255.255.0 vlan 110
Traffic Control as follows:
Unauthenticated role
Default <-- DNS* Allow DHCP and DNS
The DHCP server is located in VLAN 1 (168.18.0.x),
VLAN 110 needs to go through its gateway with an ip helper-address pointing to 168.18.0.x.
Would the ip helper-address make VLAN 241 fail to get an IP?
Is anything special needed in CAM/CAS so that VLAN 241 can get an IP from the DHCP server 168.18.0.x?
03-19-2010 07:24 AM
Hi,
Change those networks to an IP in those networks; so, for example, 168.18.0.0 255.255.0.0 should be 168.18.0.254.
The VLAN tag should be that of the untrusted VLAN, so in this case VLAN 1, and if you can, please move away from VLAN 1 and use something else.
There isn't anything special required for DHCP to work other than a correct managed subnet and VLAN mapping.
HTH,
Faisal
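The two rules in the reply above (a Managed Subnet entry must be an unused host IP inside the subnet, never the network address, and its VLAN tag must be the untrusted VLAN from the VLAN mapping) are easy to get wrong when there are many VLAN pairs. The following is an added example, not code from the thread or from Cisco: a small Python checker that applies those rules to Managed Subnet entries given the VLAN mapping. The VLAN mapping and entries are constructed from the figures in this thread, using the poster's clarified pairing (VLAN 1 trusted, VLAN 240 untrusted); the CAM has no such API, so the entries are plain tuples you would copy from the web pages.

```python
import ipaddress

# Constructed from the figures in this thread: VLAN mapping tab pairs each
# trusted VLAN with the untrusted VLAN the CAS retags it to (trusted -> untrusted).
VLAN_MAPPING = {1: 240, 110: 241}

# Managed Subnet entries as (ip, netmask, vlan). The first two are the
# poster's original (wrong) entries, the last two the corrected ones.
MANAGED_SUBNETS = [
    ("168.18.0.0", "255.255.0.0", 1),
    ("192.168.210.0", "255.255.255.0", 110),
    ("168.18.0.254", "255.255.0.0", 240),
    ("192.168.210.254", "255.255.255.0", 241),
]


def check_managed_subnet(entry, vlan_mapping):
    """Return a list of problems with one Managed Subnet entry (empty if OK)."""
    ip, mask, vlan = entry
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid address/mask {ip}/{mask}: {exc}"]
    net = iface.network

    # Rule 1: the entry is a host IP the CAS answers ARP for, so the
    # network and broadcast addresses are never valid here.
    if iface.ip == net.network_address:
        problems.append(f"{ip} is the network address; use an unused host IP inside {net}")
    elif iface.ip == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address; use an unused host IP inside {net}")

    # Rule 2: the VLAN tag is the untrusted side of the mapping.
    trusted = set(vlan_mapping)
    untrusted = set(vlan_mapping.values())
    if vlan in trusted and vlan not in untrusted:
        problems.append(
            f"VLAN {vlan} is a trusted VLAN; tag the entry with its untrusted VLAN {vlan_mapping[vlan]}")
    elif vlan not in untrusted:
        problems.append(f"VLAN {vlan} does not appear as an untrusted VLAN in the VLAN mapping")
    return problems


def missing_untrusted_vlans(entries, vlan_mapping):
    """Untrusted VLANs from the mapping that have no Managed Subnet entry at all.
    Clients retagged into such a VLAN have no virtual gateway to talk to."""
    tagged = {vlan for _, _, vlan in entries}
    return sorted(v for v in vlan_mapping.values() if v not in tagged)


def report(entries, vlan_mapping):
    """Map each entry to its problem list; only entries with problems are listed."""
    return {e: p for e in entries if (p := check_managed_subnet(e, vlan_mapping))}


if __name__ == "__main__":
    for entry, problems in report(MANAGED_SUBNETS, VLAN_MAPPING).items():
        print(entry, "->", "; ".join(problems))
    print("untrusted VLANs without a managed subnet:",
          missing_untrusted_vlans(MANAGED_SUBNETS, VLAN_MAPPING))
```

Run it against the entries you have typed into the CAM and fix anything it reports before testing DHCP again; the check only covers what the reply above states, so a clean result still leaves switch-side problems (trunks, VTP, SNMP) to rule out.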
03-19-2010 07:52 AM
Oh... maybe my explanation was not clear... It should be VLAN 240 as untrusted and VLAN 1 as trusted.
I knew from the installation guide that VLAN 1 is not recommended, but in my case I can't move it away from the user access (trusted) VLAN.
trusted    untrusted
--------   ----------
vlan1      vlan240
So I use any UNUSED IP address as the virtual gateway in the managed subnet, with the related untrusted VLAN ID.
for example,
Managed Subnet
-------------------------
168.18.0.254 255.255.0.0 vlan 240
Should I configure an ARP entry too?
ARP entries (I saw in the installation guide that the entries would be created automatically... how do I verify that? because there are no entries in the ARP tab)
----------------
168.18.0.254 eth1 ????
Also, should I leave "L3 enable" unselected?!!
03-19-2010 09:44 AM
Hello,
No need to set ARP entries. They are done automatically. If your setup is L2 only, then there's no need to enable L3 also. Enabling it won't make a difference for your L2 clients.
To see the arp entries on a CAS, use the command: cat /proc/click/intern_arpq/table (see entries on untrusted side) or cat /proc/click/extern_arpq/table (to see entries on the trusted side)
HTH,
Faisal
03-19-2010 10:11 PM
Yes... it would not allow me to add an ARP entry, since it conflicts with the managed subnet.
I still haven't had a chance to go down to the server room and take a look at the ARP entries. But I will do this next Monday.
Thanks for your reply. However, I still cannot get any IP from the DHCP servers.
I wonder whether NO untrusted VLAN can get an IP from the DHCP server NOW.
The attached file is captured from the real case.
I am just using 2 VLANs for testing now.
pic 1 - pic6:
Only L2 is OK... I have unchecked "L3 enable" already.
168.18.0.0/16 = VLAN1 <--> VLAN240
192.168.210.0/24 = VLAN110 <--> VLAN241
I took 2 unused IP addresses, 168.18.1.210/16 and 192.168.210.254/24, as the managed subnets.
The Unauthenticated role allows UDP/DHCP by default.
Could you explain what is wrong in my configuration?
03-20-2010 11:31 AM
Uncheck the "Enable subnet-based VLAN retag" option, reboot your CAS and try again.
HTH,
Faisal
03-21-2010 07:14 PM
Help!! It still fails to get an IP for any untrusted VLAN.
If I set the port as uncontrolled, the PC normally receives an IP for the related VLAN.
So all VLANs (including the "untrusted" ones) are configured normally on all switches located on the paths to the CAS/CAM.
I attached a screen dump for further help!! Many thanks.
04-27-2010 09:39 AM
I am successfully getting an IP NOW... because VTP on some switches was set to transparent and they couldn't learn all the VLANs.
Even so, I face some issues. Since the user flat network is big enough to cover a thousand switches, I have found some characteristics...
The big flat network is using a "3750 stack" as the core switch. The IOS version is 12.2(25). I checked the doc.
Extracted as below:
For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.
So... my question is:
Although these switches might fail to send SNMP notifications to the CAS/CAM, would all the other switches connected to this 3750 also fail to report SNMP notifications?
In my case, it seems that all switches located away from the switch connected to the CAS/CAM successfully perform login and authentication through the CAS. However, all switches connected to this core 3750 fail to perform the login... not even a login page is found.
SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM
SW2 and SW3 can successfully perform the CAS login.
SW1 fails to get the login page and fails to authenticate, but can get DHCP and is stuck in the untrusted VLAN.
04-27-2010 07:05 PM
Hi,
Please post a network diagram of what you're working with. Mark the VLANs and IP addresses and post the switch configurations of the switches in question.
Thanks,
Faisal
03-19-2010 10:57 PM
I got it from the SSH console...
cat /proc/click/intern_arpq/table (see entries on untrusted side) <-- No entries
cat /proc/click/extern_arpq/table (to see entries on the trusted side) <-- Many Entries
Why are there no entries in intern_arpq/table????
And is that correct?
It fails to get an IP X.X
03-19-2010 11:01 PM
Also, more info:
CAS is using vlan 228 (192.168.228.0/24)
CAM is using vlan 229 (192.168.229.0/24)
They are individual VLANs and use the 3750 for inter-VLAN routing to the other VLANs.
07-27-2010 12:00 AM
Hi to All,
I would like to ask for some help with my NAC appliance. Currently I am setting up the NAC appliance. I am just having trouble with what IP address I should use for the managed subnet. I have set up the trusted VLAN as it exists in our network, but what about the untrusted VLAN? Should I make new IP addresses for it and put them in the untrusted VLAN? I don't know if I made it correctly, but I cannot get an IP address every time I change the switchport to the port profile I made. Please, can you guys help me? I just need to know it for my project. Thanks.