NAC - wanna test the basic setup - does not work !!!!

Unanswered Question
Mar 19th, 2010

SCENARIO :

· I have a simple NAC setup with 1 NAC MGR “CAM” and 1 NAC SRVR “CAS”

· My users are running network 192.168.10.x/24, and I want to implement it in L2 VG mode. Both NAC MGR and NAC SRVR can ping each other.

· CAM VLAN 55 = 192.168.55.x/24, and CAS VLAN 66 = 192.168.66.x/24

· NAC MGR “CAM” has only 1 cable going to the core switch and NAC SRVR has 2 cables going to the core switch (one is the trusted trunk end and the other is the untrusted trunk end). Created two VLANs, 999 and 998, and put one of them on each link as the blackhole prevention mechanism described in the Cisco docs.

· I have a Windows 2008 DHCP Server which is giving the pool of IPs for users from 192.168.10.x/24, and it is working fine. Routing in the core switch is also OK.

· I have SSH and web access to both CAM and CAS boxes. They are also updating online smoothly.

· From the GUI, I have created the AV Rules also, and CAM shows CAS as connected as well!!!! My version is 4.1.8 (upgraded from 4.1.3).

INT VLAN 10 (USER VLAN) SVI is on core switch = 192.168.10.254/24

INT VLAN 55 (MGMT) SVI is on core switch = 192.168.55.254/24

INT VLAN 66 (MGMT) SVI is on core switch = 192.168.66.254/24

PROBLEM :-

1. I am not able to download or get the NAC Client software MSI or stub file or ActiveX prompt to download …

2. I don’t know how to start troubleshooting at this stage. Please note that my client PC is a Windows XP machine and the port is already configured to VLAN 100.

I have 1 CORE switch only and my NAC boxes and client are connected to the same CORE switch.

Faisal Sehbai Fri, 03/19/2010 - 13:36

Hello,

What's your untrusted vlan, and do you have the vlan mapping set in the CAS yet?

Faisal

game123 Sat, 03/20/2010 - 01:36

VLAN mapping is done in the CAM; I didn't find any field in the CAS...

Also, I am copying the switch port configs... (a simple logical connectivity diagram was attached to this discussion already)

VLANS DATABASE

==============

vlan 10
name AuthVLAN
vlan 11
name TEST_VLAN_USER
vlan 55
name NAM_mgmt
vlan 998
name DummyVLAN998
vlan 999
name DummyVLAN999

*** Only SVI is VLAN 10 with network = 192.168.11.x/24 , there is no SVI for VLAN 11  ***

Following ports are configured as follows :-

============================================

interface GigabitEthernet2/9
description ** NAS's untrusted interface **
switchport
switchport trunk native vlan 999
switchport trunk allowed vlan 11
switchport mode trunk
no ip address
!
interface GigabitEthernet2/10
description **** NAS Mgmt interface IP 192.168.66.1 *****
switchport
switchport trunk native vlan 998
switchport trunk allowed vlan 10,66
switchport mode trunk
no ip address
!
interface GigabitEthernet2/11
description *** Test User Acess Port ***
switchport
switchport access vlan 11
switchport mode access
no ip address
!
interface GigabitEthernet2/12
description ***** Connected to Eth0 NAM on IP 192.168.55.1 ***
switchport
switchport access vlan 55
switchport mode access
no ip address
spanning-tree portfast
spanning-tree bpduguard enable

*** FROM THIS core switch I can ping 192.168.66.1 and also 192.168.55.1 with comfort ***

** Please note that actual IPs are 192.168.x.y  and not 10.10.x.y respectively
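A consistency check for the L2 VGW wiring posted above, added here as an example and not part of the original thread: it parses the three relevant port stanzas (a constructed sample copied from the post, descriptions dropped) and verifies that the CAS untrusted trunk carries the user VLAN, the trusted trunk carries the auth VLAN, no VLAN of a mapped pair sits on both trunks, each trunk's native VLAN is a dummy VLAN outside its allowed list, and the test user port is in a VLAN the CAS maps. The mapping {11: 10} (untrusted VLAN 11 to auth VLAN 10) and all function names are assumptions, not values taken from the CAS.

```python
import re
# Constructed sample: the CAS trunk ports and test user port from the posted config.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/9
 switchport trunk native vlan 999
 switchport trunk allowed vlan 11
 switchport mode trunk
interface GigabitEthernet2/10
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,66
 switchport mode trunk
interface GigabitEthernet2/11
 switchport access vlan 11
 switchport mode access
"""

def expand_vlans(spec):
    """Expand an IOS allowed-vlan list such as '10,20-22' into a set of ints."""
    bounds = [part.partition("-") for part in spec.split(",")]
    return {v for a, _, b in bounds for v in range(int(a), int(b or a) + 1)}
def _field(stanza, pattern, conv=str):
    """First capture of pattern in the stanza, converted; None if absent."""
    m = re.search(pattern, stanza, re.M)
    return conv(m.group(1)) if m else None
def parse_interfaces(config):
    """Map interface name -> switchport settings taken from its stanza."""
    ifaces = {}
    for stanza in re.split(r"^interface ", config, flags=re.M)[1:]:
        ifaces[stanza.split("\n", 1)[0].strip()] = {
            "mode": _field(stanza, r"^\s*switchport mode (\S+)"),
            "native": _field(stanza, r"^\s*switchport trunk native vlan (\d+)", int),
            "allowed": _field(stanza, r"^\s*switchport trunk allowed vlan (\S+)", expand_vlans) or set(),
            "access": _field(stanza, r"^\s*switchport access vlan (\d+)", int),
        }
    return ifaces
def check_l2_vgw(ifaces, untrusted, trusted, user_port, vlan_map):
    """Findings for a CAS wired in L2 VGW mode (vlan_map: untrusted VLAN -> auth VLAN); empty = consistent."""
    u, t, findings = ifaces[untrusted], ifaces[trusted], []
    for side, i in (("untrusted", u), ("trusted", t)):
        if i["mode"] != "trunk":
            findings.append(f"{side} port is not a trunk")
        if i["native"] is None or i["native"] in i["allowed"]:
            findings.append(f"{side} port needs a dummy native VLAN outside its allowed list")
    for uv, av in vlan_map.items():
        if uv not in u["allowed"] or av not in t["allowed"]:
            findings.append(f"mapping {uv}->{av} is not carried by the CAS trunks")
        if uv in t["allowed"] or av in u["allowed"]:
            findings.append(f"VLAN pair {uv}/{av} appears on both CAS trunks (loop/bypass)")
    if ifaces[user_port]["access"] not in vlan_map:
        findings.append(f"user port {user_port} is in a VLAN with no CAS mapping")
    return findings
```

Running the check with the posted wiring and the assumed 11 -> 10 mapping returns no findings; swapping the mapping the other way round flags the trunks and the user port, which is the kind of mismatch the CAM "VLAN mapping" page has to agree with.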

Faisal Sehbai Sat, 03/20/2010 - 11:57

Click on CCA Servers, Manage my server, and post the screen shots of all tabs for your CAS.

Faisal
