03-19-2010 09:15 AM - edited 02-21-2020 03:54 AM
SCENARIO :
· I have simple NAC setup with 1 NAC MGR “CAM” and 1 NAC SRVR “CAS”
· My users are running network 192.168.10.x/24, and I want to implement it in L2 VG mode. Both NAC MGR and NAC SRVR can ping each other.
· CAM VLAN 55 = 192.168.55.x/24 , and CAS VLAN 66 = 192.168.66.x/24
· NAC MGR “CAM” has only 1 cable going to the core switch and NAC SRVR has 2 cables going to the core switch (one is the trusted trunk end and the other is the untrusted trunk end). Created two VLANs, 999 and 998, and put one on each link as the blackhole prevention mechanism described in the Cisco docs.
· I have a Windows 2008 DHCP Server that is giving the pool of IPs for users from 192.168.10.x/24, and it is working fine. Routing in the core switch is also OK.
· I have SSH and web access to both CAM and CAS boxes. They are also updating online smoothly.
· From the GUI, I have created the AV Rules also and CAM shows CAS as connected as well !!!! My version is 4.1.8 (upgraded from 4.1.3 )
INT VLAN 10 (USER VLAN) SVI is on core switch = 192.168.10.254 /24
INT VLAN 55 ( MGMT ) SVI is on core switch = 192.168.55.254/24
INT VLAN 66 (MGMT) SVI is on core switch = 192.168.66.254/24
PROBLEM :-
1. I am not able to download or get the NAC Client software MSI or stub file or ActiveX prompt to download ….
2. I don’t know how to start troubleshooting at this stage. Please note that my client PC is a Windows XP machine and the port is already configured to VLAN 100.
I have 1 CORE switch only and my NAC boxes and client are connected to the same CORE switch.
03-19-2010 01:36 PM
Hello,
What's your untrusted vlan, and do you have the vlan mapping set in the CAS yet?
Faisal
03-20-2010 01:36 AM
VLAN mapping is done in CAM; I didn't find any field in CAS...
Also, I am copying the switch port configs... (a simple logical connectivity diagram was also attached to this discussion already)
VLANS DATABASE
==============
vlan 10
name AuthVLAN
vlan 11
name TEST_VLAN_USER
vlan 55
name NAM_mgmt
vlan 998
name DummyVLAN998
vlan 999
name DummyVLAN999
*** Only SVI is VLAN 10 with network = 192.168.11.x/24 , there is no SVI for VLAN 11 ***
Following ports are configured as follows :-
============================================
interface GigabitEthernet2/9
description ** NAS's untrusted interface **
switchport
switchport trunk native vlan 999
switchport trunk allowed vlan 11
switchport mode trunk
no ip address
!
interface GigabitEthernet2/10
description **** NAS Mgmt interface IP 192.168.66.1 *****
switchport
switchport trunk native vlan 998
switchport trunk allowed vlan 10,66
switchport mode trunk
no ip address
!
interface GigabitEthernet2/11
description *** Test User Acess Port ***
switchport
switchport access vlan 11
switchport mode access
no ip address
!
interface GigabitEthernet2/12
description ***** Connected to Eth0 NAM on IP 192.168.55.1 ***
switchport
switchport access vlan 55
switchport mode access
no ip address
spanning-tree portfast
spanning-tree bpduguard enable
*** FROM THIS core switch I can ping 192.168.66.1 and also 192.168.55.1 with comfort ***
** Please note that actual IPs are 192.168.x.y and not 10.10.x.y respectively
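As an added example (not part of this thread, and not Cisco's own tooling), the script below parses the interface stanzas posted above and checks the invariants a NAC L2 virtual-gateway layout relies on: both CAS links are trunks, their native VLANs are distinct dummy VLANs rather than VLAN 1 or a NAC VLAN, no VLAN is allowed on both the trusted and untrusted trunk (which would bridge traffic around the CAS), and the client's access VLAN is the one carried on the untrusted trunk. The thread does not state the CAM VLAN mapping, so the example assumes untrusted VLAN 11 maps to trusted VLAN 10; the interface names and the mapping are passed in as parameters, and the config text is a constructed copy of what was posted.

```python
import re

# Constructed sample: the interface stanzas posted in the thread above (trailing
# "no ip address" lines omitted, they are not relevant to the checks).
IOS_CONFIG = """\
interface GigabitEthernet2/9
 description ** NAS's untrusted interface **
 switchport
 switchport trunk native vlan 999
 switchport trunk allowed vlan 11
 switchport mode trunk
!
interface GigabitEthernet2/10
 description **** NAS Mgmt interface IP 192.168.66.1 *****
 switchport
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,66
 switchport mode trunk
!
interface GigabitEthernet2/11
 description *** Test User Acess Port ***
 switchport
 switchport access vlan 11
 switchport mode access
!
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,66' or '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans

def parse_interfaces(text):
    """Return {interface: {mode, native, allowed, access}} from IOS running-config text.
    allowed=None means the trunk carries all VLANs (IOS default when no list is set)."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = {"mode": None, "native": 1, "allowed": None, "access": 1}
        elif cur is None or line == "!":
            continue
        elif m := re.match(r"switchport mode (\w+)$", line):
            ifaces[cur]["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            ifaces[cur]["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line):
            ifaces[cur]["allowed"] = expand_vlan_list(m.group(1))
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            ifaces[cur]["access"] = int(m.group(1))
    return ifaces

def carries(iface, vlan):
    """True if a trunk forwards the given VLAN (an unrestricted trunk carries everything)."""
    return iface["allowed"] is None or vlan in iface["allowed"]

def check_vgw(ifaces, untrusted, trusted, client_port, untrusted_vlan, trusted_vlan):
    """Return a list of findings; an empty list means the layout passes every check."""
    findings = []
    u, t, c = ifaces[untrusted], ifaces[trusted], ifaces[client_port]
    for name, i in ((untrusted, u), (trusted, t)):
        if i["mode"] != "trunk":
            findings.append(f"{name}: CAS link must be a trunk, found mode {i['mode']}")
        if i["allowed"] is None:
            findings.append(f"{name}: trunk allows all VLANs; restrict it to the NAC VLANs")
        if i["native"] in (1, untrusted_vlan, trusted_vlan):
            findings.append(f"{name}: native VLAN {i['native']} is not a dedicated dummy VLAN")
    if u["native"] == t["native"]:
        findings.append(f"both trunks share native VLAN {u['native']}; use one dummy VLAN per link")
    if u["allowed"] is not None and t["allowed"] is not None:
        shared = u["allowed"] & t["allowed"]
        if shared:
            findings.append(f"VLANs {sorted(shared)} allowed on both trunks; traffic can bypass the CAS")
    if not carries(u, untrusted_vlan):
        findings.append(f"{untrusted}: untrusted VLAN {untrusted_vlan} is not allowed on the untrusted trunk")
    if not carries(t, trusted_vlan):
        findings.append(f"{trusted}: trusted VLAN {trusted_vlan} is not allowed on the trusted trunk")
    if c["mode"] != "access" or c["access"] != untrusted_vlan:
        findings.append(f"{client_port}: client port must be an access port in VLAN {untrusted_vlan}")
    return findings

if __name__ == "__main__":
    result = check_vgw(parse_interfaces(IOS_CONFIG), "GigabitEthernet2/9",
                       "GigabitEthernet2/10", "GigabitEthernet2/11", 11, 10)
    print("\n".join(result) if result else "no findings")
```

Run against the posted stanzas with the assumed 11-to-10 mapping, the checker reports no findings, which narrows the hunt to the CAM-side VLAN mapping and the CAS configuration rather than the switch ports; the same parser can be pointed at a full `show running-config` dump after the switch-side trunks are adjusted.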
03-20-2010 11:57 AM
Click on CCA Servers, Manage my server, and post the screen shots of all tabs for your CAS.
Faisal