NAC - wanna test the basic setup - does not work !!!!

game123
Level 1

SCENARIO:

· I have a simple NAC setup with 1 NAC MGR "CAM" and 1 NAC SRVR "CAS".
· My users are running network 192.168.10.x/24, and I want to implement in L2 VG mode. Both NAC MGR and NAC SRVR can ping each other.
· CAM VLAN 55 = 192.168.55.x/24, and CAS VLAN 66 = 192.168.66.x/24.
· NAC MGR "CAM" has only 1 cable going to the core switch and NAC SRVR has 2 cables going to the core switch (one is the trusted trunk end and another is the untrusted trunk end). Created two VLANs, 999 and 998, and put each of them on each link as the blackhole prevention mechanism described in the Cisco docs.
· I have a Windows 2008 DHCP server which is giving the pool of IPs for users from 192.168.10.x/24, and it is working fine. Routing in the core switch is also OK.
· I have SSH and web access to both CAM and CAS boxes. They are also updating online smoothly.
· From the GUI, I have created the AV rules also, and CAM shows CAS as connected as well !!!! My version is 4.1.8 (upgraded from 4.1.3).

INT VLAN 10 (USER VLAN) SVI is on core switch = 192.168.10.254/24
INT VLAN 55 (MGMT) SVI is on core switch = 192.168.55.254/24
INT VLAN 66 (MGMT) SVI is on core switch = 192.168.66.254/24

PROBLEM:

1. I am not able to download or get the NAC client software MSI or stub file or ActiveX prompt to download ....
2. I don't know how to start troubleshooting at this stage. Please note that my client PC is a Windows XP machine and the port is already configured to VLAN 100.

I have 1 CORE switch only and my NAC boxes and client are connected to the same CORE switch.

3 Replies

Faisal Sehbai
Level 7

Hello,

What's your untrusted vlan, and do you have the vlan mapping set in the CAS yet?

Faisal

VLAN mapping is done in the CAM; I didn't find any field in the CAS...

Also, I am copying the switch port configs... (a simple logical connectivity diagram was also attached to this discussion already)

VLANS DATABASE
==============
vlan 10
 name AuthVLAN
vlan 11
 name TEST_VLAN_USER
vlan 55
 name NAM_mgmt
vlan 998
 name DummyVLAN998
vlan 999
 name DummyVLAN999

*** Only SVI is VLAN 10 with network = 192.168.11.x/24, there is no SVI for VLAN 11 ***

Following ports are configured as follows :-
============================================
interface GigabitEthernet2/9
 description ** NAS's untrusted interface **
 switchport
 switchport trunk native vlan 999
 switchport trunk allowed vlan 11
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2/10
 description **** NAS Mgmt interface IP 192.168.66.1 *****
 switchport
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,66
 switchport mode trunk
 no ip address
!
interface GigabitEthernet2/11
 description *** Test User Acess Port ***
 switchport
 switchport access vlan 11
 switchport mode access
 no ip address
!
interface GigabitEthernet2/12
 description ***** Connected to Eth0 NAM on IP 192.168.55.1 ***
 switchport
 switchport access vlan 55
 switchport mode access
 no ip address
 spanning-tree portfast
 spanning-tree bpduguard enable

*** FROM THIS core switch I can ping 192.168.66.1 and also 192.168.55.1 with comfort ***

** Please note that actual IPs are 192.168.x.y  and not 10.10.x.y respectively
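The wiring described in the original post (two CAS trunks with dummy native VLANs as blackhole prevention, one user access port, and an untrusted-to-trusted VLAN mapping done on the CAM) has a handful of switch-side consistency rules that are easy to check mechanically before digging into the CAS itself. The script below is an added example, not code from the poster, from Cisco or from this thread; it embeds the port configuration posted above as its sample input and assumes that Gi2/9 is the untrusted trunk, Gi2/10 the trusted trunk, Gi2/11 the user port, and that the CAM mapping is VLAN 11 (untrusted) to VLAN 10 (trusted), since the thread does not show the mapping itself.

```python
"""Switch-side consistency checks for a Cisco NAC (Clean Access) L2 Virtual
Gateway deployment: the CAS untrusted/trusted trunks must not share a VLAN,
the dummy native VLANs must stay dummies, the user port's VLAN must reach the
untrusted trunk, and each CAM mapping must be carried by the right trunk.

Sample input is the port configuration posted in the thread; the port roles
and the 11 -> 10 mapping are assumptions, not something the thread shows."""

import re

# Constructed from the posted configuration (only the lines the checks use).
POSTED_CONFIG = """
interface GigabitEthernet2/9
 description ** NAS's untrusted interface **
 switchport trunk native vlan 999
 switchport trunk allowed vlan 11
 switchport mode trunk
!
interface GigabitEthernet2/10
 description **** NAS Mgmt interface IP 192.168.66.1 *****
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,66
 switchport mode trunk
!
interface GigabitEthernet2/11
 description *** Test User Acess Port ***
 switchport access vlan 11
 switchport mode access
!
"""


def expand_vlans(spec):
    """Turn an IOS VLAN list such as '10,66' or '11-13,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(text):
    """Parse 'interface ...' blocks into {name: {mode, access, native, allowed}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"interface (\S+)", line)):
            current = {"mode": None, "access": None, "native": None, "allowed": set()}
            ifaces[m.group(1)] = current
        elif current is None or line == "!":
            continue
        elif (m := re.match(r"switchport mode (\w+)", line)):
            current["mode"] = m.group(1)
        elif (m := re.match(r"switchport access vlan (\d+)", line)):
            current["access"] = int(m.group(1))
        elif (m := re.match(r"switchport trunk native vlan (\d+)", line)):
            current["native"] = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)", line)):
            current["allowed"] = expand_vlans(m.group(1))
    return ifaces


def check_vg_wiring(ifaces, untrusted, trusted, user_port, mapping):
    """Return a list of human-readable findings; an empty list means consistent."""
    u, t, user = ifaces[untrusted], ifaces[trusted], ifaces[user_port]
    findings = []
    for name, port in ((untrusted, u), (trusted, t)):
        if port["mode"] != "trunk":
            findings.append(f"{name}: CAS link must be a trunk, found mode {port['mode']}")
        # The native VLAN exists only to keep untagged frames out of the CAS path.
        if port["native"] in (u["allowed"] | t["allowed"]):
            findings.append(f"{name}: native VLAN {port['native']} is also carried on a CAS trunk; use a dummy VLAN")
    shared = u["allowed"] & t["allowed"]
    if shared:
        findings.append(f"VLAN(s) {sorted(shared)} allowed on both CAS trunks: the switch bridges around the CAS (loop/blackhole risk)")
    if u["native"] == t["native"]:
        findings.append(f"both CAS trunks use native VLAN {u['native']}; give each trunk its own dummy VLAN")
    if user["mode"] != "access" or user["access"] not in u["allowed"]:
        findings.append(f"{user_port}: user VLAN {user['access']} is not carried on untrusted trunk {untrusted}")
    for src, dst in mapping.items():
        if src not in u["allowed"]:
            findings.append(f"mapping {src}->{dst}: VLAN {src} not allowed on untrusted trunk {untrusted}")
        if dst not in t["allowed"]:
            findings.append(f"mapping {src}->{dst}: VLAN {dst} not allowed on trusted trunk {trusted}")
    return findings


def audit(config_text=POSTED_CONFIG, mapping=None):
    """Run the checks with the port roles assumed for the posted topology."""
    mapping = {11: 10} if mapping is None else mapping
    return check_vg_wiring(parse_interfaces(config_text),
                           "GigabitEthernet2/9", "GigabitEthernet2/10",
                           "GigabitEthernet2/11", mapping)


if __name__ == "__main__":
    for finding in audit() or ["switch-side VG wiring is consistent"]:
        print(finding)
```

Against the posted configuration the audit reports nothing, which narrows the problem to the CAS/CAM side (the mapping itself, or the client's port being in a VLAN other than the one the untrusted trunk carries, as the original post's mention of VLAN 100 suggests). Swapping the trusted trunk's allowed list to `10,11,66` makes the script flag VLAN 11 as bridged around the CAS, which is exactly the blackhole the dummy-VLAN scheme is meant to avoid.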

Click on CCA Servers, Manage my server, and post the screen shots of all tabs for your CAS.

Faisal
