CAS managed subnet and vlan mapping

Answered Question
Jul 26th, 2010

Hi to All,

I would like to ask for some help with my NAC appliance. Currently I'm setting up the NAC appliance. I'm just having trouble with what IP address I should use for the managed subnet. I have set up the trusted VLAN as it exists in our network, but what about the untrusted VLAN? Should I make new IP addresses for it and put them in the untrusted? I don't know if I made it correctly, but I cannot get an IP address every time I change the switchport to the port profile I made. Please, can you guys help me? I just need to know it for my project. Thanks.


Correct Answer
Faisal Sehbai Tue, 07/27/2010 - 05:01

Richard,

This looks correct - assuming that 10.1.10 and 10.1.20 are the IP subnets associated with VLAN 10 and 20.

Do you have VLANs 100 and 200 trunked to your untrusted interface of your CAS?

Faisal

ralicaway Tue, 07/27/2010 - 08:52

Yes, VLANs 100 and 200 are trunked to my L3 switch connected to the untrusted eth1 in the CAS. These VLANs 100 and 200 serve as authentication VLANs. With this setup the workstation cannot acquire an IP address from the DHCP server (Windows Server). And from the Ports Management page of the CAS, it is showing that the access VLAN 10 of the switch (where the workstation is connected) was changed to authentication VLAN 100.

Faisal, can you please give me more info about how the authentication VLAN works and where the unauthenticated users get an IP address during the time they are not yet mapped to the trusted VLANs? Thanks.

Correct Answer
Faisal Sehbai Tue, 07/27/2010 - 09:39

Richard,

For DHCP to work you need the managed subnets (which you have), VLAN mapping (which you have) and absolutely no L3 SVIs for your unauthenticated VLANs, so make sure that on all your L3 devices there are no VLAN interfaces for VLAN 100 or 200. Then make sure that VLANs 100/200 are trunked to the untrusted interface, and VLANs 10/20 are trunked to the trusted interface of the CAS.

If you haven't rebooted your CAS after making these managed subnet and/or VLAN mapping changes, I suggest you reboot it too, and then test.

HTH,

Faisal
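One way to check a switch config against the three conditions in the answer above (no L3 SVI on the authentication VLANs, authentication VLANs trunked to the CAS untrusted port, access VLANs trunked to the CAS trusted port). This is an added example, not code from the thread or from Cisco; the IOS config excerpt, the port names and the VLAN numbers are constructed assumptions.

```python
import re

# Constructed IOS running-config excerpt (not from the thread): VLAN 100/200 are the NAC
# authentication VLANs, 10/20 the access VLANs, Gi1/0/1 -> CAS eth0 (trusted), Gi1/0/2 -> CAS eth1 (untrusted).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 100
"""

def parse_interfaces(config):
    """Map each 'interface' name to the stripped lines of its stanza."""
    stanzas = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = block.strip().splitlines()
        if lines and lines[0].startswith("interface "):
            stanzas[lines[0].split()[1]] = [l.strip() for l in lines[1:]]
    return stanzas

def allowed_vlans(stanza):
    """Expand 'switchport trunk allowed vlan 10,20,100-200' (and 'add' lines) into a set of VLAN ids."""
    vlans = set()
    for line in stanza:
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)$", line)
        if m:  # 'all', 'none' and 'except' forms are not handled by this check
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_nac_vlans(config, auth_vlans, access_vlans, trusted_port, untrusted_port):
    """Return findings for each violated condition; an empty list means the layout matches the advice."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, lines in ifaces.items():  # 1. no L3 SVI with an address on an authentication VLAN
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and int(m.group(1)) in auth_vlans and any(l.startswith("ip address") for l in lines):
            findings.append(f"SVI {name} gives authentication VLAN {m.group(1)} an L3 path around the CAS")
    for v in sorted(auth_vlans - allowed_vlans(ifaces.get(untrusted_port, []))):  # 2. untrusted trunk
        findings.append(f"VLAN {v} is not trunked to untrusted port {untrusted_port}")
    for v in sorted(access_vlans - allowed_vlans(ifaces.get(trusted_port, []))):  # 3. trusted trunk
        findings.append(f"VLAN {v} is not trunked to trusted port {trusted_port}")
    return findings
```

Run against the constructed config it flags the stray SVI on VLAN 100 and the missing VLAN 200 on the untrusted trunk; a config that passes returns an empty list.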

ralicaway Tue, 07/27/2010 - 23:26

Faisal, that is correct. The workstation can now get an IP address from the DHCP server although it has an authentication VLAN from the CAS.

One more thing: how can I know that the port profile is being applied to the switchport? Basically I did not allow the traffic from the user role that I made for testing. I'm expecting that after I get an IP address from the DHCP server it will go for posture assessment or block the traffic. What happens is I am able to access the internet from the network and it doesn't require any web login or agent login, although I enabled it from the device management. Can you please tell me how it works? Please see attachment. Thanks.

Faisal Sehbai Wed, 07/28/2010 - 21:20

Richard,

If it's able to get to the internet in the unauthenticated role, then it's bypassing the CAS somehow. Some things to check in that situation would be whether you have L3 SVIs for your untrusted VLANs anywhere, since the traffic could be taking that path. Also please check your CAS specific traffic policies to see if you have them allowed there by chance. You can view those by going to CCA Servers -> Manage -> Filter -> Roles. Also using the Block All at the top is sort of redundant since the default policy in the unauthenticated role is to allow DNS only and block all traffic.

HTH,

Faisal

ralicaway Thu, 07/29/2010 - 03:34

Hi Faisal,

Good day.

I don't have any interface VLAN for the authentication in the untrusted. But I have the authentication VLAN in the VLAN database of the switch and allowed it on the switchport trunk. What I noticed also is that I opened all the ports in the traffic policies; that's why in the unauthenticated role the workstation could access the internet. When I limit the traffic it redirects to the domain, but it still cannot pass to the web login agent, although I created an account in the local of the CAM. Can you please tell me what port I should put in the traffic policies for the unauthenticated role? Is there something wrong with the IP address that I'm using or the certificate (Full domain name or IP: MOD.local ---> should it be the IP address?)? Thanks again, you're a great help.

Faisal Sehbai Fri, 07/30/2010 - 23:27

Richard,

Can you confirm whether your certificates are issued to DNS names or IP addresses? If names, can the CAS and CAM resolve each others names? Can the client resolve these names?

Faisal

ralicaway Sat, 07/31/2010 - 23:10

It's the service IP address of the CAM eth0 that I used for generating the certificates. The same with the CAS: the service IP address of the trusted network was used for the certificates. The CAM is able to add the CAS from the device management.

I tested it again after I generated a new certificate for both the CAM and CAS; now the error is "invalid provider name" when I open the browser, though I created a local user for testing and allowed ports 80 and 443 in the traffic control. Is there any other problem with the configuration of the certificates or traffic control? Thanks Faisal.

Faisal Sehbai Tue, 08/03/2010 - 10:15

Richard,

Please post the screen shots of your Auth servers, and your user pages.

Faisal
