CAS managed subnet and vlan mapping

ralicaway
Level 1

Hi to All,

I would like to ask for some help with my NAC appliance. Currently I'm setting up the NAC appliance. I'm just having trouble with what IP address I should use for the managed subnet. I have set up the trusted VLAN as it exists in our network, but what about the untrusted VLAN? Should I make new IP addresses for it and put them in the untrusted VLAN? I don't know if I made it correctly, but I cannot get an IP address every time I change the switchport to the port profile I made. Please, can you guys help me? I just need to know it for my project. Thanks.


9 Replies

Faisal Sehbai
Level 7

Richard,

This looks correct - assuming that 10.1.10 and 10.1.20 are the IP subnets associated with VLAN 10 and 20.

Do you have VLANs 100 and 200 trunked to your untrusted interface of your CAS?

Faisal

Yes, VLANs 100 and 200 are trunked to my L3 switch connected to the untrusted eth1 on the CAS. These VLANs 100 and 200 serve as the authentication VLANs. With this setup the workstation cannot acquire an IP address from the DHCP server (Windows server). And from the Ports Management page of the CAS, it is showing that access VLAN 10 of the switch (where the workstation is connected) was changed to authentication VLAN 100.

Faisal, can you please give me more info about how the authentication VLAN works and where the unauthenticated users get an IP address during the time they are not yet mapped to the trusted VLANs? Thanks.

Richard,

For DHCP to work you need the managed subnets (which you have), VLAN mapping (which you have) and absolutely no L3 SVIs for your unauthenticated VLANs, so make sure that on all your L3 devices there are no VLAN interfaces for VLAN 100 or 200. Then make sure that the VLAN 100/200 are trunked to the untrusted interface, and VLAN 10/20 are trunked to the trusted interface of the CAS.

If you haven't rebooted your CAS after making these managed subnet and/or VLAN mapping changes, suggest you reboot it too, and then test.

HTH,

Faisal
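To check the three conditions in this reply against a switch configuration, an added example that is not part of the original thread and not Cisco's own tooling: it parses a constructed IOS-style running-config and reports any L3 SVI on the untrusted VLANs and any trunk to the CAS that does not carry the mapped VLANs. The interface names, addresses and the 10 to 100 / 20 to 200 mapping are assumed for illustration.

```python
import re
# Constructed IOS-style config excerpt (not from the thread): untrusted VLAN 100
# wrongly has an L3 SVI, and VLAN 200 is missing from the trunk to CAS eth1.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,20
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 100
"""
VLAN_MAP = {10: 100, 20: 200}  # trusted VLAN -> untrusted (authentication) VLAN


def parse_interfaces(config):
    """Map each 'interface X' name to its indented configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def allowed_vlans(lines):
    """Expand 'switchport trunk allowed vlan 10,20,100-200' into a set of ints."""
    vlans = set()
    for m in re.finditer(r"switchport trunk allowed vlan (?:add )?(\S+)", "\n".join(lines)):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_cas_config(config, vlan_map, trusted_if, untrusted_if):
    """Return findings for the three conditions in the reply; [] means all hold."""
    ifs, findings = parse_interfaces(config), []
    for vlan in vlan_map.values():  # 1. no L3 SVI on any untrusted VLAN
        if any(l.startswith("ip address") for l in ifs.get(f"Vlan{vlan}", [])):
            findings.append(f"L3 SVI configured for untrusted VLAN {vlan}")
    # 2./3. trusted trunk must carry 10/20, untrusted trunk must carry 100/200
    for name, wanted in ((trusted_if, set(vlan_map)), (untrusted_if, set(vlan_map.values()))):
        missing = wanted - allowed_vlans(ifs.get(name, []))
        if missing:
            findings.append(f"{name} trunk does not carry VLANs {sorted(missing)}")
    return findings
```

Run it against `show running-config` output saved to a file; an empty list means the DHCP path described above is at least not blocked by an SVI or a trunk omission.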

Faisal, that is correct. The workstation can now get an IP address from the DHCP server although it has an authentication VLAN from the CAS.

One thing more: how can I know that the port profile is being applied to the switchport? Basically, I did not allow the traffic from the user role that I made for testing. I'm expecting that after I get an IP address from the DHCP server it will go for posture assessment or block the traffic. What happens is I am able to access the internet from the network and it doesn't require any web login or agent login, although I enabled it from the device management. Can you please tell me how it works? Please see the attachment. Thanks.

Richard,

If it's able to get to the internet in the unauthenticated role, then it's bypassing the CAS somehow. Some things to check in that situation would be whether you have L3 SVIs for your untrusted VLANs anywhere, since the traffic could be taking that path. Also please check your CAS specific traffic policies to see if you have them allowed there by chance. You can view those by going to CCA Servers -> Manage -> Filter -> Roles. Also using the Block All at the top is sort of redundant since the default policy in the unauthenticated role is to allow DNS only and block all traffic.

HTH,

Faisal

Hi Faisal,

Good day.

I don't have any interface VLAN for the authentication VLAN in the untrusted network. But I have the authentication VLAN in the VLAN database of the switch and allowed it on the switchport trunk. What I also noticed is that I opened all the ports in the traffic policies; that's why in the unauthenticated role the workstation could access the internet. When I limit the traffic it redirects to the domain, but it still cannot pass to the web login agent, although I created a local account on the CAM. Can you please tell me what port I should put in the traffic policies for the unauthenticated role? Is there something wrong with the IP address that I'm using or the certificate (Full domain name or IP: MOD.local ---> should it be the IP address?)? Thanks again, you're a great help.

Richard,

Can you confirm whether your certificates are issued to DNS names or IP addresses? If names, can the CAS and CAM resolve each others names? Can the client resolve these names?

Faisal

It's the service IP address of the CAM eth0 that I used for generating the certificates. The same with the CAS: the service IP address of the trusted network was used for the certificates. The CAM is able to add the CAS from the device management.

I tested it again after I generated a new certificate for both the CAM and CAS; now the error is "invalid provider name" when I open the browser, though I created a local user for testing and allowed ports 80 and 443 in the traffic control. Is there any other problem with the configuration of the certificates or traffic control? Thanks, Faisal.

Richard,

Please post the screen shots of your Auth servers, and your user pages.

Faisal
