Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable L3 support and apply static routes. When I tried to connect a client workstation, I could not get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports, they change to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to put in a managed subnet and VLAN mapping? But from what I've read in the manual, there is no need to configure the managed subnet; instead, a static route needs to be applied.
For the L2 deployment with OOB Virtual Gateway, it's working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites as well, so the users there can authenticate through the NAC. I'm thinking of applying two approaches for the NAC: L2 deployment for the main site and L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what I should apply for it, and see the attachment. Thanks.
That's the thing. You need to force the traffic from that subnet to go to the CAS's untrusted interface. You can do that by using PBRs or using the ACL method.
Both are talked about in this chalk-talk series in the third chalk-talk. Look at slides 54 onwards.
I don't think this will work. You're using VGW and trying to NAC subnets L3 hops away. In VGW CAS is acting as a bridge. How are you going to extend your VLAN tags from multiple hops away to the untrusted interface of the CAS?
Almost always we see customers who have a need for NAC L3 hop away subnets use RIP since it is easier to segregate and force the unauthenticated traffic to the untrusted side of the CAS.