L3 Deployment OOB Virtual Gateway

ralicaway
Level 1

Hi Faisal,

Good day! I would like to ask about the L3 deployment approach using OOB Virtual Gateway. What I did was enable L3 support and apply static routes. When I tried to connect a client workstation, I cannot get an IP address. The Cisco switch that I'm using at the remote site was already discovered in the devices in NAC. When I check the ports, they change to authentication VLAN 100 but cannot pass through. The IP block for the site is 10.19.x.x. Do I have to put a managed subnet and VLAN mapping? But from what I've read in the manual there is no need to configure the managed subnet; instead a static route needs to be applied.

For the L2 deployment OOB Virtual Gateway it's working now; the IP block I'm using is 10.1.x.x. I want to add the L3 deployment for the remote sites also, for the users to authenticate through the NAC. I'm thinking of applying 2 approaches for the NAC: one L2 deployment for the main site and an L3 deployment for the remote site. Faisal, am I doing it correctly? Please let me know what I should apply for it and see the attachment. Thanks.

Richard


13 Replies

Faisal Sehbai
Level 7

Richard,

I don't think this will work. You're using VGW and trying to NAC subnets L3 hops away. In VGW CAS is acting as a bridge. How are you going to extend your VLAN tags from multiple hops away to the untrusted interface of the CAS?

Almost always we see customers who have a need for NAC L3 hop away subnets use RIP since it is easier to segregate and force the unauthenticated traffic to the untrusted side of the CAS.

HTH,

Faisal

ralicaway
Level 1

Thanks dude, I'll try to figure out the Real-IP gateway mode. That's what I'm also thinking; anyway, thanks for your information. I will contact you once there is an issue on that one.

Richard

Hi Faisal,

I changed the server type from OOB Virtual GW to OOB RIP. The thing is the client cannot get an IP address from the Windows DHCP server though I put the DHCP type in the CAS as DHCP relay. The DHCP relay is pointing to the address of the DHCP server. Is there anything I need to add in the configuration? Do I also have to add a managed subnet for the authentication VLAN? Please let me know. Thanks.

Richard

Richard,

Okay. How is traffic getting to the CAS from your unauthenticated subnets? You said they're L3 hops away, so how are you forcing them to the CAS?

Generally in L3 setups like these you do DHCP locally (on the switch perhaps) and then when the clients initiate traffic, you can force that to the CAS untrusted side to force authentication/posture.

Faisal

I have set up a Windows DHCP server locally in the network that is L3 hops away. Basically the network from the main site (where the NAC is installed) and the remote site are already connected and talking because of the static route. The remote site has always had a DHCP server locally where the clients get IP addresses. Also I created the DHCP scope for the authentication VLAN as I saw in the manual, though in the example they're using an L3 switch. I configured the static route in the CAS. What else do I need in the configuration?

In the OOB Virtual Gateway there is no problem using the Windows DHCP server, but the thing is it cannot do L3 hops away; it is just in the main site. That's why I changed to OOB RIP. Please see the attachment.

Hi Faisal,

I can now acquire an IP address from the authentication VLAN that I made in the DHCP server, but the issue is it doesn't remediate and go to posture assessment. When I open the IE browser it goes directly to the internet. I have the static route for the L3 OOB RIP. I want it to be redirected to the NAC untrusted network to ask for a login account and go to remediation. Can you please tell me what should be added to the configuration? Thanks.

Richard

Richard,

That's the thing. You need to force the traffic from that subnet to go to the CAS's untrusted interface. You can do that by using PBRs or using the ACL method.

Both are talked about in this chalk-talk series in the third chalk-talk. Look at slides 54 onwards.

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

HTH,

Faisal

Hi Faisal,

I cannot find this presentation file: prod_presentation0900aecd80549168. Is there any other way to get that file? Thanks....

Richard,

I'll post those here shortly.

Thanks

Faisal

Faisal,

I am able to authenticate and go to posture assessment, but when I check the IP address it is still in the authentication VLAN. It doesn't change to the access VLAN. I applied the ACLs in the router. I have the port profile defining the auth and access VLAN too. What else do I have to configure in the NAC or router in order to switch from the auth to the access VLAN after remediation? Thanks.

Richard

Richard,

Here's the document I was mentioning: https://supportforums.cisco.com/docs/DOC-12822

Faisal

Thanks Faisal, the ACL works for me. The only thing I cannot force to pop up is the NAC Agent; it seems something is blocking it, and I don't have any idea what it is. But the Web Agent works fine, only scanning based on the requirement, so I have to manually satisfy the requirement, but no remediation happens. If you could tell me what is blocking the NAC Agent, why it is not popping up after being installed, and why it doesn't ask for login either. Thanks for the help.

Richard,

In the ACL method, you have to originate traffic towards the CAS's untrusted interface, because you're allowing traffic to the CAS's untrusted interface but you're not *forcing* it (as is the case with PBRs). So go to the IP address of the CAS from your unauth subnet, and it should redirect and ask you to authenticate. Once authenticated, CAM should switch the port to your Access VLAN and you should have unfettered access to your network then.

HTH,

Faisal
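As an added illustration of the two enforcement options Faisal contrasts above (this is not configuration from the thread or from Cisco's documentation), here is a hypothetical IOS fragment with placeholder addresses. The assumptions are: 10.19.100.0/24 is the remote site's authentication VLAN 100, 10.19.0.10 is the remote site's local Windows DHCP/DNS server, 10.1.0.5 is the CAS untrusted interface at the main site, and GigabitEthernet0/1 is the main-site router's WAN-facing interface.

```cisco
! Placeholder addresses (assumed, not from the thread):
!   10.19.100.0/24  remote-site authentication VLAN 100 (unauthenticated hosts)
!   10.19.0.10      remote-site Windows DHCP/DNS server
!   10.1.0.5        CAS untrusted interface (main site, L3 hops away)
!
! --- Option 1: ACL method, applied at the remote-site L3 switch/router ---
! Unauthenticated hosts may only reach DHCP, DNS and the CAS untrusted side;
! everything else is dropped. Nothing pushes them to the CAS, so the user
! must browse to the CAS address before the login page appears.
ip access-list extended AUTH-VLAN-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.19.100.0 0.0.0.255 host 10.19.0.10 eq domain
 permit ip 10.19.100.0 0.0.0.255 host 10.1.0.5
 deny   ip any any
!
interface Vlan100
 description NAC authentication VLAN (remote site)
 ip address 10.19.100.1 255.255.255.0
 ip helper-address 10.19.0.10
 ip access-group AUTH-VLAN-IN in
!
! --- Option 2: PBR method, applied at the main-site router ---
! "set ip next-hop" needs a directly connected next hop, so the route-map
! goes on the router adjacent to the CAS untrusted interface, on the
! interface that receives traffic arriving from the remote site. Any flow
! sourced from the auth VLAN is forced to the CAS, which sees the first
! web request and redirects it to the login page.
ip access-list extended AUTH-VLAN-TO-CAS
 permit ip 10.19.100.0 0.0.0.255 any
!
route-map FORCE-TO-CAS permit 10
 match ip address AUTH-VLAN-TO-CAS
 set ip next-hop 10.1.0.5
!
interface GigabitEthernet0/1
 description link towards remote site
 ip policy route-map FORCE-TO-CAS
```

Once the port is moved to the access VLAN after authentication, its traffic no longer matches the auth-VLAN source range, so neither the ACL nor the route-map applies to it.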
