NAC WLC OOB integration

Unanswered Question
Aug 26th, 2010

I am trying to get NAC integration with WLC working for wireless users in OOB and can't get it to work. I followed the directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered Client on the CAM only when I turn off 802.1X for Layer 2 security on the WLAN, but it still does not get switched to the Access VLAN, nor do I get a web login screen. The DHCP for wireless clients is provided by the WLC itself, so that traffic does not pass through the CAS. Am I doing anything wrong?

Faisal Sehbai Thu, 08/26/2010 - 11:03

Shaffeel,

Check your SNMP strings. There are two places to check: one for the sending of the traps, and one for the switching of the VLANs.

Also ensure that you have the latest OIDs by updating your CAM's Checks and Rules.

HTH,

Faisal

shaffeelAhmed Thu, 08/26/2010 - 11:29

I have checked that. But even before the SNMP set comes into the picture, shouldn't my traffic flow to the untrusted interface of the CAS and my IE page get redirected to the web login?

Faisal Sehbai Fri, 08/27/2010 - 12:25

Shaffeel,

You are correct. Since this is an L2-adjacent setup, can you verify that the CAS can see your client? If you go to your CAS SSH session and type this:

cat /proc/click/intern_arpq/table

do you see your client's IP address and MAC address in that table?

Can you ping your client from the CAS, if you do see the entry in the ARP table?

Faisal
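
The L2 check Faisal describes, written up as an added example (this is not code from the thread or from Cisco): a small POSIX shell script that looks the client up in the CAS click ARP table and then pings it, so the two questions above get answered in one run. It assumes the /proc/click/intern_arpq/table output has the IP in the first whitespace-separated field and the MAC in the second (an assumption about the format; adjust the awk field numbers if your CAS prints it differently), the three sample lines are constructed for offline use when the file is absent, and `ping -W` is the Linux iputils form used on the CAS.

```shell
#!/bin/sh
# Added example, not from the thread: does the CAS see the client at L2, and
# can it reach it at L3?  Usage: sh cas_client_check.sh <client-ip>
# ASSUMPTION: /proc/click/intern_arpq/table lists one entry per line,
# first field = IP, second field = MAC.  Adjust $1/$2 below if not.

ARPQ_TABLE=/proc/click/intern_arpq/table

# Constructed sample in the assumed format; used only when the real file
# is not readable (e.g. running this somewhere other than the CAS).
SAMPLE_TABLE='10.8.17.169 00:1a:2b:3c:4d:5e 1
10.8.17.152 00:1a:2b:3c:4d:5f 1
10.8.21.1 00:0c:29:aa:bb:cc 1'

# find_client_mac TABLE_TEXT IP -> prints the MAC for IP; exit 1 if absent
find_client_mac() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == ip { print tolower($2); found = 1 } END { exit !found }'
}

# client_reachable IP -> 0 if one ICMP echo is answered within 2 s
# (-W is the Linux iputils timeout flag; BSD ping differs)
client_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# check_client IP -> reports ARP presence and ping result; 0 only if both pass
check_client() {
    ip=$1
    if [ -r "$ARPQ_TABLE" ]; then
        table=$(cat "$ARPQ_TABLE")
    else
        table=$SAMPLE_TABLE
    fi
    if mac=$(find_client_mac "$table" "$ip"); then
        echo "ARP:  $ip -> $mac (CAS sees the client on the untrusted side)"
    else
        echo "ARP:  no entry for $ip (client frames are not reaching the untrusted interface)"
        return 1
    fi
    if client_reachable "$ip"; then
        echo "PING: $ip answers"
    else
        echo "PING: $ip does not answer (check the managed subnet / route and the client firewall)"
        return 1
    fi
}

if [ $# -eq 1 ]; then
    check_client "$1"
fi
```

If the ARP line is there but ping fails, the problem is above L2 (routing on the CAS, or a host firewall on the client dropping ICMP); if the ARP line is missing, no client traffic is arriving on the untrusted interface at all, and the quarantine VLAN mapping between the WLC and the CAS is the first thing to re-check.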

shaffeelAhmed Mon, 08/30/2010 - 11:53

Faisal

I do see the wireless client in the ARP table but cannot ping it. Do I need to add a static route? The Managed Subnet should suffice, right?

Thanks

Shaffeel

Faisal Sehbai Wed, 09/01/2010 - 03:41

Shaffeel,

Yes, the MS should do it. So if you see it in the arpq, what is the behaviour on the client? Do you have an agent on that machine? If so, is the discovery host populated with an IP address living on your trusted network?

If not, can you try and browse to, say, the IP address of the CAM?

Faisal

shaffeelAhmed Wed, 09/01/2010 - 05:09

Faisal

I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP, as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue, as the Guest subnet correctly points to the untrusted interface with no GW, and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC Guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just an L2 VLAN on the core switch.

10.8.21.11/32           -               0 0
10.8.21.1/32            -               1 0
10.8.21.0/24            -               2 0
0.0.0.0/0               10.8.21.1       1 0
10.8.17.0/24            -               2 8
10.8.15.0/24            -               2 8
172.16.8.0/24           -               2 8
10.8.21.10/32           -               0 2
10.8.17.169/32          10.8.21.1       1 0
10.8.17.152/32          10.8.21.1       1 0
10.8.17.182/32          10.8.21.1       1 0
10.8.17.128/32          10.8.21.1       1 0
10.8.17.119/32          10.8.21.1       1 0
10.8.17.137/32          10.8.21.1       1 0
10.8.17.188/32          10.8.21.1       1 0
10.8.17.200/32          10.8.21.1       1 0
10.8.17.165/32          10.8.21.1       1 0
10.8.17.124/32          10.8.21.1       1 0
10.8.17.113/32          10.8.21.1       1 0
10.8.17.197/32          10.8.21.1       1 0
10.8.17.206/32          10.8.21.1       1 0

Thanks

Shaffeel
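
To make the "do I need a static route?" question above checkable rather than eyeballed, here is an added example (not code from the thread or from Cisco) that does a longest-prefix lookup of a client IP against a routing table pasted in the form shown in the post. It assumes the first column is the destination prefix and the second is the next hop, with "-" meaning directly connected; the last two columns are not interpreted. The table constant is an abbreviated copy of the posted one, used as constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread: which route on the CAS carries a
# given client IP?  Usage: sh cas_route_lookup.sh <client-ip>
# ASSUMPTION: column 1 = destination/prefix, column 2 = next hop ("-" means
# directly connected).  Columns 3 and 4 of the posted table are ignored.

# Abbreviated copy of the routing table from the post (constructed test data).
ROUTE_TABLE='10.8.21.11/32           -               0 0
10.8.21.1/32            -               1 0
10.8.21.0/24            -               2 0
0.0.0.0/0               10.8.21.1       1 0
10.8.17.0/24            -               2 8
10.8.15.0/24            -               2 8
172.16.8.0/24           -               2 8
10.8.21.10/32           -               0 2
10.8.17.169/32          10.8.21.1       1 0
10.8.17.152/32          10.8.21.1       1 0'

# route_for IP TABLE_TEXT -> prints "destination gateway" for the longest
# matching prefix; exit 1 if nothing (not even a default route) matches.
route_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '
    # dotted quad -> 32-bit number (awk doubles hold this exactly)
    function ip2n(a,    p) { split(a, p, "[.]"); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # true when x and y agree in their top len bits; division avoids
    # non-POSIX bitwise operators
    function same_prefix(x, y, len) { return int(x / 2^(32 - len)) == int(y / 2^(32 - len)) }
    BEGIN { best = -1; target = ip2n(ip) }
    NF >= 2 {
        n = split($1, d, "/"); len = (n == 2) ? d[2] + 0 : 32
        if (same_prefix(target, ip2n(d[1]), len) && len > best) { best = len; dest = $1; gw = $2 }
    }
    END { if (best < 0) exit 1; print dest, gw }'
}

# path_kind IP TABLE_TEXT -> "connected", "via <gw>" or "unroutable"
path_kind() {
    if r=$(route_for "$1" "$2"); then
        gw=${r#* }
        if [ "$gw" = "-" ]; then echo "connected"; else echo "via $gw"; fi
    else
        echo "unroutable"
    fi
}

if [ $# -eq 1 ]; then
    echo "$1: $(route_for "$1" "$ROUTE_TABLE" || echo 'no route') ($(path_kind "$1" "$ROUTE_TABLE"))"
fi
```

For a quarantine-VLAN client in 172.16.8.0/24 the lookup lands on the connected `172.16.8.0/24 -` entry, i.e. the managed subnet already covers it and no static route is involved; a per-host /32 entry with a gateway (as with the 10.8.17.x hosts) wins over the /24 because it is the longer prefix, which is worth knowing when a single client behaves differently from its neighbours.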
