08-26-2010 10:27 AM - edited 02-21-2020 04:03 AM
I am trying to get NAC integration with WLC working for wireless users in OOB and can't get it to work. I followed directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered client on the CAM only when I turn off 802.1x for layer 2 security on the WLAN, but still it does not get switched to the Access VLAN, nor do I get a web login screen. The DHCP for wireless clients is provided by the WLC itself, so that traffic does not pass through the CAS. Am I doing anything wrong?
08-26-2010 11:03 AM
Shaffeel,
Check your SNMP strings. There are two places to check. One for the sending of the traps, and one for the switching of the VLANs.
Also ensure that you have the latest OIDs by updating your CAM's Checks and Rules.
HTH,
Faisal
08-26-2010 11:29 AM
I have checked that. But even before the SNMP set comes into the picture, shouldn't my traffic flow to the untrusted interface of the CAS and my IE page get redirected to the web login?
08-27-2010 12:25 PM
Shaffeel,
You are correct. Since this is a L2 adjacent setup, can you verify that the CAS can see your client? If you go to your CAS SSH session, and type this:
cat /proc/click/intern_arpq/table
do you see your client's IP address and MAC address in that table?
Can you ping your client from the CAS, if you do see the entry in the ARP table?
Faisal
08-30-2010 11:53 AM
Faisal
I do see the wireless client in the ARP table but cannot ping it. Do I need to add a static route? The Managed Subnet should suffice, right?
Thanks
Shaffeel
09-01-2010 03:41 AM
Shaffeel,
Yes the MS should do it. So if you see it in the arpq, what is the behaviour on the client? Do you have an agent on that machine? If so, is the discovery host populated with an IP address living on your trusted network?
If not, can you try and browse to say the IP address of the CAM?
Faisal
09-01-2010 05:09 AM
Faisal
I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP, as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue, as the Guest subnet correctly points to the untrusted interface with no GW and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC Guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just a L2 VLAN on the core switch.
10.8.21.11/32 - 0 0
10.8.21.1/32 - 1 0
10.8.21.0/24 - 2 0
0.0.0.0/0 10.8.21.1 1 0
10.8.17.0/24 - 2 8
10.8.15.0/24 - 2 8
172.16.8.0/24 - 2 8
10.8.21.10/32 - 0 2
10.8.17.169/32 10.8.21.1 1 0
10.8.17.152/32 10.8.21.1 1 0
10.8.17.182/32 10.8.21.1 1 0
10.8.17.128/32 10.8.21.1 1 0
10.8.17.119/32 10.8.21.1 1 0
10.8.17.137/32 10.8.21.1 1 0
10.8.17.188/32 10.8.21.1 1 0
10.8.17.200/32 10.8.21.1 1 0
10.8.17.165/32 10.8.21.1 1 0
10.8.17.124/32 10.8.21.1 1 0
10.8.17.113/32 10.8.21.1 1 0
10.8.17.197/32 10.8.21.1 1 0
10.8.17.206/32 10.8.21.1 1 0
Thanks
Shaffeel
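The routing-table check Shaffeel describes above (does the guest subnet resolve to the untrusted interface with no gateway?) is a longest-prefix-match lookup, and the posted table can be run through one directly. The script below is an added example, not part of the original thread or of Cisco's CAS software; it embeds the table exactly as posted and assumes the four columns are destination, gateway ("-" for none), interface index and flags, which is an assumption about the output format rather than something the thread states. It also shows a detail the raw dump hides: the /32 host routes for 10.8.17.x hosts override the 10.8.17.0/24 entry and send those specific hosts via the 10.8.21.1 gateway instead of the interface-2 path.

```python
import ipaddress

# Routing table as posted in the thread. Column meaning (destination, gateway,
# interface index, flags) is an assumption for this example, not from the post.
CAS_ROUTES_TEXT = """
10.8.21.11/32 - 0 0
10.8.21.1/32 - 1 0
10.8.21.0/24 - 2 0
0.0.0.0/0 10.8.21.1 1 0
10.8.17.0/24 - 2 8
10.8.15.0/24 - 2 8
172.16.8.0/24 - 2 8
10.8.21.10/32 - 0 2
10.8.17.169/32 10.8.21.1 1 0
10.8.17.152/32 10.8.21.1 1 0
10.8.17.182/32 10.8.21.1 1 0
10.8.17.128/32 10.8.21.1 1 0
10.8.17.119/32 10.8.21.1 1 0
10.8.17.137/32 10.8.21.1 1 0
10.8.17.188/32 10.8.21.1 1 0
10.8.17.200/32 10.8.21.1 1 0
10.8.17.165/32 10.8.21.1 1 0
10.8.17.124/32 10.8.21.1 1 0
10.8.17.113/32 10.8.21.1 1 0
10.8.17.197/32 10.8.21.1 1 0
10.8.17.206/32 10.8.21.1 1 0
"""


def parse_routes(text):
    """Parse 'dest gateway iface flags' lines into a list of route tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, iface, flags = line.split()
        routes.append((
            ipaddress.ip_network(dest),
            None if gw == "-" else ipaddress.ip_address(gw),
            int(iface),
            int(flags),
        ))
    return routes


CAS_ROUTES = parse_routes(CAS_ROUTES_TEXT)


def route_for(routes, ip):
    """Longest-prefix match: return (network, gateway-or-None, iface) for ip,
    or None when no entry (not even a default route) covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, iface, _flags in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return (str(net), None if gw is None else str(gw), iface)


def explain(routes, ip):
    """Human-readable version of the lookup, for use from an SSH session."""
    hit = route_for(routes, ip)
    if hit is None:
        return f"{ip}: no route"
    net, gw, iface = hit
    via = "directly (no gateway)" if gw is None else f"via gateway {gw}"
    return f"{ip}: matches {net}, sent out interface {iface} {via}"


if __name__ == "__main__":
    # Sample client addresses are constructed for this example.
    for sample in ("172.16.8.50", "10.8.17.50", "10.8.17.169", "8.8.8.8"):
        print(explain(CAS_ROUTES, sample))
```

Running it prints that a guest client such as 172.16.8.50 matches 172.16.8.0/24 on interface 2 with no gateway, which is the behaviour the post expects, while 10.8.17.169 is caught by its /32 entry and routed via 10.8.21.1 on interface 1 even though 10.8.17.0/24 as a whole is on interface 2. When ping from the CAS fails despite a correct routing entry, the remaining suspects are the L2 path itself (the VLAN 201 mapping between WLC, switch and the CAS untrusted port) rather than the CAS routing table.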