NAC L2 OOB VG Design for wired

Answered Question
Aug 28th, 2010

Hi all,

I need help with a NAC Layer 2 OOB Virtual Gateway design for wired users. The Cisco documentation has only a single configuration example, and it is for wireless users, which is not applicable to my case (wired users). Below are the details; please correct me if the design is wrong at any point:

1: Create one VLAN (241) for CAM management on the Core.

2: Create one VLAN (240) for CAS management on the Core.

3: The IPs of both E0 (10.10.240.1) and E1 (10.10.240.1) of the CAS will be from the same subnet and will be the same IP.

4: Create all the Trusted VLAN SVIs (VLAN 10, 20) on the Core.

5: Configure managed subnets for the Untrusted VLANs (100, 200) on the CAS.

6: Create the VLAN mapping between Trusted and Untrusted (10 to 100, 20 to 200).

7: Core connected to CAS E0: trunk, allowed VLANs 10, 20, 240.

8: Core connected to CAS E1: trunk, allowed VLANs 100, 200.

9: Other feature configuration.

I don't have a lab to test it. I am just worried that I have missed something, as the implementation will be critical and I will try to avoid all risks.

Please provide me with suggestions and best practices. Also, please let me know if I require any additional config.

Regards,

Abdul Majid Khan


Correct Answer by Faisal Sehbai about 6 years 3 months ago

Abdul,

Port profiles are used to determine whether a port is managed or unmanaged, so you'll need at least one port profile. You can set here what the initial VLAN of the switchports will be and what the final VLAN will be etc etc.

More details here: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wp1083087

HTH

Faisal

Faisal Sehbai Sat, 08/28/2010 - 11:22

Abdul,

Looks good. Without a lab or some testing time beforehand, you're taking a big risk in just implementing it blindly. NAC has so many places where it can go wrong during the implementation phase that it should be mandatory to have a mock setup first.

HTH,

Faisal

ABDUL MAJID KHAN Sat, 08/28/2010 - 23:55

Hi Faisal,

Thanks for the reply.

The problem with lab testing is that NAC requires integration with Active Directory, DHCP, DNS, switches, etc. I can arrange all of these to test it except DHCP, DNS and AD.

Second, during implementation I'll be testing it on a test VLAN; if it is successful, I'll then migrate all the remaining VLANs.

Please let me know whether, in my case, I will require PORT PROFILES.

Also, I will be providing the below features:

  1. AD authentication; if passed, check Windows/antivirus updates; if passed, provide all privileges.
  2. AD authentication; if failed, don't check any updates etc., and just allow it to the Internet, but don't allow it to a specific servers subnet (e.g. 192.168.1.0/24).

I think both of these options are doable without any issues? Please suggest.

Faisal Sehbai Sun, 08/29/2010 - 09:57

Abdul,

You'll require at least one port profile. For your other requirements, the first one is easy, the second one tricky. If you want anyone who fails the authentication to have access to the Internet, then you'll need to open access to the Internet in the Unauthenticated role while blocking traffic to your servers. If, however, you're looking to do AD SSO, that requires having access to the servers also in the Unauthenticated role, so you might have to do AD authentication using LDAP.

HTH,

Faisal

ABDUL MAJID KHAN Sun, 08/29/2010 - 10:15

Faisal,

I didn't get your point regarding port profiles. I read somewhere in the Cisco documentation that port profiles are only required for Real IP.

I have even done one project of OOB VG for wireless users and I did not use port profiles.

Please explain step by step, and I would appreciate it if you can provide any link or example that will be helpful to me. In my case I have about 15 Authentication VLANs and the same 15 Access VLANs.

And yes, the 2 requirements are clear. For the second, I'll edit the Unauthenticated role.

Regards

Majid

ABDUL MAJID KHAN Sun, 08/29/2010 - 11:35

Thanks Faisal,

I really appreciate it. At least there is someone on the Cisco forum who is responding to the NAC queries, because NAC deployment is usually critical and challenging.

During implementation, if I get any issue, I'll post. Thanks.

Regards,

Majid

Faisal Sehbai Sun, 08/29/2010 - 18:47

Majid,

You're quite welcome. I'd also suggest to keep your contract numbers and TAC's number handy since the response on the forum can be delayed at times.

Good luck on your rollout.

Faisal

ABDUL MAJID KHAN Tue, 10/19/2010 - 12:00

Hi,

Please let me know if the below two points are supported in the NAC;

1. The NAC should check whether the user's machine is joined to the domain or not.

(My proposed solution was to check the username and password entered by users on the NAC agent against Active Directory. If the user exists in Active Directory, we will assume that the machine is joined to the domain.

Issue: suppose that a user enters someone else's credentials (that already exist in Active Directory); in this case our proposed solution will fail.)

Please let me know if there is any NAC policy that can check whether a machine is joined to the domain or not.

2. All my VLANs (SVIs) are created on the FWSM (meaning the gateway of all the VLANs is the FWSM). Now, while implementing NAC OOB VG, I will create additional VLANs for the NAC Manager and NAC Server on the FWSM. Will the NAC OOB VG still work without any issues (will the VLANs that will be controlled by the NAC still be Layer 2 adjacent to the NAC)?

Correct Answer
Faisal Sehbai Tue, 10/19/2010 - 13:17

Majid,

1) There's no way for NAC to know whether a machine is part of a domain or not. What you could do is place certain registry keys or files on each of the domain-joined machines, and then check for them using NAC.

2) That should work fine. The only thing to watch out for is to NOT make any Layer 3 interfaces for any of your Authentication subnets. They should not have any Layer 3 interfaces on any of your L3 devices (FWSM, router, L3 switch, etc.).

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily
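As an added example (not from the thread, and not Cisco's code), here is a small Python checker for the nine design steps in the original question together with Faisal's rule above that the Authentication (untrusted) subnets must have no Layer 3 interface: it parses a constructed core-switch config and flags a stray SVI on an untrusted VLAN, a missing SVI on a trusted VLAN, or a CAS trunk carrying the wrong VLANs. The interface names, the core SVI addresses and the VLAN_MAP contents are assumptions.

```python
# Constructed core-switch snippet (not from the thread) that implements the
# design above: trusted VLANs 10/20 keep their SVIs, untrusted VLANs 100/200
# have none, CAS E0 trunks trusted + CAS mgmt VLAN 240, CAS E1 trunks untrusted.
SAMPLE_CONFIG = """
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
interface Vlan240
 ip address 10.10.240.2 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,240
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 100,200
"""

VLAN_MAP = {10: 100, 20: 200}  # trusted -> untrusted mapping from the thread
CAS_E0, CAS_E1, CAS_MGMT_VLAN = "GigabitEthernet1/0/1", "GigabitEthernet1/0/2", 240

def parse_config(text):
    """Return (set of SVI VLAN ids, {trunk interface: set of allowed VLAN ids})."""
    svis, trunks, cur = set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface Vlan"):
            svis.add(int(line.split()[1][4:])); cur = None
        elif line.startswith("interface "):
            cur = line.split()[1]
        elif cur and line.strip().startswith("switchport trunk allowed vlan "):
            trunks[cur] = {int(v) for v in line.split()[-1].split(",")}
    return svis, trunks

def check_oob_vg(svis, trunks, vlan_map, e0, e1, cas_mgmt):
    """Return the list of design violations (empty means consistent)."""
    problems, untrusted = [], set(vlan_map.values())
    for v in sorted(untrusted & svis):          # Faisal's rule: no L3 on auth VLANs
        problems.append(f"SVI exists for untrusted VLAN {v}")
    for v in sorted(set(vlan_map) - svis):      # trusted side needs its gateway
        problems.append(f"no SVI for trusted VLAN {v}")
    if trunks.get(e0, set()) != set(vlan_map) | {cas_mgmt}:
        problems.append(f"{e0} trunk must carry trusted VLANs plus CAS mgmt VLAN only")
    if trunks.get(e1, set()) != untrusted:
        problems.append(f"{e1} trunk must carry untrusted VLANs only")
    return problems

if __name__ == "__main__":
    print(check_oob_vg(*parse_config(SAMPLE_CONFIG), VLAN_MAP, CAS_E0, CAS_E1, CAS_MGMT_VLAN))
```

Running it against a real `show running-config` dump is the same call; an SVI for VLAN 100 on the core (or on the FWSM) shows up as the first violation.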

ABDUL MAJID KHAN Tue, 11/02/2010 - 02:15

Faisal,

I think changing the registry in an environment like a university (3000 to 4000 users) will not be applicable or recommended.

Regarding opening a TAC case, please let me know if we can open a generalized case with Cisco to get help with multiple issues or design guidance. Usually these TAC engineers tackle one issue per TAC case.

Regards,

Majid

Faisal Sehbai Tue, 11/02/2010 - 06:59

Majid,

TAC does have a policy of using one case per issue. This is for your benefit since it makes tracking, searching and ultimately solving your problems faster.

Regarding the registry key, you have to have something on the machine which you can make NAC search on. It can be a file or a registry key etc.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

netlinkin Wed, 01/26/2011 - 22:38

Hi faisal,

I am particularly asking for help, as no one has replied to me...

I am trying to implement NAC in my network (in L2 transparent mode), mainly because I don't want to make changes to other devices. I have a CAM (3315) and a CAS (3315). I have completed licensing on the CAM; I see the license as CAM Lite, which supports 3 servers.

Please suggest topology designs... currently I am a bit confused about where to put the CAS/CAM in the network.

I have gone through the initial configuration of the CAM and CAS (connected via crossover cable) >>> please comment if wrong.
Config <<
CAM (Eth0=192.168.200.15/24) &
CAS (Eth0=192.168.200.16/24 & Eth1=192.168.215.10/24),
preshared key: cisco, & allowed packets to flow from the trusted to the untrusted interface & vice versa.

And now I am trying to ping 192.168.200.16 (CAS) from the CAM (192.168.200.15), but it is not successful,
hence I am unable to get connectivity between them. I can take a web console of the CAM and tried to add the CAS to the CAM,

but it fails and gives the error { Failed to add server: Maximum limit for Clean Access Servers supported has been reached. } Strange, as this is a fresh device. Also, I have reinstalled the license at least 3-4 times... but no result... (don't know why this is so...)

I have gone through the PDFs, but there is no guideline on how to configure from the basics (like how to connect... which interface should be connected where...).

Kindly share your comments/documents for the same, from the basics.

Xavier Lloyd Fri, 01/21/2011 - 06:51

Hello to you both,

I'm actually having a problem with my NAC deployment and I saw your post was relatively recent.

Would it be ok if I asked a few questions? I can't find any information in the configuration guides or examples...

I made a thread a few days ago in the network management section but just moved it here:

https://supportforums.cisco.com/message/3272905#3272905

(I didn't want to just hijack your thread without your permission especially since it's been solved for so long)

Is this ok with you?

~Xavier.
