I need help with a NAC Layer 2 OOB Virtual Gateway design for wired users. In the Cisco documentation only a single configuration example is present, but that is for wireless users, which is not applicable to my case (wired users). Below are the details; please correct me if the design is wrong at any point:
1: Create one VLAN (241) for CAM management on the Core.
2: Create one VLAN (240) for CAS management on the Core.
3: The IPs of both E0 (10.10.240.1) and E1 (10.10.240.1) on the CAS will be from the same subnet and the same IP.
4: Create all the trusted VLAN SVIs (VLAN 10, 20) on the Core.
5: Configure managed subnets for the untrusted VLANs (100, 200) on the CAS.
6: Create the VLAN mapping between trusted and untrusted (10 to 100, 20 to 200).
7: Core connected to CAS E0: trunk, allowed VLANs 10, 20, 240.
8: Core connected to CAS E1: trunk, allowed VLANs 100, 200.
9: Other feature configuration.
I don't have a lab to test it. I am just not sure whether I missed anything, as the implementation will be critical and I want to avoid all risks.
Please provide me with suggestions and best practices. Also, please let me know if I require any additional config.
Abdul Majid Khan
1) There's no way for NAC to know whether a machine is part of a domain or not. What you could do is place certain registry keys or files on each of the domain-joined machines, and then check for them using NAC.
2) That should work fine. The only thing to watch out for is to NOT make any Layer 3 interfaces for any of your authentication subnets. They should not have any Layer 3 interfaces on any of your L3 devices (FWSM, router, L3 switch, etc.).
If you find this post helpful, please rate so others can find the answer easily
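The core-switch side of steps 1 to 8 in the question, combined with the reply's point that the authentication subnets must not get any Layer 3 interface, written out as Cisco IOS configuration. This is an added example, not configuration from the original post or from Cisco's documentation. It assumes a Catalyst-style core where GigabitEthernet1/1 faces CAS E0 and GigabitEthernet1/2 faces CAS E1, and it uses placeholder addresses 10.10.240.254/24 (CAS gateway on VLAN 240), 10.10.241.254/24 (CAM VLAN 241), 10.10.10.1/24 and 10.10.20.1/24 (trusted SVIs); interface names, descriptions and those addresses are all assumptions to be replaced with your own.

```cisco
! === Core switch: added example configuration (not from the original post) ===
! VLAN definitions: trusted user VLANs, their untrusted (authentication) twins,
! and the two management VLANs from steps 1 and 2.
vlan 10
 name TRUSTED-USERS-A
vlan 20
 name TRUSTED-USERS-B
vlan 100
 name AUTH-USERS-A
vlan 200
 name AUTH-USERS-B
vlan 240
 name CAS-MGMT
vlan 241
 name CAM-MGMT
!
! Layer 3 exists only on the trusted side and the management VLANs (step 4).
! Addresses are placeholders; the CAS (10.10.240.1) uses the VLAN 240 SVI as gateway.
interface Vlan10
 description Trusted gateway for users mapped from VLAN 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface Vlan20
 description Trusted gateway for users mapped from VLAN 200
 ip address 10.10.20.1 255.255.255.0
 no shutdown
interface Vlan240
 description CAS management / CAS default gateway
 ip address 10.10.240.254 255.255.255.0
 no shutdown
interface Vlan241
 description CAM management
 ip address 10.10.241.254 255.255.255.0
 no shutdown
!
! Deliberately NO "interface Vlan100" and NO "interface Vlan200": the
! authentication VLANs stay Layer 2 only, so the CAS is the only path from an
! unauthenticated port into the trusted VLANs (the point made in reply 2 above).
!
! Step 7: trunk to CAS E0 (trusted side) carries the trusted VLANs plus CAS management.
interface GigabitEthernet1/1
 description To CAS E0 (trusted)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,240
 switchport nonegotiate
 no shutdown
!
! Step 8: trunk to CAS E1 (untrusted side) carries ONLY the authentication VLANs.
! VLAN 240 is left off this trunk on purpose: in Virtual Gateway mode the CAS
! bridges between E0 and E1, so allowing its own management VLAN on both sides
! would create a bridging loop.
interface GigabitEthernet1/2
 description To CAS E1 (untrusted)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
 no shutdown
```

The `switchport trunk encapsulation dot1q` line is only needed on platforms that also support ISL; on 802.1Q-only switches it is rejected and can be dropped. Once applied, `show interfaces trunk` should list 10,20,240 on Gi1/1 and 100,200 on Gi1/2, and `show ip interface brief` must not show a Vlan100 or Vlan200 entry; if it does, an authentication subnet has a Layer 3 path around the CAS.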
Port profiles are used to determine whether a port is managed or unmanaged, so you'll need at least one port profile. You can set here what the initial VLAN of the switchports will be, what the final VLAN will be, etc.