NAC implementation without DHCP Server

Unanswered Question
Aug 24th, 2012

Dear Experts,


Is it possible to deploy NAC without having DHCP server in the network? We have some 300-400 users in the campus and want to enable NAC for them.


As per my understanding Cisco NAC cannot be deployed without a DHCP server in the network, however it is not documented anywhere on the site. Currently all users' machines are configured with static IPs.


We want to do user authentication, AV remediation and patch deployment through NAC. Is it possible to deploy NAC without a DHCP server?


Thanks in advance.


nayan

Tarik Admani Fri, 08/24/2012 - 03:49

Hi,


You need a DHCP server in order to have the broadcast packets flow through the Clean Access Server. This helps the CAS build the MAC-address-to-IP mapping it needs.


You can consider using ISE since it provides more flexibility.


Thanks,

nayanpanchal Fri, 08/24/2012 - 03:56

Thanks Tarik for the quick answer.


Can you suggest some URL where it is mentioned that DHCP is a mandatory prerequisite for NAC deployment?

Thanks in advance.

Tarik Admani Fri, 08/24/2012 - 08:33

Hi,


Here is the basic flow of Clean Access for both in-band and out-of-band: (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_white_paper0900aecd802bdc42.html)

[Figure 1. Laptop Attempts to Access the Internal Network]

1. When the laptop first accesses the network, the Cisco Clean Access Server determines that the computer's MAC address is not in the list of certified devices, and that laptop is placed into an unauthenticated role. While in this role, only User Datagram Protocol (UDP) Port 53 (Domain Name System [DNS]) and Dynamic Host Control Protocol (DHCP) traffic (via DHCP and VLAN passthrough) is allowed.

2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.

3. The laptop user opens a browser and is redirected to an SSL-based Web login page where she enters her credentials, which in turn map her into the "employee" role.

4. As an "employee," she is asked to download the Clean Access Agent.

5. The Clean Access Agent performs the posture assessment and forwards the results to the Clean Access Server to make the network admissions decision.



Tarik Admani
*Please rate helpful posts*
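To make the dependency on DHCP concrete, here is a small added simulation (not Cisco code and not the actual Clean Access Server implementation, just an illustration of the flow described in the five steps above). It parses a DHCP ACK off the wire to learn the MAC-to-IP binding, keeps an unauthenticated role that permits only DNS and DHCP, and only lets a web login and a posture result move a host into the "employee" role when the host's MAC and IP match a learned binding. A host with a static IP never produces a DHCP exchange, so it never gets a binding and stays in the unauthenticated role. The `build_dhcp_ack` helper, the `CleanAccessTable` class, and the sample MACs and addresses are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# BOOTP/DHCP constants (RFC 2131 / RFC 2132).
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
OPT_MSG_TYPE = 53
DHCP_ACK = 5


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str      # "your" IP address handed to the client
    chaddr: str      # client hardware (MAC) address
    msg_type: int    # option 53 value, e.g. 5 == DHCPACK


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header plus the DHCP option 53 from a UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    _ciaddr, yiaddr, _siaddr, _giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]
    msg_type = 0
    opts, i = payload[240:], 0
    while i < len(opts) and opts[i] != 255:      # 255 == end of options
        if opts[i] == 0:                          # 0 == pad byte, no length field
            i += 1
            continue
        tag, length = opts[i], opts[i + 1]
        if tag == OPT_MSG_TYPE:
            msg_type = opts[i + 2]
        i += 2 + length
    return DhcpMessage(op, xid, ".".join(map(str, yiaddr)), chaddr.hex(":"), msg_type)


def build_dhcp_ack(xid: int, yiaddr: str, chaddr: str) -> bytes:
    """Construct a minimal DHCPACK (sample traffic for the example, not captured data)."""
    header = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    addrs = bytes(4) + bytes(int(o) for o in yiaddr.split(".")) + bytes(4) + bytes(4)
    hw = bytes.fromhex(chaddr.replace(":", "")) + bytes(10)   # chaddr is 16 bytes
    return header + addrs + hw + bytes(64) + bytes(128) + MAGIC_COOKIE + bytes([53, 1, DHCP_ACK, 255])


class CleanAccessTable:
    """Simplified model of the CAS: learns bindings from DHCP, filters by role."""

    # Hypothetical policy: the unauthenticated role passes only DNS and DHCP.
    UNAUTH_ALLOWED = {("udp", 53), ("udp", 67), ("udp", 68)}

    def __init__(self) -> None:
        self.mac_to_ip: dict[str, str] = {}
        self.role: dict[str, str] = {}          # mac -> "employee" once admitted
        self.pending: dict[str, str] = {}       # mac -> role awaiting posture result

    def observe(self, payload: bytes) -> None:
        """Step 2: snoop the DHCP reply to bind the client's MAC to its leased IP."""
        msg = parse_dhcp(payload)
        if msg.op == BOOTREPLY and msg.msg_type == DHCP_ACK:
            self.mac_to_ip[msg.chaddr] = msg.yiaddr

    def ip_for(self, mac: str):
        return self.mac_to_ip.get(mac)

    def _bound(self, mac: str, ip: str) -> bool:
        return self.mac_to_ip.get(mac) == ip

    def login(self, mac: str, ip: str, role: str) -> bool:
        """Step 3: web login maps the user to a role, but only for a learned binding."""
        if not self._bound(mac, ip):
            return False          # static-IP host: no DHCP exchange, so no binding
        self.pending[mac] = role
        return True

    def posture(self, mac: str, compliant: bool) -> bool:
        """Step 5: agent reports posture; a compliant host is admitted to its role."""
        role = self.pending.pop(mac, None)
        if role is None or not compliant:
            return False
        self.role[mac] = role
        return True

    def permit(self, mac: str, ip: str, proto: str, dport: int) -> bool:
        """Step 1: the CAS as IP filter; unknown or unadmitted hosts get DNS/DHCP only."""
        if self._bound(mac, ip) and mac in self.role:
            return True
        return (proto, dport) in self.UNAUTH_ALLOWED
```

Running the model: after `observe()` sees the ACK for `aa:bb:cc:dd:ee:01`, that host can log in, pass posture and reach TCP/80, while a second host that simply configured `10.0.0.99` by hand is refused at `login()` and stays limited to DNS and DHCP, which is the situation the thread describes for static-IP clients.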

Tarik Admani Sat, 08/25/2012 - 11:07

Here is some additional information for wireless, which requires disabling the DHCP proxy configuration. This is needed so that Clean Access will inspect the DHCP broadcasts in order to build its internal MAC address table.


http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_gui...


Sent from Cisco Technical Support iPad App
