NAC implementation without DHCP Server

nayanpanchal
Level 1

Dear Experts,

Is it possible to deploy NAC without having DHCP server in the network? We have some 300-400 users in the campus and want to enable NAC for them.

As per my understanding Cisco NAC cannot be deployed without DHCP server in the network, however it is not documented anywhere on the site. Currently all users' machines are configured with static IP.

We want to do user authentication, AV remediation and Patch deployment through NAC. Is it possible to deploy NAC without DHCP server??

Thanks in advance.

nayan       


Tarik Admani
VIP Alumni

Hi,

You need a DHCP server in order to have the broadcast packet flow through the Clean Access Server. This helps the CAS build the MAC address to IP mapping it needs.

You can consider using ISE since it provides more flexibility.

Thanks,

Thanks Tarik for the quick answer.

Can you suggest some URL where it is mentioned that DHCP is mandatory pre-requisite for NAC deployment?

Thanks in advance.

Hi,

Here is the basic flow of clean access for both inband and out of band: (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_white_paper0900aecd802bdc42.html)

Figure 1. Laptop Attempts to Access the Internal Network

1. When the laptop first accesses the network, the Cisco Clean Access Server determines that the computer's MAC address is not in the list of certified devices, and that laptop is placed into an unauthenticated role. While in this role, only User Datagram Protocol (UDP) Port 53 (Domain Name System [DNS]) and Dynamic Host Control Protocol (DHCP) traffic (via DHCP and VLAN passthrough) is allowed.

2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.

3. The laptop user opens a browser and is redirected to an SSL-based Web login page where she enters her credentials, which in turn map her into the "employee" role.

4. As an "employee," she is asked to download the Clean Access Agent.

5. The Clean Access Agent performs the posture assessment and forwards the results to the Clean Access Server to make the network admissions decision.

Tarik Admani
*Please rate helpful posts*

Here is some additional information for wireless that requires disabling the DHCP proxy configuration; this is needed so that Clean Access will inspect the DHCP broadcasts in order to build its internal MAC address table.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_woob.html#wp1320606

Sent from Cisco Technical Support iPad App
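
The replies above say the Clean Access Server learns its MAC-to-IP mapping from DHCP traffic. The sketch below is an added illustration, not part of the thread and not Cisco's code: it shows how any inline device can learn a binding from a DHCPACK. The function names and the sample packet are constructed for the demo; a host with a static IP sends no DHCP traffic, so a table built this way never gets an entry for it.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
DHCPACK = 5                        # value of option 53 in a server ACK

def parse_dhcp(payload):
    """Return (msg_type, client_mac, yiaddr) from a BOOTP/DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    if payload[1] != 1 or payload[2] != 6:          # htype Ethernet, 6-byte address
        return None
    yiaddr = socket.inet_ntoa(payload[16:20])       # address the server hands out
    mac = ":".join(f"{b:02x}" for b in payload[28:34])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                             # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                             # truncated option body
        if payload[i] == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    return msg_type, mac, yiaddr

def learn_binding(table, payload):
    """Record MAC -> IP only when the server acknowledges a lease."""
    parsed = parse_dhcp(payload)
    if parsed is None or parsed[0] != DHCPACK or parsed[2] == "0.0.0.0":
        return False
    table[parsed[1]] = parsed[2]
    return True

def build_sample(msg_type, mac, yiaddr):
    """Constructed BOOTP reply used as sample input (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), socket.inet_aton(yiaddr), bytes(4), bytes(4),
                         bytes.fromhex(mac.replace(":", "")), b"", b"")
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    table = {}
    learn_binding(table, build_sample(DHCPACK, "00:11:22:33:44:55", "192.0.2.10"))
    print(table)
```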
