NAC configuration for voice network

amrishmehta
Level 1

I am configuring an out-of-band virtual network on the Clean Access Server. The CAS is successfully connected to the CAM without any issue. I am using two VLANs on my network, one for data and one for voice. My question is: do I need to create an Auth VLAN for the voice network and map the same on the CAS server?

9 Replies

Tarik Admani
VIP Alumni

Amrish,

Are you using Cisco phones in your deployment? If so, you should be able to drop them right in and they will tag their traffic on the voice VLAN using CDP.

If you are using a third-party phone, then by default it will first send its traffic untagged (data VLAN), then grab its IP address (view the DHCP attributes), then start broadcasting DHCP on the voice VLAN, and then its traffic is allowed.

If you have the second situation, then you will have to add a device filter for all your phones so they can come through the network.

There is no need to create any additional VLANs for the phones.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik, I am using Cisco IP phones. What about other devices like printers? Do I need to filter these devices' MAC addresses?

Is this a new deployment (if so, have you considered ISE)? Are these printers going to be on the same VLAN as your users? Also, are you running an out-of-band or in-band setup?

Let me know these answers and we can see what the best option is for you.

Thanks,

Tarik Admani
*Please rate helpful posts*

No, it's not a new deployment; I am just integrating NAC into the existing setup. All printers are on the same VLAN as the users. I am running an out-of-band setup.

Thanks,

Amrish

If you are running an out-of-band setup, then you will have to create device filters for each of the printers (you can also use wildcards) and map them to an out-of-band user role if you are using different VLANs for each user role. If you are only doing a one-to-one mapping, then it should all take care of itself.

Here is the link on how to configure device filters:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_addSrv.html#wp1203742

You can also import them using a CSV file.

Thanks,

Tarik Admani
*Please rate helpful posts*
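The reply above recommends per-printer device filters, wildcards where they fit, and CSV import. As an added example (not from the original thread, and not the CAM's own import format), here is a small Python script that takes a constructed printer inventory, validates and normalizes the MAC addresses, groups them by vendor OUI so you can see where a wildcard filter would cover several devices at once, and writes the result as CSV. The CSV column names and the `00:1E:0B:*` wildcard notation are assumptions chosen for illustration; check the CAM documentation linked above for the exact import layout before loading anything.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample inventory (hostname,MAC) in the mixed notations that
# turn up in real asset lists. These are not addresses from any real network.
SAMPLE_INVENTORY = """\
printer-floor1,00:1E:0B:AA:10:01
printer-floor2,00:1e:0b:aa:10:02
printer-floor3,001e.0baa.1003
plotter-lab,00-50-56-12-34-56
badline,zz:zz:zz:zz:zz:zz
"""

MAC_RE = re.compile(r'^[0-9a-f]{12}$')


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits with no separators, or None if invalid."""
    cleaned = re.sub(r'[:.\-\s]', '', raw.strip().lower())
    return cleaned if MAC_RE.match(cleaned) else None


def format_mac(hexstr):
    """Render 12 hex digits as the colon-separated uppercase form used in the output."""
    return ':'.join(hexstr[i:i + 2] for i in range(0, 12, 2)).upper()


def format_oui_wildcard(oui):
    """Render a 6-hex-digit OUI as an assumed wildcard filter, e.g. 00:1E:0B:*."""
    return ':'.join(oui[i:i + 2] for i in range(0, 6, 2)).upper() + ':*'


def parse_inventory(text):
    """Split inventory lines into (name, normalized_mac) pairs; collect lines that fail validation."""
    devices, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, raw_mac = line.partition(',')
        mac = normalize_mac(raw_mac)
        if mac is None:
            rejected.append(line)          # never silently admit a malformed entry
        else:
            devices.append((name.strip(), mac))
    return devices, rejected


def group_by_oui(devices):
    """Bucket devices by the first three octets (vendor OUI)."""
    groups = defaultdict(list)
    for name, mac in devices:
        groups[mac[:6]].append((name, mac))
    return groups


def build_filters(devices, min_group=3):
    """Exact filter per device, or one OUI wildcard when at least min_group devices share a vendor prefix.

    A wildcard admits any device from that vendor, so the threshold keeps it for
    cases where the saving is real; lone devices always get an exact match.
    """
    filters = []
    for oui, members in sorted(group_by_oui(devices).items()):
        if len(members) >= min_group:
            desc = ', '.join(name for name, _ in members)
            filters.append((format_oui_wildcard(oui), 'wildcard', desc))
        else:
            for name, mac in members:
                filters.append((format_mac(mac), 'exact', name))
    return filters


def to_csv(filters):
    """Serialize filters with assumed column names mac,type,description."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(['mac', 'type', 'description'])
    writer.writerows(filters)
    return buf.getvalue()


if __name__ == '__main__':
    devices, rejected = parse_inventory(SAMPLE_INVENTORY)
    print(to_csv(build_filters(devices)))
    for line in rejected:
        print('rejected:', line)
```

Running it prints one wildcard row for the three printers sharing the `00:1E:0B` prefix, one exact row for the plotter, and flags the malformed line rather than dropping it on the floor. Whether a vendor-wide wildcard is acceptable on your data VLAN is a policy call: it trades a shorter filter list for admitting any device carrying that OUI.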

Thanks Tarik, it's very helpful. Can you please tell me how to integrate an ASA 5520 with the CAS for VPN? I am using the Cisco VPN client for users to log in from home.

If you are doing virtual gateway, then this is a little tricky since you will have to enable layer 3 support.

  • The native VLANs will have to be the same on the ASA and the untrusted interface of the CAS so that any ARP requests for the tunneled gateway are sent on the same L2 domain as the CAS untrusted interface; that is then mapped based on the VLAN mapping rules and the reply is then mapped back to the ASA.
  • Set the group policy for the VPN users to have the ASA tag the users on the correct VLANs.
  • Create a floating device entry for the interface on the ASA that forwards the clients over to their default gateway (which sits on the other end of the CAS).
  • Create static routes so that all return traffic to the VPN users is routed to the CAS' trusted interface; on the CAS, create a static route for the VPN users with the next hop IP address (ASA interface) and out of the untrusted interface.
  • If you want to use the single sign-on feature, then you will have to add the CAS as the RADIUS accounting server.

Thanks,

Tarik Admani
*Please rate helpful posts*

Sorry for the late response. I have two CAS servers, one for LAN and one for VPN. Does it make any difference to use a separate server for VPN users?

How is your VPN CAS deployed? Is it deployed as a Real-IP gateway?

Thanks,

Tarik Admani
*Please rate helpful posts*
