I need help deploying Cisco NAC on a remote branch. I did all the necessary steps & configs but still no luck. On the main site we have an OOB Real-IP Gateway deployment. All of the campus is deployed, but for the remote branch it is not working. We have firewalls & routers in between (of course); I have allowed IP any to the NAC Server & Manager, but still no luck.
Is there any point I am missing? Do I have to do some extra config for the remote branch?
Can you give us a brief example of your current setup? Do you have PBR set up in order to force the users through the CAS during posture assessment? Also, do you have the static routes configured on the CAS that will route the traffic back to the clients? And do you have the static routes configured so that any response that needs to reach these clients is set to go through the trusted IP address of the CAS?
If you can post a Visio, please do so; it will make it much easier to see what the path is for the clients and the CAS.
Sorry, I cannot paste a Visio; I will give you a brief description. The answer to all of your questions is yes, I did.
1. NAC CAM & CAS are both in the datacenter.
2. Our campus is big, so we have routing within the campus, and on each branch within the campus we configured PBR on the branch core switches, which is working fine within the campus.
3. For the remote branch, which is connected through IP VPN & leased lines, I have configured PBR on the core switch as we did in the campus: forced the client subnet to communicate only with the CAS if in the unauthenticated VLAN, and routed to the CAS IP.
4. Did the static route in the CAS for this branch subnet.
5. Configured ACLs on the ASA from any to all CAS & CAM IPs (trusted, untrusted, virtual, real).
Is there anything else required?
Is it possible the default VLAN is creating the problem? That branch is using the default VLAN: the normal VLAN is the default VLAN 1, and I have created VLAN 10 for unauthenticated users.
Without understanding your network, this is a little challenging to troubleshoot. All clients must be on the unauthenticated VLAN for their traffic to be isolated until they are authorized by the manager, where SNMP is used to reassign the clients to the appropriate VLAN.
We need to verify that your routing for the unauthenticated clients is symmetric and flows through the CAS. You also want to configure the correct static routes.
From the remote branch, are you forwarding all the tunneled traffic to the CAS virtual IP? Also, with respect to static routes on the CAS, are you pointing the untrusted client subnets to the interface on the firewall?
When you open a web page, to Google for example, what happens?
1. From the remote branch, are you forwarding all the tunneled traffic to the CAS virtual IP?
All traffic passes through the tunnel, but unauthenticated traffic is sent to the CAS virtual IP through policy.
2. Also, with respect to static routes on the CAS, are you pointing the untrusted client subnets to the interface on the firewall?
No, it is routed to an SVI on our core switches. We have the CAS & CAM in a separate VLAN, so we route that traffic to this interface on the core switch.
It is not connected to the internet; we have no connection to the internet, so anyway when it is in the authenticated VLAN we cannot do anything. Though I can reach the CAS & CAM IPs from the clients, it is not shifted to the normal VLAN.
Basically, here is the traffic flow, for example:
On your core switch you have a static route that points 10.0.0.0/24 to 172.16.1.1 (trusted CAS interface).
I hope this makes sense; if it doesn't, then you will need to contact your partner or open a TAC case so they can take a better look at your topology.
You are talking about the route in the core switch of the remote branch, right?
I do not understand: first you are routing the untrusted IPs to the untrusted interface of the CAS, then the same traffic to the trusted IP of the CAS?
I apologize for the confusion. The traffic needs to be routed to the untrusted interface, where the CAS will then inspect the traffic and route it through to its trusted interface, where it will hit the core. Your static routes in the core need to send any responses for these untrusted subnets back through the trusted interface, where the routing table inside the CAS will then send the traffic back out to the subnet for these clients. This is because the CAS does not support routing protocols.
I hope that clears up the confusion.
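To make the symmetric path described in the reply above concrete, here is an added illustration in Cisco IOS syntax; it is not the poster's configuration. It assumes a datacenter core switch adjacent to both CAS interfaces, reuses the unauthenticated subnet 10.0.0.0/24 and trusted CAS interface 172.16.1.1 from the thread, and uses placeholder addresses for the CAS untrusted interface (172.16.2.1) and the WAN-facing SVI.

```cisco
! Added example (assumed addresses): datacenter core switch adjacent to the CAS.
! Forward direction: traffic sourced from the unauthenticated subnet is policy-routed
! to the CAS untrusted interface. Return direction: replies to that subnet are routed
! to the CAS trusted interface, so both directions cross the CAS.
!
! 1. Match traffic sourced from the unauthenticated branch subnet
ip access-list extended NAC-UNAUTH-SRC
 permit ip 10.0.0.0 0.0.0.255 any
!
! 2. PBR: hand that traffic to the CAS untrusted interface (placeholder 172.16.2.1).
!    The next hop set by PBR must be directly adjacent to this switch.
route-map NAC-TO-CAS permit 10
 match ip address NAC-UNAUTH-SRC
 set ip next-hop 172.16.2.1
!
! 3. Apply the policy only where untrusted branch traffic enters from the WAN,
!    so traffic the CAS has already forwarded out its trusted side is not re-matched.
interface Vlan100
 description Uplink from remote-branch WAN router (placeholder)
 ip address 172.16.100.1 255.255.255.0
 ip policy route-map NAC-TO-CAS
!
! 4. Return path: responses to the untrusted subnet go to the CAS trusted interface
!    (172.16.1.1) rather than straight toward the WAN; otherwise the reply bypasses
!    the CAS and the path is asymmetric.
ip route 10.0.0.0 255.255.255.0 172.16.1.1
!
! 5. On the CAS itself (configured in its GUI, not IOS): a static route for
!    10.0.0.0/24 pointing to the untrusted-side gateway, so the CAS can send the
!    reply back toward the branch.
```

The check for symmetry is that a traceroute from an unauthenticated client toward the trusted network, and one from the trusted side back to that client, both pass the CAS interfaces.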
Thanks Tarik for the clarification.
These have all already been done. As I said, from the clients, either in the untrusted VLAN or the trusted VLAN, I can reach the CAS & CAM IP addresses. All untrusted client traffic is forwarded to the CAS untrusted IP using a policy map in the core of the remote site, but it is still not working.
Can you share the issue you are having? Is the traffic being dropped at the server?
How are you able to verify that all the traffic is symmetrically routing through the CAS?
What ports do you have opened for the unauthenticated role? In Real-IP mode, no DNS traffic is allowed unless you allow it.
The issue is that after installing the agent on the client, it switches to the untrusted VLAN, but the NAC agent seems to be dead: no activity, not showing anything, maybe not communicating with the CAS or CAM.
In the firewall there is an access-list for IP any to the CAM & CAS, so that means no blocks from the firewall. Even the CAM is able to manage the remote switches (changing VLANs, assigning port profiles, etc.).
Did you generate the CAS certificate from the untrusted interface?
Also, what is the discovery host for the agent set to?
Also, do you have L3 support enabled on the CAS? And make sure that you do not have a managed subnet configured for these clients, since that will break the L3 discovery mechanism for these end users.
Please post a few screenshots of your static routes that are defined on the CAS.
For the above questions:
1. Yes, the CAS certificate is generated.
2. Yes, L3 support is enabled.
3. The discovery host is the CAM IP.
4. "Make sure that you do not have a managed subnet configured for these clients"
How & where do I verify this?
5. Here is the static route for the remote branch:
Subnet 22.214.171.124/255.255.255.0 -> 126.96.36.199 (gateway), untrusted
Did you generate the certificate on the CAS so it resolves to the untrusted interface?
You can find the managed subnet configuration here:
Also keep in mind that any changes you make related to certificates or network settings require a reboot of the CAS for those changes to take effect. Please reboot the CAS and see if that resolves your issue.
I also wanted to verify how you were able to get the download page. The reason is that if you are not being automatically redirected to the page, then most likely all the client traffic isn't being redirected either. For troubleshooting, you may want to change the discovery host of the agent to the untrusted IP of the CAS and see if that causes the agent to pop up.