Figure 1. Laptop Attempts to Access the Internal Network
1. When the laptop first accesses the network, the Cisco Clean Access Server determines that the computer's MAC address is not in the list of certified devices, and that laptop is placed into an unauthenticated role. While in this role, only User Datagram Protocol (UDP) Port 53 (Domain Name System [DNS]) and Dynamic Host Control Protocol (DHCP) traffic (via DHCP and VLAN passthrough) is allowed.
2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.
3. The laptop user opens a browser and is redirected to an SSL-based Web login page where she enters her credentials, which in turn map her into the "employee" role.
4. As an "employee," she is asked to download the Clean Access Agent.
5. The Clean Access Agent performs the posture assessment and forwards the results to the Clean Access Server to make the network admissions decision.
Here is some additional information for wireless that requires disabling the dhcp proxy configuration, this is needed so that clean access will inspect the dhcp broadcasts in order the build it's internal Mac address table.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...