NAC Out of band deployment problem

Hi,

I have implemented the Cisco NAC solution in Layer 2 Virtual Gateway out-of-band mode, but I have a problem with the remediation process (I am using the NAC agent).

When clients are not compliant with my security policy, they move from the unauthenticated role to the temporary role. The problem is that users in the temporary role cannot ping anywhere. I want to allow users to connect to the Internet and download the proper file, but they cannot. I created an access rule and permitted everything for the temporary role, but it does not work.

I think the NAC server does not retag traffic correctly (I set a VLAN mapping rule that maps between my authentication and access VLAN).

Is it correct that the NAC server does VLAN retagging for all remediation traffic? If yes, how can I solve this problem?

Best regards

26 REPLIES

Re: NAC Out of band deployment problem

You can verify this by issuing a show mac address on the switch that the CAS is connected to and see two entries: one on the untrusted VLAN from the trunking interface of the downstream switch, and the other from the trusted VLAN on the trusted interface. If these entries are present, then check your routing to see if these subnets can get through your firewall.

Thanks,

Tarik Admani

Sent from Cisco Technical Support iPad App


Re: NAC Out of band deployment problem

Thank you for your attention.

I did not see such output from my sho mac add command.

I sent an image of my current topology; it may be useful, please find it.

I used a router instead of Cisco Layer 3 switches (the SVI for the user access VLAN is configured on the router as sub-interfaces), and on my NAC Server I created a VLAN mapping rule that maps the unauthenticated VLAN to one of my access VLANs.

I have a problem with my Managed Subnet!! I have to put my Managed Subnet as the default gateway for my client, because if I put the router SVI, the Cisco NAC agent client does not pop up at all!!!

I read different documents about that and all of them said that your client default gateway must be the SVI, but it does not work.

Best regards

NAC Out of band deployment problem

Hi, can you please post the configuration of the port settings for the untrusted and trusted interfaces? When you issue show mac address (macaddr of client), what entries do you see? Also, when you made these changes, did you reboot the CAS? Keep in mind that every time you make a network-related change on the CAS, the unit must be rebooted in order for the changes to take effect.

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

Thank you for your reply.

The output of sho mac add for my client MAC address is as follows:

Switch#sho mac address-table dynamic address 5404.a674.f220
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    5404.a674.f220    DYNAMIC     Fa0/6   (Unauthenticated vlan)
  50    5404.a674.f220    DYNAMIC     Fa0/2   (Access vlan)
Total Mac Addresses for this criterion: 2

And this is my configuration for the NAS ports:

interface FastEthernet0/2
 description CONNECT TO TRUSTED-NAS
 switchport trunk native vlan 100
 switchport trunk allowed vlan 20,50
 switchport mode trunk
!
interface FastEthernet0/3
 description CONNECT TO UNTRUSTED-NAS
 switchport trunk native vlan 101
 switchport trunk allowed vlan 110
 switchport mode trunk

Best regards

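A small script for the verification suggested earlier in the thread (the client's MAC learned once on the untrusted VLAN and once on the trusted VLAN), added here as an example and not part of the original thread. The sample table is constructed to mirror the output posted above; the VLAN numbers are the ones from this deployment (110 untrusted, 50 access).

```python
import re

# Constructed sample mirroring the 'sho mac address-table' output posted above
# (client 5404.a674.f220 learned on VLAN 110 via Fa0/6 and on VLAN 50 via Fa0/2).
MAC_TABLE = """\
Switch#sho mac address-table dynamic address 5404.a674.f220
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 110    5404.a674.f220    DYNAMIC     Fa0/6
  50    5404.a674.f220    DYNAMIC     Fa0/2
Total Mac Addresses for this criterion: 2
"""

# One table row: VLAN id, dotted-hex MAC, entry type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I)

def parse_mac_table(text):
    """Return {(vlan, mac): port} for every entry row; headers and totals are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, _entry_type, port = m.groups()
            entries[(int(vlan), mac.lower())] = port
    return entries

def check_oob_bridging(text, mac, untrusted_vlan, trusted_vlan):
    """Apply the check from the reply above: in L2 OOB virtual gateway mode the
    client's MAC must be learned twice, once on the untrusted (authentication)
    VLAN and once on the trusted (access) VLAN, on different switch ports.
    Returns (ok, explanation)."""
    entries = parse_mac_table(text)
    mac = mac.lower()
    untrusted_port = entries.get((untrusted_vlan, mac))
    trusted_port = entries.get((trusted_vlan, mac))
    if untrusted_port is None:
        return False, f"{mac} not learned on untrusted VLAN {untrusted_vlan}"
    if trusted_port is None:
        return False, f"{mac} not learned on trusted VLAN {trusted_vlan}"
    if untrusted_port == trusted_port:
        return False, f"both entries on {untrusted_port}; expected two CAS-facing ports"
    return True, (f"bridged: VLAN {untrusted_vlan} on {untrusted_port} -> "
                  f"VLAN {trusted_vlan} on {trusted_port}")
```

If the check passes, the CAS is retagging the client's frames and the fault is further along the path (routing, traffic policy, or the reverse direction), which is what the rest of the thread goes on to look at.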
NAC Out of band deployment problem

Hi,

Can you please post a screenshot of your temporary role traffic policies? At this point the traffic is being mapped correctly, based on the entries provided from the MAC address table. Now we need to see where the traffic is being dropped on your network.

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

I just mentioned that the DG of my unauthenticated client is the Managed Subnet in the CAS. Is it OK?

Please find the attachment.

Best regards

NAC Out of band deployment problem

Please uncheck the top option "Enable subnet based vlan retag". I have seen this cause issues in other deployments as well. Then try to set the default gateway for your client to the router's interface.

Thanks,

Tarik Admani

*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

I unchecked "subnet based vlan retag", but it doesn't work. When I changed the client DG to the SVI (because I replaced my router with a C3750), the client does not resolve the MAC address of the DG; it is sending ARP requests for this purpose but does not get a response at all.

Does ARP traffic get retagged through the NAS?

Best regards

NAC Out of band deployment problem

When you made these changes, did you reboot the CAS? After further research, the default gateway for these users is the managed subnet, as found in this guide: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_addSrvr.html#wp1060206

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

Yes, I do that whenever I change the configuration on my CAS.

I have read this document before, but I also saw some other documents that say you must use the SVI as gateway (I attached one of them). When I use the managed subnet as gateway, the Cisco agent pops up, but in the remediation process the clients cannot ping anywhere. A client in the remediation process must connect to an FTP server to download the files (I created it in the Requirements part in Clean Access), but when the client is placed in the temporary role, it always sends ARP requests for the FTP IP address and does not get any response. I think the problem is there, but I do not know what I should do about it.

Re: NAC Out of band deployment problem

What is the model of the switch you are running, and what is the current code? Also, the VLAN that you are mapping to, which is 50: is it allowed through the trunk on both sides of the link? Do you see the client's MAC address on VLAN 50 on the router's subinterface? Is spanning tree forwarding VLAN 50 on the uplink?

Thanks,

Tarik Admani
*Please rate helpful posts*

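A way to answer the "allowed through the trunk on both sides" question above mechanically, added here as an example and not part of the thread: it parses the CAS-facing port configuration the poster quoted earlier (reproduced as constructed sample input, description lines omitted) and reports any CAS trunk that does not carry the VLAN expected on its side. The interface names and VLAN numbers are those from the posted config; only the plain "switchport trunk allowed vlan <list>" form is handled, not the add/remove variants.

```python
# Constructed sample: the two CAS-facing trunk ports as the poster quoted them
# (Fa0/2 trusted side, Fa0/3 untrusted side), description lines omitted.
SWITCH_CONFIG = """\
interface FastEthernet0/2
 switchport trunk native vlan 100
 switchport trunk allowed vlan 20,50
 switchport mode trunk
!
interface FastEthernet0/3
 switchport trunk native vlan 101
 switchport trunk allowed vlan 110
 switchport mode trunk
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '20,50,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Map interface -> {trunk, native, allowed}; allowed None means all VLANs."""
    trunks, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            trunks[cur] = {"trunk": False, "native": 1, "allowed": None}
        elif cur and line == "switchport mode trunk":
            trunks[cur]["trunk"] = True
        elif cur and line.startswith("switchport trunk native vlan "):
            trunks[cur]["native"] = int(line.split()[-1])
        elif cur and line.startswith("switchport trunk allowed vlan "):
            trunks[cur]["allowed"] = expand_vlan_list(line.split()[-1])
    return trunks

def vlan_carried(trunks, iface, vlan):
    """True if `iface` is a trunk carrying `vlan`, tagged or as its native VLAN."""
    t = trunks.get(iface)
    if t is None or not t["trunk"]:
        return False
    return vlan == t["native"] or t["allowed"] is None or vlan in t["allowed"]

def check_cas_ports(config, untrusted_if, untrusted_vlan, trusted_if, trusted_vlan):
    """List the CAS trunks that do not carry the VLAN expected on their side."""
    trunks = parse_trunks(config)
    sides = [("untrusted", untrusted_if, untrusted_vlan), ("trusted", trusted_if, trusted_vlan)]
    return [f"{iface}: {side} VLAN {vlan} not carried"
            for side, iface, vlan in sides if not vlan_carried(trunks, iface, vlan)]
```

Run the same check against the access switch's uplink with the VLAN it must carry to cover the other end of the link.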

Re: NAC Out of band deployment problem

Dear Tarik Admani,

I have two switches. One of them is a WS-C3750-24TS with IOS "c3750-ipservicesk9-mz.122-52.SE.bin"; I use it as the core switch to which the NAM, the NAS and my FTP server are connected. The other one is my access switch, to which the clients are connected; it is a WS-C2950G-24-EI with IOS "c2950-i6q4l2-mz.121-22.EA14.bin".

The version of my NAC Manager is 4.9; it is installed on ESX 4.1 and has a trial license.

I attached the configuration of both switches.

NAC Out of band deployment problem

What VLAN is the FTP server on? If it is on VLAN 50, then you will have to create a static route that points this IP address through the trusted interface. This is because of the managed subnet configuration: it always assumes that all IP addresses that belong to this IP space are behind the untrusted VLAN. It is best to keep network resources, including the NAM, on a separate VLAN to which the CAS is connected.

Let me know if this is the case.

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

Yes, my FTP server was in VLAN 50. I changed the VLAN and put it in VLAN 200, but the problem is still there and my client in the unauthenticated VLAN does not connect to it. In my switches I turned debugging for ARP traffic on, but it shows nothing!!

Thanks.

Re: NAC Out of band deployment problem

Hi,

Can you please post a screenshot of the interface settings from the UI? Also, is the CAS running in VMware as well?

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

If you mean the IP configuration of the CAS and CAM, I send it to you as an attachment.

Yes, both the NAC Manager and the NAC Server are installed on ESX 4.1.

Best regards


Re: NAC Out of band deployment problem

Dear Tarik Admani,

Could you please do me a favor and skim this document? It is for NAC 4.9 and it clearly says that your DG must be the SVI.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_deploy.html

Thanks,


Re: NAC Out of band deployment problem

Dear Admani,

When I changed the client's gateway to the IP address of the SVI on the 3750, the client's ARP request was received by the 3750 and it sent the reply, but the problem is that the client does not receive these replies. I do not know why this happens.

This is the output on the C3750:

(10.10.50.4 is the client IP in the untrusted part of the NAS and 10.10.50.1 is the SVI IP on the 3750)

23:02:23: IP ARP: rcvd req src 10.10.50.4 14da.e9af.9d22, dst 10.10.50.1 Vlan50
23:02:23: IP ARP: sent rep src 10.10.50.1 0013.1aeb.9748,
                 dst 10.10.50.4 14da.e9af.9d22 Vlan50

Thanks,

NAC Out of band deployment problem

At this point there is not much we can do when it comes to troubleshooting this setup, because of the fact that you are using VMware in order to simulate the CAS appliance. It will be much easier to go with ISE, since you are using this in your test lab anyway. You can achieve all the same features using RADIUS over SNMP for OOB management of clients, and the ACLs are much easier to manage and deploy for temporary network access, etc. ISE also comes with a 90-day trial in the ISO, so that should get you going.

Thanks,

Tarik Admani


Re: NAC Out of band deployment problem

Dear Admani,

Thank you for your reply.

Do you think the problem is caused by the ESX server?

When the client passes all the posture assessment correctly (and is not placed in the temporary role), everything works great, but when it fails, the problem begins.

Thanks,

Re: NAC Out of band deployment problem

It's hard to tell; it seems as if you have everything set up correctly. One assumption I made is that all traffic is allowed from trusted to untrusted. If you state that the traffic works fine if the client passes all the checks, then your next option is to test the traffic in the reverse direction. In the screenshot that you posted for the temporary role, where you were allowing all TCP and UDP traffic, can you drop the box down so that the path shows from trusted > untrusted and make sure that all traffic is allowed?

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Dear Tarik Admani,

Yes, I checked it; everything is allowed from both directions.

It is so strange why my clients cannot get the ARP response from their default gateway. The C3750 responds to the request in the corresponding VLAN, but the response fades away after that.

Thanks,

Re: NAC Out of band deployment problem

Were you able to validate by running a packet capture, or did you use arp -a on the client end to see that the ARP entry was incomplete? I would try to remove the rules and re-enter them again.

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

I am running Wireshark on the client and see that the client periodically sends broadcast ARP requests to find the MAC of the DG, and I also see that the SVI on the 3750 answers these requests with the INT VLAN 50 MAC address, but after that I do not know what happens. It does not get to the client.

Thanks,

NAC Out of band deployment problem

One more item to check, and this is basic: when the client fails the requirement, are they being placed in the temporary role? Also, can you make sure that you have configured any traffic policies on the local CAS? Here is a guide that will show you this setting: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_trfpol.html#wp1040154

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: NAC Out of band deployment problem

Yes, I checked it via Monitoring > Reporting, and it said that the user successfully logged in to the temporary role. I created a permit-all on the local policy, but the result is the same.

Yesterday I changed the DG of my client to the SVI, and after that I defined the ARP entry for the DG in CCA Servers > Advanced > ARP and added the ARP entry for my DG on the untrusted interface; then the NAC agent client popped up. Now, when the client sends an ARP request for its DG, the CAS responds to it with its untrusted interface MAC address and the SVI IP address.

I do not know whether this is normal behavior or not?

Thanks
