I've been spinning my wheels for the past week trying to get this to work.
My Goal: To have users switched back to their initial vlan after successful authentication/remediation.
I was able to get this to work in the lab with a single vlan. I had a 1:1 ratio of 1 auth vlan for 1 access vlan by using vlan-mapping.
In production, we have approximately 40 access vlans. Does this mean I need to create an additional 40 non-routable authentication vlans (one for every access vlan)?
Can I simply create one auth vlan and set a policy to switch users back to their initial vlan? In doing so, I would assume I would need to make both eth0 and eth1 trunk ports... and if this is the case, what else do I need to do? How would DHCP pass-through work, since everyone will be coming into the auth vlan and then being placed into their initial vlan? How does the DHCP server (not the service on the CAS) know which scope to use?
Since you're deploying virtual gateway, you probably want a 1:1 ratio for Auth and Access VLANs. This is also better for Spanning Tree - you should limit your VLANs at each closet, and manually prune them with "switchport trunk allowed vlan #,#,#"
IDFA - Access Vlan 10 - Auth Vlan 110
IDFB - Access Vlan 20 - Auth Vlan 120
Since the CAS is in VGW it's a bridge, and DHCP will pass through it once your VLAN mappings are set up under the CAS advanced configuration (through the CAM interface).
You'll need to configure VLAN mappings like so:
Untrusted VLAN 110 maps to Trusted VLAN 10
Untrusted VLAN 120 maps to Trusted VLAN 20
And yes, you'll need to trunk eth0 and eth1 and make sure you have the correct VLANs on the allowed list of the switchport trunk.
I've also had luck tagging the management subnet on both eth0 and eth1, which is the subnet/VLAN you set up during the install wizard. To tag the eth0 and eth1 CAS management VLAN/subnet, log in to the cas/admin page and click the check box on both eth0 and eth1 to tag traffic with VLAN ID and enter the VLAN ID. Leave the passthrough check box unchecked.
This seems to help eliminate the CDP native vlan mismatch messages on switches.
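The answer above describes a procedure: keep a strict 1:1 auth-to-access VLAN mapping per closet, enter the untrusted-to-trusted pairs on the CAS, trunk eth0/eth1, and prune each trunk's allowed list to only the VLANs that closet needs. The following is an added example, not code from the thread or from Cisco: a small Python script that takes a constructed closet table (names and VLAN numbers are sample values), checks that the mapping really is 1:1 with no VLAN doubling as both access and auth, and emits the CAS mapping list plus pruned IOS-style `switchport trunk allowed vlan` statements. The management VLAN number and the interface names are placeholders.

```python
"""Added example: validate a 1:1 auth/access VLAN mapping and generate
pruned trunk allowed-lists for each closet uplink and for the switchports
facing the CAS eth0 (trusted) and eth1 (untrusted) interfaces.
All closet names, VLAN numbers and interface names are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Closet:
    name: str          # IDF identifier
    uplink: str        # switchport carrying this closet's trunk (placeholder)
    access_vlan: int   # routable VLAN users land in after authentication
    auth_vlan: int     # non-routable VLAN users start in


# Constructed sample table following the IDFA/IDFB scheme from the answer
CLOSETS = [
    Closet("IDFA", "GigabitEthernet1/0/1", 10, 110),
    Closet("IDFB", "GigabitEthernet1/0/2", 20, 120),
    Closet("IDFC", "GigabitEthernet1/0/3", 30, 130),
]

MGMT_VLAN = 999                       # assumed CAS management VLAN, tagged on eth0 and eth1
CAS_ETH0_PORT = "GigabitEthernet1/0/47"  # placeholder: switchport facing CAS eth0
CAS_ETH1_PORT = "GigabitEthernet1/0/48"  # placeholder: switchport facing CAS eth1


def validate_mapping(closets, mgmt_vlan=MGMT_VLAN):
    """Return a list of problems; an empty list means the table is usable.
    A bridged (VGW) CAS needs every auth VLAN to map to exactly one access
    VLAN and vice versa, and no VLAN may play both roles."""
    problems = []
    access = [c.access_vlan for c in closets]
    auth = [c.auth_vlan for c in closets]
    if len(set(access)) != len(access):
        problems.append("an access VLAN is reused across closets")
    if len(set(auth)) != len(auth):
        problems.append("an auth VLAN is reused across closets (mapping is not 1:1)")
    overlap = set(access) & set(auth)
    if overlap:
        problems.append(f"VLAN(s) used as both access and auth: {sorted(overlap)}")
    if mgmt_vlan in access or mgmt_vlan in auth:
        problems.append("management VLAN collides with an access or auth VLAN")
    for c in closets:
        for v in (c.access_vlan, c.auth_vlan):
            if not 1 <= v <= 4094:
                problems.append(f"{c.name}: VLAN id {v} out of range")
    return problems


def cas_vlan_mappings(closets):
    """Untrusted (auth) VLAN -> trusted (access) VLAN pairs, as entered on the CAS."""
    return {c.auth_vlan: c.access_vlan for c in closets}


def closet_allowed_vlans(closet, mgmt_vlan=MGMT_VLAN):
    """Only what this closet's uplink needs: its own access and auth VLAN plus management."""
    return sorted({closet.access_vlan, closet.auth_vlan, mgmt_vlan})


def cas_allowed_vlans(closets, mgmt_vlan=MGMT_VLAN):
    """eth0 (trusted) carries every access VLAN, eth1 (untrusted) every auth VLAN;
    the management VLAN is tagged on both sides."""
    trusted = sorted({c.access_vlan for c in closets} | {mgmt_vlan})
    untrusted = sorted({c.auth_vlan for c in closets} | {mgmt_vlan})
    return trusted, untrusted


def allowed_list(vlans):
    """Format a VLAN list the way the IOS allowed-vlan keyword expects it."""
    return ",".join(str(v) for v in vlans)


def render_config(closets, mgmt_vlan=MGMT_VLAN):
    """Emit IOS-style trunk statements for each closet uplink and the CAS-facing ports."""
    problems = validate_mapping(closets, mgmt_vlan)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for c in closets:
        lines += [f"! {c.name} uplink", f"interface {c.uplink}",
                  " switchport mode trunk",
                  f" switchport trunk allowed vlan {allowed_list(closet_allowed_vlans(c, mgmt_vlan))}"]
    trusted, untrusted = cas_allowed_vlans(closets, mgmt_vlan)
    for label, port, vlans in (("CAS eth0 (trusted)", CAS_ETH0_PORT, trusted),
                               ("CAS eth1 (untrusted)", CAS_ETH1_PORT, untrusted)):
        lines += [f"! {label}", f"interface {port}", " switchport mode trunk",
                  f" switchport trunk allowed vlan {allowed_list(vlans)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for untrusted, trusted in cas_vlan_mappings(CLOSETS).items():
        print(f"Untrusted VLAN {untrusted} maps to Trusted VLAN {trusted}")
    print(render_config(CLOSETS))
```

The validation step is the part worth keeping even if you hand-write the switch config: a reused auth VLAN or a VLAN that appears on both sides of the bridge is exactly the kind of mistake that makes the CAS forward frames into the wrong side, and `render_config` refuses to emit anything until the table is clean.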