Cisco Support Community
Community Member

NAC Implementation

We terminate VPN users on an ASA. That is working. The problem is running the remote users through the NAC appliance while not checking other traffic. We have tried restricting all VPN users to a VLAN and Layer 3 with PBR. None of these options seem to work. What is the best way to run remote users through NAC before allowing access to the network? Layer 3, Layer 2, In-Band, Out-of-Band, or ???


Community Member

Re: NAC Implementation

The recommended way to run your VPN users through the NAC appliance(s) is to implement the L3 In-Band deployment.



Community Member

Re: NAC Implementation

Will this work having the remote users restricted to one VLAN on the ASA separate from my inside interface? Or will all traffic have to pass through the NAC and exempt everything but the VPN traffic?

Community Member

Re: NAC Implementation

Yes and yes.

As you're only inserting the NAC appliance into the existing traffic flow.

The traffic you want to interrogate can be specified via your managed subnets list as well.

If your VPN is not set up yet, you should get it up and working through that dedicated interface and then insert the NAC appliance.


Re: NAC Implementation

If your NAC appliance is more than 1 hop away from your VPN appliance, you can policy route the VPN IP pool through the NAC servers. All other traffic will be routed normally, without going through NAC.
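The policy-routing approach described in the reply above, written out as an added Cisco IOS example; this is not configuration from the thread or from any Cisco document. The VPN pool (10.20.0.0/24), the router interface facing the ASA (GigabitEthernet0/1), the NAC Server untrusted-side address (10.99.1.2) and the ACL and route-map names are all assumptions chosen for the example.

```cisco
! Added example, not from the thread. Policy-route only the remote-access VPN
! pool toward the NAC Server (CAS) untrusted interface; everything else keeps
! following the normal routing table. All addresses, names and interfaces below
! are assumptions for illustration.
!
! Assumed topology:
!   VPN address pool handed out by the ASA ....... 10.20.0.0/24
!   Core router interface toward the ASA ......... GigabitEthernet0/1
!   NAC Server (CAS) untrusted-side address ...... 10.99.1.2
!
ip access-list extended VPN_POOL_TO_NAC
 remark match only traffic sourced from the remote-access VPN pool
 permit ip 10.20.0.0 0.0.0.255 any
!
! A single permit entry with a match clause: traffic matching the ACL gets the
! next-hop override, traffic that does not match falls through to normal
! destination-based routing (that is the "all other traffic routed normally").
route-map VPN_VIA_NAC permit 10
 match ip address VPN_POOL_TO_NAC
 set ip next-hop 10.99.1.2
!
! Apply the policy on the interface where VPN-pool packets enter the router.
interface GigabitEthernet0/1
 description Link toward ASA (VPN users arrive here)
 ip policy route-map VPN_VIA_NAC
!
! Checks after applying (commands exist on IOS; output varies by platform):
!   show ip policy              -> VPN_VIA_NAC bound to GigabitEthernet0/1
!   show route-map VPN_VIA_NAC  -> "Policy routing matches" counter increments
!                                  only when VPN-pool hosts send traffic
```

Two design points to keep in mind when doing this with an in-band NAC Server: the appliance must see both directions of a flow, so the inside network also needs a route for 10.20.0.0/24 that returns via the CAS trusted side rather than straight back to the ASA, and the ACL should be kept to the VPN pool only so that the NAC Server never becomes a transit hop for other inside traffic, which is exactly the behaviour the original poster was trying to avoid.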
