Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

NAC Inband L2 and L3 Simultaneously not work

Dear All,

I have a problem with simultaneous L2 and L3 NAC deployement.

I have a CAS configured as Real IP gateway, Inband. Previosly i can have the NAC running well on L3 deployment using PBR.I configured PBR on distribution switch to intercept the traffic from user to untrusted NAC.

Now our company try to add Wireless, using WLC, which have interface vlan configured in untrusted CAS (Using 'managed subnet' section on CAM). the wireless run perfectly, they able to authenticate to NAC and able to connect to the whole network after NAC authentication.

However now the L3 users cant reach the untrusted to perform NAC authentication. The CAS cant even ping the L3 user which was okay previosly.

Is there any limitation on Cisco NAC for L2 and L3 deployment? I read from Cisco that one CAS can be configured for L3 and L2 simoultaneously so i should work

Tq
Imad

1 ACCEPTED SOLUTION

Accepted Solutions

Re: NAC Inband L2 and L3 Simultaneously not work

Imad,

The way you described it working is pretty close to how one would set it up.

Glad that it works for you now!

Ma'salam,

Faisal

6 REPLIES

Re: NAC Inband L2 and L3 Simultaneously not work

Imad,

What other changes were made to your network when you were enabling the Wireless?

L2 and L3 do work on the same CAS. Need more information on your layout to comment further.

Faisal

New Member

Re: NAC Inband L2 and L3 Simultaneously not work

Hai Faisal,

I give you the logical diagram of our NAC - Wireless. Red line is L3 link, and black line is L2 link.

For the wireless i create the interface vlan on untrusted NAC. For the wired, i configured PBR on routed interface connecting to aggregator switch. the next hop ip for the wired user is virtual ip address for untrusted interface ( we use 2 CAS for failover ).

Basicly we only add managed subnet for wireless user, the ip address for managed subnet is interface vlan for wireless.On the CAS network we enable L3 support, without enable L3 strict mode for NAT.

FYI, We recently upgrade the NAC from 4.7.1 to 4.8

I hope this give you clearer information.

Thank you before, and Happy Ramadhan

Imad

New Member

Re: NAC Inband L2 and L3 Simultaneously not work

Faisal,

If i can simplify, the problem is: "the interface untrusted can not do routing".

I suspect this because, when i add static route for managed network via untrusted interface, the managed network cant ping the untrusted interface.

If i remove static route for managed network, the managed network can ping the untrusted interface. ( ping echo request from managed network and reply from NAC is sent via trusted interface )

BR,

Imad

Re: NAC Inband L2 and L3 Simultaneously not work

Imad,

Ramazan mubarak to you also.

Please post the screenshots of your CAS's configuration screens, particularly the Network page, the Managed subnets, the static routes.

Please also post your IP/VLAN information to go along with your network diagram.

Ma'salaam,

Faisal

New Member

Re: NAC Inband L2 and L3 Simultaneously not work

Salam Faisal

Now our NAC is working fine with wireless (L2) and wired (L3).

For wireless network, we keep the interface vlan on "managed subnet". For wired network we remove the static route on the CAS. We do this to overcome the problem with the Untrusted Interface which cant do routing if we add "managed subnet".

So traffic flow for unauthenticated role for wired user:

1. User generate http or https request, traffic go to untrusted interface of CAS ( Because we configure PBR on distribution )

2. CAS reply the request using TRUSTED INTERFACE. During this stage user cant go to protected network

3.  User authenticate via radius, LDAP or SSO

4. After performing authentication and remediation user can go to protected network

I think this is not an ideal solution for NAC, because CAS should  route the L3 user via untrusted interface.

This is also not ideal because this mean that the traffic flow from user to  protected network is asymetric (Traffic from user to protected network flows inband to NAC, traffic from protected network to user doesnt flow via NAC)

Salam,

Imad

Re: NAC Inband L2 and L3 Simultaneously not work

Imad,

The way you described it working is pretty close to how one would set it up.

Glad that it works for you now!

Ma'salam,

Faisal

471
Views
0
Helpful
6
Replies
CreatePlease to create content