I am deploying NAC as a Layer 3 OOB Real IP Gateway using an ACL. I have a problem: the Agent doesn't try to communicate with the CAS untrusted interface.
I enabled logging on the switch and found that the NAC Agent sends UDP requests to its default gateway (the interface VLAN on the switch), not to the CAS untrusted interface. Because of this, no trigger for NAC authentication and posture assessment happens.
I configured an access list on the untrusted VLAN interface to allow IP traffic to the CAS untrusted interface.
The Agent discovery host points to the CAS untrusted interface.
The Agent will initially send discovery packets to udp/8905 at the client's default gateway (which works when the CAS is L2 adjacent to the user). If the Agent doesn't get a response to those packets, it switches over to udp/8906 to the discovery host that is configured.
Can you do a packet capture on the client and see if the secondary udp/8906 packets are sent out?
Has anyone found a solution to this issue? I am seeing this same issue at two different sites.
The first site is an OOB VGW with CASs installed at the site and the CAMs at another site. Web authentication works fine and ports are changed as they should be, but the Agent never works. I have the discovery host set to the CAM IP address.
The second site is a Real IP Gateway remote site that is experiencing the same behavior. I tried changing the discovery host to either IP of the CAS as well as to the CAM IP, and there was no change.
As explained above, the Agent communicates over UDP/8905 to send discovery packets (L2); with no response, the packet is Layer 3 encapsulated and sent over UDP/8906.
The objective of setting the Discovery Host IP is to forward the traffic THROUGH the CAS server in the case of Layer 3 OOB deployments. Thus, if you are using the CAM server IP address, ensure that the CAM server resides on the TRUSTED side of the CAS server and that the traffic does NOT bypass the CAS server, i.e. go directly to the CAM server without the CAS inline, which most probably happens due to routing.
Thus for OOB, you may point to the IP address of the
- UNTRUSTED interface of the CAS server,
- TRUSTED interface of the CAM server provided the traffic will CROSS the CAS server first.
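The two replies above describe the same discovery sequence: udp/8905 to the client's default gateway first, then the udp/8906 fallback to the configured Discovery Host. The following triage script is an added example, not part of the original thread and not Cisco's code; it parses the client-side capture that the earlier reply asked for (tcpdump text output, assumed to have been taken with `tcpdump -n udp and \( port 8905 or port 8906 \)`) and reports whether the 8906 fallback ever left the client and whether it went to the Discovery Host you configured. The sample capture lines, the gateway address 10.1.1.1 and the Discovery Host 10.2.2.10 are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

L2_DISCOVERY_PORT = 8905   # first attempt, sent to the client's default gateway
L3_DISCOVERY_PORT = 8906   # fallback, sent to the configured Discovery Host

# Matches the address portion of a tcpdump -n line such as
# "12:00:01.000000 IP 10.1.1.50.49152 > 10.1.1.1.8905: UDP, length 40"
_LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")


@dataclass
class DiscoveryPacket:
    src: str
    dst: str
    dport: int


def parse_capture(lines: Iterable[str]) -> List[DiscoveryPacket]:
    """Keep only UDP packets to the two NAC discovery ports."""
    pkts = []
    for line in lines:
        m = _LINE.search(line)
        if not m:
            continue
        dport = int(m.group(4))
        if dport in (L2_DISCOVERY_PORT, L3_DISCOVERY_PORT):
            pkts.append(DiscoveryPacket(m.group(1), m.group(3), dport))
    return pkts


def triage(pkts: List[DiscoveryPacket], default_gw: str, discovery_host: str) -> List[str]:
    """Return a list of findings; an empty list means the capture shows the expected
    sequence (8905 to the gateway, then 8906 to the Discovery Host)."""
    l2 = [p for p in pkts if p.dport == L2_DISCOVERY_PORT]
    l3 = [p for p in pkts if p.dport == L3_DISCOVERY_PORT]
    findings = []
    if not l2:
        findings.append("no udp/8905 packets: agent is not attempting discovery at all")
    elif any(p.dst != default_gw for p in l2):
        findings.append("udp/8905 sent somewhere other than the default gateway")
    if not l3:
        # In L3 OOB the 8905 packets to the switch SVI are expected to go unanswered;
        # the Agent only reaches the CAS if this fallback actually appears.
        findings.append("no udp/8906 fallback: agent never tried the Discovery Host")
    else:
        wrong = sorted({p.dst for p in l3 if p.dst != discovery_host})
        if wrong:
            findings.append(
                f"udp/8906 sent to {wrong}, not the configured Discovery Host {discovery_host}"
            )
    return findings


# Constructed sample captures (not real traffic). Client 10.1.1.50, gateway 10.1.1.1,
# Discovery Host (CAS untrusted interface) 10.2.2.10.
SAMPLE_L2_ONLY = [
    "12:00:01.000000 IP 10.1.1.50.49152 > 10.1.1.1.8905: UDP, length 40",
    "12:00:06.000000 IP 10.1.1.50.49152 > 10.1.1.1.8905: UDP, length 40",
]
SAMPLE_OK = SAMPLE_L2_ONLY + [
    "12:00:11.000000 IP 10.1.1.50.49153 > 10.2.2.10.8906: UDP, length 60",
]
SAMPLE_WRONG_HOST = SAMPLE_L2_ONLY + [
    "12:00:11.000000 IP 10.1.1.50.49153 > 10.9.9.9.8906: UDP, length 60",
]


if __name__ == "__main__":
    for name, cap in (("l2-only", SAMPLE_L2_ONLY), ("ok", SAMPLE_OK), ("wrong-host", SAMPLE_WRONG_HOST)):
        print(name, triage(parse_capture(cap), "10.1.1.1", "10.2.2.10") or ["looks normal"])
```

If the script reports a missing udp/8906 fallback on a real capture, the problem is on the client or Agent side (the fallback never starts); if 8906 is sent but to the wrong address, the Discovery Host setting is not what the Agent is using; if 8906 goes to the right address and still nothing happens, look at routing and the ACL between the client VLAN and the CAS untrusted interface, as the last reply describes.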