I have configured an OOB Virtual Gateway. However, the CAS fails to detect the client and redirect it to the login web page.
Sometimes when I change the managed subnet, it works...
I wonder what exact IP address should be typed into the managed subnet?
Suppose I have 10 trusted VLANs (10, 11, 12, 13 ...), and I create 10 related untrusted VLANs (20, 21, 22, 23 ...)
IP address for VLAN 10: 192.168.10.0/24
IP address for VLAN 11: 192.168.11.0/24
IP address for VLAN 12: 192.168.12.0/24
IP address for VLAN 13: 192.168.10.0/24
I have tried the 4.1.x version of CAM/CAS; that page allowed us to input a subnet address.
However, in 4.5.x or above, we must input a host IP address. Now I have upgraded to version 4.7.2; what IP address and VLAN should I type into this page?
Also, I want to ask about the Network page of the CAS. Should the "Set management VLAN ID" of the untrusted interface be set to "0", left blank, or set to one of the trusted VLANs??
I'm a green hand in NAC... hope someone can guide me. Many thanks.
Always use IP addresses for Managed Subnet entries, and never the subnet address.
As for setting management VLANs, except for some corner cases, it should be nothing on the untrusted side.
How about the VLAN in the managed subnet? Should it be the untrusted or the trusted VLAN??
Failing to get an IP address from the DHCP server...
I added the VLAN mapping in the VLAN mapping tab:
VLAN 1 is the trusted VLAN, VLAN 240 is the untrusted VLAN
VLAN 110 is the trusted VLAN, VLAN 241 is the untrusted VLAN
I also added managed subnets as follows:
188.8.131.52 255.255.0.0 vlan 1
192.168.210.0 255.255.255.0 vlan 110
Traffic Control as follows:
Default <-- DNS* Allow DHCP and DNS
The DHCP server is located in VLAN 1, 168.18.0.x.
VLAN 110 needs to go through its gateway, with an ip helper-address pointing to 168.18.0.x.
Would the ip helper-address make VLAN 241 fail to get an IP?
Is there anything special to do in CAM/CAS so that VLAN 241 can get an IP from the DHCP server 168.18.0.x?
Change those networks to an IP in those networks, so for example 184.108.40.206 255.255.0.0 should be 220.127.116.11
The VLAN tag should be that of the untrusted VLAN, so in this case VLAN 1, and if you can, please move away from VLAN 1 and use something else.
There isn't anything special required for DHCP to work other than a correct managed subnet and VLAN mapping.
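As an added illustration (not code from the thread or from the NAC Appliance itself), the two rules stated in this reply can be checked before typing entries into the Managed Subnet page: the address must be an unused host IP inside the subnet (never the network or broadcast address), and the VLAN tag must be an untrusted VLAN from the VLAN mapping. The mapping used here is the one posted in the question (trusted VLAN 1 <-> untrusted 240, trusted 110 <-> untrusted 241); the entry lines are in the same "ip mask vlan N" form as posted above.

```python
import ipaddress

# Trusted -> untrusted VLAN mapping, copied from the VLAN mapping tab
# described in the question (constructed sample data).
VLAN_MAPPING = {1: 240, 110: 241}


def parse_entry(line):
    """Parse a line like '192.168.210.0 255.255.255.0 vlan 110'."""
    ip, mask, keyword, vlan = line.split()
    if keyword.lower() != "vlan":
        raise ValueError(f"unexpected token {keyword!r} in {line!r}")
    return ip, mask, int(vlan)


def check_managed_subnet(ip, mask, vlan, mapping=VLAN_MAPPING):
    """Return a list of problems with one Managed Subnet entry ([] = OK)."""
    problems = []
    # strict=False lets a host address be combined with the mask.
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr == net.network_address:
        problems.append(f"{ip} is the network address of {net}; "
                        "use an unused host IP in that subnet instead")
    elif addr == net.broadcast_address:
        problems.append(f"{ip} is the broadcast address of {net}; "
                        "use an unused host IP in that subnet instead")
    if vlan in mapping:
        problems.append(f"VLAN {vlan} is a trusted VLAN; the entry needs its "
                        f"untrusted VLAN {mapping[vlan]}")
    elif vlan not in mapping.values():
        problems.append(f"VLAN {vlan} does not appear in the VLAN mapping")
    return problems


def check_entries(lines):
    """Check every 'ip mask vlan N' line; returns {line: [problems]}."""
    return {line: check_managed_subnet(*parse_entry(line)) for line in lines}


if __name__ == "__main__":
    # Constructed sample: the entry as posted, and the corrected form.
    for line, issues in check_entries([
        "192.168.210.0 255.255.255.0 vlan 110",
        "192.168.210.254 255.255.255.0 vlan 241",
    ]).items():
        print(line, "->", issues or "OK")
```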
Oh... maybe my explanation was not clear... It should be VLAN 240 as untrusted; VLAN 1 is trusted.
I knew from the installation guide that VLAN 1 is not recommended, but in my case I can't move it away from the user access (trusted) VLAN.
Using any UNUSED IP address as the virtual gateway in the managed subnet, with the related untrusted VLAN ID:
18.104.22.168 255.255.0.0 vlan 240
Should I configure an ARP entry too?
ARP entries (I saw in the installation guide... it mentioned the entries would be created automatically... how to verify that?? Because there are no entries in the ARP tab)
22.214.171.124 eth1 ????
Also, should I not select "L3 enable"?!!!
No need to set ARP entries. They are done automatically. If your setup is L2 only, then there's no need to enable L3 either. Enabling it won't make a difference for your L2 clients.
To see the arp entries on a CAS, use the command: cat /proc/click/intern_arpq/table (see entries on untrusted side) or cat /proc/click/extern_arpq/table (to see entries on the trusted side)
Yes... ARP would not allow me to add an entry since it conflicts with the managed subnet...
I still have not had a chance to go down to the server room and take a look at the ARP entries. But I will do this next Monday.
Thanks for your reply. However, I still could not get any IP from the DHCP servers.
I wonder whether NO untrusted VLAN can get an IP from the DHCP server NOW.
The attached file is captured from the real case.
I am just using 2 VLANs for testing now.
pic 1 - pic 6:
Only L2 is OK... I have unchecked "L3 enable" already.
126.96.36.199/16 = VLAN1 <--> VLAN240
192.168.210.0/24 = VLAN110 <--> VLAN241
I took 2 unused IP addresses from 188.8.131.52/16 and 192.168.210.254/24 as the managed subnets.
The Unauthenticated role is allowed UDP/DHCP by default...
Could you explain what I did wrong in the configuration?
Help!!... It still fails to get an IP for any untrusted VLAN.
If I set the port as uncontrolled, the PC normally receives an IP for the related VLAN.
So all VLANs (including the "untrusted" ones) are normally configured on all switches located along the paths from the CAS/CAM.
I attached a screen dump for further help!! Many thanks.
Successfully getting an IP NOW... because some VTP was set to transparent and couldn't learn all the VLANs.
Even so... I face some issues... Since the user flat network is big enough to cover a thousand switches, I found some characteristics...
The big flat network is using a "3750 stack" as the core switch. The IOS version is 12.2(25). I did check with the doc.
Extracted as below:
For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.
So.................... my question is:
Although these switches might fail to send SNMP notifications to the CAS/CAM, would all other switches connected to this 3750 also fail to report SNMP notifications???
In my case it seems that all switches connected away from the switch connected to the CAS/CAM successfully perform login and authentication by the CAS; however, all switches connected to this core 3750 fail to perform the login... no login page is even found...
SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM
SW2 and SW3 can successfully perform CAS login.
SW1 fails to get the login page and fails to authenticate, but can get DHCP and is stuck in the untrusted VLAN.
Please post a network diagram of what you're working with. Mark the VLANs and IP addresses and post the switch configurations of the switches in question.
Got it from the SSH console...
cat /proc/click/intern_arpq/table (see entries on untrusted side) <-- No entries
cat /proc/click/extern_arpq/table (to see entries on the trusted side) <-- Many Entries
Why are there no entries in intern_arpq/table????
And is it correct??
Fails to get an IP X.X
Also, more info:
The CAS is using VLAN 228 (192.168.228.0/24)
The CAM is using VLAN 229 (192.168.229.0/24)
They are individual VLANs and use the 3750 for inter-VLAN routing to the other VLANs.
Hi to all,
I would like to ask for some help with my NAC appliance. Currently I'm setting up the NAC appliance. I'm just having trouble with what IP address I should use for the managed subnet. I have set up the trusted VLAN as it exists in our network, but what about the untrusted VLAN? Should I make new IP addresses for it and put them in the untrusted VLAN? I don't know if I made it correct, but I cannot get an IP address every time I change the switchport to the port profile I made. Please can you guys help me? I just need to know it for my project. Thanks.