
NAC OOB

phamthecong
Level 1

Dear all,

I have this outline in my lab:

I use L3 OOB VG,

quarantine VLAN 100 (172.16.100.0/24), access VLAN 10 (172.16.10.0/24).

The untrusted interface IP 172.16.100.1

The trusted interface IP 172.16.10.3

Router's interface for Access VLAN 172.16.10.1

and the CAM IP 192.168.1.1/24

When I connect a PC to a switch, the switch changes the port to VLAN 100 and the PC obtains an IP address 172.16.10.5 which is what I expected.

The problem is that the PC cannot get the login page.

Could anyone help, please? Thanks.

4 Replies

gerardtorin
Level 1

Did you configure the DNS server? If the PC doesn't resolve the name of the link, the authentication page doesn't work.

Hello,

You specified that you are in OOB VG mode. If this is correct, then only the VLAN ID number is translated from your untrusted auth VLAN (100) to your trusted, production VLAN (10), so the IP address obtained from your untrusted VLAN will not have to be renewed or changed when bounced to VLAN 10 or the prod VLAN. Also, make sure that, when in the auth VLAN (100), your default GW points to the IP address of the CAS, so it sees traffic go through; then the agent will trigger and ask for authentication...

Dominic

If you're configured in VGW, then your GW should not point to the CAS at all.

If DNS is not configured, then can you ping the Untrust Interface IP of the CAS?

Try to browse to the Untrust Interface IP of the CAS, "https://Untrust-Int-IP", and see whether redirection happens or not.

Have you configured User pages or not?

Have you configured any user role with "Require use of clean access agent"?
