Cisco Support Community
New Member

Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB mode

Hello,

Our client has a network with 20 CAS pairs and 1 CAM pair, all with v4.7.2. The wired users all pass through NAC for authentication.

We now want to implement the same setup for the wireless users. The client has a WLC 4404 with v6.0.199. For the needs of NAC authentication, 1 pair of CAS has been implemented.

I have followed the document NAC Out-Of-Band (OOB) Wireless Configuration Example

(http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml).

I have also checked the guides for CAM (v4.7.2) and WLC (v6.0).

The issue is that the implementation of NAC and WLC is not working. The users are connecting like there is no NAC in between. From the troubleshooting I have performed, it seems that the WLC is not communicating correctly with the CAM. I can only see Disassociation traps from the WLC.

Is there any updated document or any other info that can help me to solve the issue?

Thank you,

Stratos Demosthenous

8 REPLIES
Cisco Employee

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

That document is a nice one and contains all needed to have it working.

Please make sure that accounting is configured on the WLAN so that the WLC can send the accounting start to the CAM.

Also, please verify that you have the NAC check box enabled on the WLAN.

Is the quarantine interface configured on the WLC?

What exactly is the client behavior?

Does the client get an IP address?

Does the Clean Access Agent pop up?

Thanks,

Tiago

New Member

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Hello Tiago,

The NAC checkbox and quarantine interface are enabled on the WLC.

The client behaviour is like before I enabled NAC: it connects to the SSID and accesses the network. No agent or redirection page appears.

As far as the RADIUS accounting feature, do I have to enable it even though the SSO feature is not enabled?

If I enable RADIUS accounting, will I see discovered clients on the CAM?

Thank you,

Stratos Demosthenous

Cisco Employee

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Just a note from the controller perspective.

The interface VLAN must be the NAC access VLAN, and what the WLC calls "quarantine vlan" is the NAC authentication VLAN.

When a client is connected over wireless, go to the monitor client page and check the client details. In which VLAN is it placed? Is it in NAC_REQD state or RUN state?

If it's RUN, it means it somehow got the OK from the CAM, while if it's NAC_REQD, it means the WLC is doing its job but apparently your quarantine VLAN allows network access.

Cisco Employee

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

> As far as the RADIUS accounting feature, do I have to enable it even though the SSO feature is not enabled?

> If I enable RADIUS accounting, will I see discovered clients on the CAM?

For Wireless SSO you have to point the RADIUS accounting to the CAS, not the CAM.

You will be able to see the users under the "active VPN clients"; the VPN terminology comes from the fact that Wireless and VPN SSO actually share the same method, being RADIUS accounting from either the WLC or the VPN gateway.

However, if for now you don't see any web redirection nor agent pop-up, I'd check the WLC dynamic interface config for the access and quarantine VLAN, but also the VLAN mapping and managed subnet configuration on the VGW CAS.

Regards,

Federico

New Member

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Hello all,

Thank you for your inputs.

The problem in the end was not the configuration nor the software of the WLC but the operation of the device itself.

I configured the WiSM module (same software version as the WLC) on the 6500 switch that the client has and moved the wireless configuration to it.

The minute I performed this, the NAC operation worked!!!!

I have also enabled SSO using Windows AD in order for the user to have the same feeling as with the wired connection. That also worked from the start.

It seems that the WLC has a lot of problems and Cisco needs to solve them.

Thank you,

Stratos Demosthenous

Cisco Employee

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Hi Stratos,

I strongly doubt that it's a platform problem, especially since a WiSM blade is actually 2 WLC 4404 assembled in a blade, so the platform IS really the same.

I'm quite sure that there is something different in your setup between the WiSM and the WLC, so you might want to check on their differences. It can be as simple as a VLAN missing or something like this.

Regards,

Nicolas

New Member

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

Hello,

The WLC was a temporary solution until the WiSM was placed in the network, so there is no need to troubleshoot further.

Anyway, since you doubt there is a problem with the WLC, have you performed such a setup, and did it work?

If yes, please post it so it can be used for future clients.

Thank you,

Stratos Demosthenous

Cisco Employee

Re: Problem with NAC v4.7.2 and WLC version v6.0.199.4 in L2-OOB

We don't always have such a setup ready at our disposal, but we'll certainly consider posting config examples of NAC + WLC OOB. Thanks for the request.

Nicolas
