NAC DNS proxy redirection not working, any alternatives?

  • Question
  • Updated 3 years ago
  • Answered

Hi,

Currently we have set up NAC to run as a DNS proxy to display a portal page from NAC when wireless devices have been quarantined. We have not set up PBR but are just forcing the client to a VLAN with the DNS server settings in DHCP pointing to NAC, and the wireless controller having a policy only allowing access to the NAC DNS.

This seems to be buggy: at times the user is shown the page, but at times they are not. As it stands this has now completely stopped working.

So the question is: do I try to debug this issue, or is there a better method which will work all the time? The requirement is that we want the device to display a message when it has been quarantined.

Is it possible to force a device to an HTTP page from the Extreme controller using policy, which we can point to the NAC HTTP page?

Or are there some instructions on how I can set up PBR on the S series and C series switches to help with this?

Thanks

Kunal Waghela

Posted 3 years ago

Bill Handler

Kunal,


PBR on the S series should be no problem. I don't think the C series can perform PBR (at least not without Advanced Routing Licensing - not sure)...

You will need to mark the packets within the VNS Role Policy for Unregistered as cs2. Occasionally, we have needed to match on IP addresses of the Quarantine/Unregistered VLAN. Change the access-list accordingly.

The S series code should be:

ip access-list extended UR
  permit tcp any any eq 80 dscp cs2
  permit tcp any any eq 8080 dscp cs2
  exit

route-map policy Unreg permit 10
  match ip address UR
  set next-hop <NAC IP Address>
  exit


Thanks,

Bill

Kunal Waghela

Thanks, will give it a go.
Bill Handler

Kunal,


I forgot to add: in your routing interface config for the Unregistered/Quarantine VLAN, add:

ip policy route-map Unreg
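The redirect only works when all three pieces from Bill's two replies line up: the ACL matches the cs2-marked HTTP flows, the route-map references that ACL and sets a real next-hop, and the route-map is actually applied to the quarantine VLAN's routing interface with ip policy route-map. The script below is an added example, not Extreme's tooling or anything from this thread's authors: it parses a config snippet written in the S-series style shown above, lints it for exactly those wiring mistakes (a placeholder next-hop left in, a route-map never applied to an interface, a missing or empty ACL), and simulates which next-hop a given flow would be steered to. The "interface vlan 200" block, the 10.0.0.5 NAC address and the 10.200.0.1 VLAN address are constructed assumptions, and the parser only understands the handful of keywords used in the thread.

```python
import re

# Constructed sample 1: the snippet as posted in the thread, with the placeholder
# next-hop still in place and no interface block at all.
THREAD_SNIPPET = """\
ip access-list extended UR
  permit tcp any any eq 80 dscp cs2
  permit tcp any any eq 8080 dscp cs2
  exit
route-map policy Unreg permit 10
  match ip address UR
  set next-hop <NAC IP Address>
  exit
"""

# Constructed sample 2: the same policy completed with an assumed NAC address and an
# assumed VLAN interface block (interface syntax and addresses are hypothetical).
COMPLETE_CONFIG = THREAD_SNIPPET.replace("<NAC IP Address>", "10.0.0.5") + """\
interface vlan 200
  ip address 10.200.0.1 255.255.255.0
  ip policy route-map Unreg
  exit
"""

# One ACL entry: action, protocol, src, dst, optional 'eq <port>', optional 'dscp <value>'.
ACL_ENTRY = re.compile(
    r"^(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?(?:\s+dscp\s+(\S+))?$")


def parse_config(text):
    """Parse the constructs used in the thread into ACLs, route-maps and interface policies."""
    acls, rmaps, ifaces = {}, {}, {}
    block = None                      # (kind, name) of the config block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            block = None
        elif m := re.match(r"^ip access-list extended (\S+)$", line):
            block = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.match(r"^route-map policy (\S+) (permit|deny) (\d+)$", line):
            block = ("rmap", m.group(1))
            rmaps.setdefault(m.group(1), []).append(
                {"seq": int(m.group(3)), "action": m.group(2), "match": None, "next_hop": None})
        elif m := re.match(r"^interface (.+)$", line):
            block = ("iface", m.group(1))
            ifaces.setdefault(m.group(1), None)
        elif block is None:
            continue                  # global line we do not model
        elif block[0] == "acl" and (m := ACL_ENTRY.match(line)):
            acls[block[1]].append({"action": m.group(1), "proto": m.group(2),
                                   "dport": int(m.group(5)) if m.group(5) else None,
                                   "dscp": m.group(6)})
        elif block[0] == "rmap":
            clause = rmaps[block[1]][-1]
            if m := re.match(r"^match ip address (\S+)$", line):
                clause["match"] = m.group(1)
            elif m := re.match(r"^set next-hop (.+)$", line):
                clause["next_hop"] = m.group(1)
        elif block[0] == "iface" and (m := re.match(r"^ip policy route-map (\S+)$", line)):
            ifaces[block[1]] = m.group(1)
    return acls, rmaps, ifaces


def lint_pbr(text):
    """Return the wiring problems that would stop the redirect; an empty list means it is complete."""
    acls, rmaps, ifaces = parse_config(text)
    problems = []
    for name, clauses in rmaps.items():
        for c in clauses:
            tag = f"route-map {name} seq {c['seq']}"
            if c["match"] is None:
                problems.append(f"{tag}: no 'match ip address', every packet would be policy-routed")
            elif not acls.get(c["match"]):
                problems.append(f"{tag}: ACL {c['match']} is missing or empty")
            if c["action"] == "permit" and c["next_hop"] is None:
                problems.append(f"{tag}: no 'set next-hop'")
            elif c["next_hop"] and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", c["next_hop"]):
                problems.append(f"{tag}: next-hop '{c['next_hop']}' is not an IPv4 address (placeholder left in?)")
        if name not in ifaces.values():
            problems.append(f"route-map {name} is not applied with 'ip policy route-map' on any interface")
    for iface, rmap in ifaces.items():
        if rmap and rmap not in rmaps:
            problems.append(f"interface {iface}: 'ip policy route-map {rmap}' references an undefined route-map")
    return problems


def next_hop_for(text, iface, proto, dport, dscp=None):
    """Simulate one flow entering `iface`: the next-hop it is steered to, or None for normal routing."""
    acls, rmaps, ifaces = parse_config(text)
    for clause in sorted(rmaps.get(ifaces.get(iface), []), key=lambda c: c["seq"]):
        for e in acls.get(clause["match"], []):
            if e["proto"] == proto and e["dport"] in (None, dport) and e["dscp"] in (None, dscp):
                if e["action"] == "permit":
                    return clause["next_hop"] if clause["action"] == "permit" else None
                break                 # ACL deny: this clause does not match, try the next sequence
    return None


if __name__ == "__main__":
    for p in lint_pbr(THREAD_SNIPPET):
        print("thread snippet:", p)
    print("complete config:", lint_pbr(COMPLETE_CONFIG) or "OK")
    print("cs2 tcp/80 on vlan 200 ->", next_hop_for(COMPLETE_CONFIG, "vlan 200", "tcp", 80, "cs2"))
```

Run against the snippet exactly as posted, the lint reports two things: the next-hop placeholder was never replaced, and the route-map is not applied to any interface, which is the step Bill added in his follow-up. The flow simulation also makes the DSCP dependency visible: an HTTP request that the controller did not mark cs2 is not redirected, so if the portal appears only sometimes, checking that the Unregistered role actually marks cs2 is a good first step.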

Doug Hyde, Technical Support Manager
