NAC dns proxy redirection not working any alternatives?

Kunal_Waghela
New Contributor
Hi,

Currently we have set up NAC to run as a DNS proxy to display a portal page from NAC when wireless devices have been quarantined. We have not set up PBR but are just forcing the client to a VLAN with the DNS server settings in DHCP pointing to NAC and the wireless controller having a policy only allowing access to the NAC DNS.

This seems to be buggy where at times the user is displayed with the page but at times they are not. As it stands this has now completely stopped working.

So the question is: do I try to debug this issue or is there a better method which will work all the time? Requirement is we want the device to display a message when it has been quarantined.

Is it possible to force a device to an HTTP page from the Extreme controller using policy, which we can point to the NAC HTTP page?

Or are there some instructions on how I can set up PBR on the S series switches and C series to help with this?

Thanks

4 REPLIES

Doug
Extreme Employee
Reference: https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-a-Route-map-to-Re-direct-...
Doug Hyde
Director, Technical Support / Extreme Networks

Bill_Handler
Contributor II
Kunal,

I forgot to add, in your routing interface config for the Unregistered/Quarantine VLAN add:

ip policy route-map Unreg

Kunal_Waghela
New Contributor
Thanks, will give it a go.

Bill_Handler
Contributor II
Kunal,

PBR on the S series should be no problem. I don't think the C series can perform PBR (at least not without Advanced Routing Licensing - not sure)...

You will need to mark the packets within the VNS Role Policy for Unregistered as cs2. Occasionally, we have needed to match on IP addresses of the Quarantine/Unregistered VLAN. Change the access-list accordingly.

The S series code should be:

ip access-list extended UR
permit tcp any any eq 80 dscp cs2
permit tcp any any eq 8080 dscp cs2
exit

route-map policy Unreg permit 10
match ip address UR
set next-hop
exit

Thanks,

Bill
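
An added illustration, not part of the thread or of Extreme's documentation: a small Python model of the UR access list posted above, run against constructed packets, showing which quarantined-client traffic the route-map would catch. The DSCP numbers are the standard class-selector code points; that unmatched packets follow normal routing is an assumption.

```python
# Added example: offline model of the "UR" access list from the post above.
# Assumption: packets the ACL does not permit are forwarded by the normal
# routing table instead of the route-map next hop.

DSCP = {"cs1": 8, "cs2": 16, "cs3": 24}  # standard class-selector code points

ACL_UR = """\
permit tcp any any eq 80 dscp cs2
permit tcp any any eq 8080 dscp cs2
"""

def parse_acl(text):
    """Parse 'permit <proto> any any eq <port> dscp <name>' entries."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if (len(tok) != 8 or tok[0] != "permit"
                or tok[2:5] != ["any", "any", "eq"] or tok[6] != "dscp"):
            raise ValueError(f"unsupported ACL entry: {line!r}")
        rules.append({"proto": tok[1], "dport": int(tok[5]), "dscp": DSCP[tok[7]]})
    return rules

def policy_routed(rules, pkt):
    """True if the packet matches an entry and would get the route-map next hop."""
    return any(
        pkt["proto"] == r["proto"] and pkt["dport"] == r["dport"]
        and pkt["dscp"] == r["dscp"]
        for r in rules
    )

# Constructed sample packets from a quarantined client (not captured traffic).
SAMPLES = [
    ("HTTP, marked cs2 by the role", {"proto": "tcp", "dport": 80, "dscp": 16}),
    ("HTTP alt port, marked cs2", {"proto": "tcp", "dport": 8080, "dscp": 16}),
    ("HTTP, role did not mark it", {"proto": "tcp", "dport": 80, "dscp": 0}),
    ("HTTPS, marked cs2", {"proto": "tcp", "dport": 443, "dscp": 16}),
    ("DNS query, marked cs2", {"proto": "udp", "dport": 53, "dscp": 16}),
]

def evaluate(samples=SAMPLES, acl=ACL_UR):
    """Return {label: True if policy-routed} for each sample packet."""
    rules = parse_acl(acl)
    return {label: policy_routed(rules, pkt) for label, pkt in samples}

if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:30} -> {'route-map next hop' if hit else 'normal routing'}")
```

Only TCP 80 and 8080 packets that arrive already marked cs2 are redirected, so a client whose role does not apply the marking, or whose first request is HTTPS, never reaches the portal through this route-map.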
