Hi! I'm doing some labs with the Netsight and Nac appliances. The problem comes when I try to deploy an agent-less informational assessment managed by a profile which maps to a "Assessing" vlan while assessing, a "Quarantine" vlan in order to put the end-system in quarantine and an internal vlan for the accept policy.
Please, correct me if I'm wrong, but the way I think it should work is that while the end-system is being scanned, this end-system is assigned to the Assessing vlan and the assessment server should reach him just to start the scoring tests. But, in order to do that, the end-system should receive a new IP (dhcp needed?) while it's assigned to the Assessing vlan and it should be able to reach the assessment server by its gateway. So the question is, should I need to enable the ipforwarding command between all vlans and how do I receive a new IP for the end-systems while assigned to the Assessing vlan? If I enable the ipforwarding option, the quarantine could be able to reach anywhere but it should be limited by the upm profile assigned to it right? These things come up to my mind because I'm getting the END_SYSTEM_UNREACHABLE error.

Thanks in advance

9 replies

Userlevel 3
If you are using VLANs, you can combine the Assessing and Quarantine VLAN if you desire, as they need the same permissions. What you want to do is create the new VLANs and yes, enable routing or ipforwarding on those VLANs. As like with all other VLANs, you would enable the ip-helper to point to your DHCP server, and also add these subnets to your DHCP server. once that is all working, and you can verify that an end system has no problems communicating on the network, you would then lock the VLAN down with ACLs. you would block everything, but permit DNS, the NAC gateway IP, as well as any other assessment/remediation servers you may have or be using (external assessment?) if you are using PBR for redirection you should also allow web traffic with the appropriate DSCP value.
Matthew, should these ACLs also permit ping with the NAC server, right?
Userlevel 3
if you are using agent-less assessment you should allow full IP access to the NAC server. If you just want to allow remediation access and/or the agent, then they will need primarily ports: 8443, 8080, 80, and 443 to the NAC appliance. ICMP to NAC might be useful for troubleshooting, but i do not believe it is required for this, but is required for agent-less assessment.
Thanks Matthew, I was able to deploy an informational agent-less assessment thanks to your help. I have one last question if you don't mind. If I want to use agent-based assessment, whenever the end user connects to the system, PBR should redirect its traffic to the nac portal page, where he's able to download the agent. Am I right? By now, I'm having always the same error "Assessment agent is not running or has not connected to server".
Userlevel 3
I need some clarification. where is the error? in the End Systems Table? if so, what is the policy and did you assign a quarantine policy? did the end system get placed in the right vlan?

how are your PBR rules set up? with VLANs you generally want to use the source IP of the Quarantine/Assessment VLAN and set the next-hop to the next router interface on the path to the NAC Gateway. PBR will need to be implemented on each hop from the normal network path to the NAC Gateway, otherwise it will not work.
Yes, the error shows in the End Systems Table. I have a policy called Assessment, which has an catch-all condition. The assessment policy and the quarantine policy puts the end user into a "Not Authorized" vlan, which permits the primary ports you've talked about, and the end users get placed right into that vlan. I'm thinking that maybe it's a PBR issue.
Userlevel 3
Does the end system state show quarantine on the end user?

if you tcpdump the NAC gateway's interface, do you see the http requests coming from the client? if not, then you will need to revisit your PBR rules. I'm not sure what you are using for routers, but check to ensure that those rules are working.
Even though it shows "Assessment" Scan Complete Assessment agent is not running or has not connected to server" and "Agent Not Connected To Server", I get the accept policy (maybe because it's authenticated via MAC?).. it should put me under the quarantine policy to reach out the NAC portal page.
Userlevel 7
In the end-system tab righ click on the client and select "configuration evaluation tool" and then on "run evaluation" to see why the client is passing the accept rule AND failed the quarantine rule.

This will give you an idea how to change the rule set to get the correct behavior.