END_SYSTEM_UNREACHABLE error in NAC

Juan_Battaglino
New Contributor
Hi! I'm doing some labs with the NetSight and NAC appliances. The problem comes when I try to deploy an agent-less informational assessment managed by a profile which maps to an "Assessing" VLAN while assessing, a "Quarantine" VLAN in order to put the end-system in quarantine, and an internal VLAN for the accept policy.
Please, correct me if I'm wrong, but the way I think it should work is that while the end-system is being scanned, this end-system is assigned to the Assessing VLAN and the assessment server should reach it just to start the scoring tests. But, in order to do that, the end-system should receive a new IP (DHCP needed?) while it's assigned to the Assessing VLAN, and it should be able to reach the assessment server through its gateway. So the question is, do I need to enable the ipforwarding command between all VLANs, and how do I receive a new IP for the end-systems while assigned to the Assessing VLAN? If I enable the ipforwarding option, the quarantine could be able to reach anywhere, but it should be limited by the UPM profile assigned to it, right? These things come to mind because I'm getting the END_SYSTEM_UNREACHABLE error.

Thanks in advance

Matthew_Hum1
Extreme Employee
I need some clarification. Where is the error? In the End Systems Table? If so, what is the policy, and did you assign a quarantine policy? Did the end system get placed in the right VLAN?

How are your PBR rules set up? With VLANs you generally want to use the source IP of the Quarantine/Assessment VLAN and set the next-hop to the next router interface on the path to the NAC Gateway. PBR will need to be implemented on each hop from the normal network path to the NAC Gateway, otherwise it will not work.

Juan_Battaglino
New Contributor
Thanks Matthew, I was able to deploy an informational agent-less assessment thanks to your help. I have one last question if you don't mind. If I want to use agent-based assessment, whenever the end user connects to the system, PBR should redirect their traffic to the NAC portal page, where they are able to download the agent. Am I right? For now, I'm always getting the same error: "Assessment agent is not running or has not connected to server".

Matthew_Hum1
Extreme Employee
If you are using agent-less assessment you should allow full IP access to the NAC server. If you just want to allow remediation access and/or the agent, then they will primarily need ports 8443, 8080, 80, and 443 to the NAC appliance. ICMP to NAC might be useful for troubleshooting, and I do not believe it is required for this, but it is required for agent-less assessment.

Juan_Battaglino
New Contributor
Matthew, these ACLs should also permit ping to the NAC server, right?

Matthew_Hum1
Extreme Employee
If you are using VLANs, you can combine the Assessing and Quarantine VLANs if you desire, as they need the same permissions. What you want to do is create the new VLANs and, yes, enable routing or ipforwarding on those VLANs. As with all other VLANs, you would enable the ip-helper to point to your DHCP server, and also add these subnets to your DHCP server. Once that is all working, and you can verify that an end system has no problems communicating on the network, you would then lock the VLAN down with ACLs. You would block everything but permit DNS, the NAC gateway IP, as well as any other assessment/remediation servers you may have or be using (external assessment?). If you are using PBR for redirection, you should also allow web traffic with the appropriate DSCP value.
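An added example, not from this thread or from Extreme: a small Python model of the lock-down ACL described above, using constructed placeholder addresses, that checks whether a rule set still permits the traffic each assessment mode needs (DNS, the NAC gateway ports, and ICMP for agent-less scanning) before the VLAN is locked down.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addresses; the thread names no real ones.
NAC_GATEWAY, DNS_SERVER = "10.0.0.10", "10.0.0.53"
QUARANTINE_NET = ipaddress.ip_network("10.99.0.0/24")
CLIENT = "10.99.0.25"   # constructed end-system sitting in the quarantine VLAN

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # 0 for icmp

@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    dst: str = "any"
    proto: str = "any"
    dport: int = 0  # 0 matches any port
    def matches(self, flow: Flow) -> bool:
        return (self.dst in ("any", flow.dst) and self.proto in ("any", flow.proto)
                and self.dport in (0, flow.dport))

def evaluate(rules: list, flow: Flow) -> str:
    """First-match evaluation of the ACL bound to the quarantine/assessing VLAN."""
    if ipaddress.ip_address(flow.src) not in QUARANTINE_NET:
        return "permit"   # other VLANs are not subject to this ACL
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"         # implicit deny at the end of the list

# Agent/remediation-only lock-down: DNS plus the four ports named in the reply.
AGENT_BASED_ACL = [Rule("permit", DNS_SERVER, "udp", 53)] + [
    Rule("permit", NAC_GATEWAY, "tcp", p) for p in (80, 443, 8080, 8443)] + [Rule("deny")]
# Agent-less lock-down: full IP access to the NAC gateway, so ICMP passes too.
AGENTLESS_ACL = [Rule("permit", DNS_SERVER, "udp", 53), Rule("permit", NAC_GATEWAY), Rule("deny")]

def required_flows(agentless: bool) -> list:
    """Traffic the quarantined end-system must be able to send in each mode."""
    flows = [Flow(CLIENT, DNS_SERVER, "udp", 53), Flow(CLIENT, NAC_GATEWAY, "tcp", 8443)]
    if agentless:   # the scanner's pings must get their echo replies back
        flows.append(Flow(CLIENT, NAC_GATEWAY, "icmp"))
    return flows

def blocked_required(rules: list, agentless: bool) -> list:
    """Required flows this ACL would drop; anything listed leaves the host unreachable."""
    return [f for f in required_flows(agentless) if evaluate(rules, f) == "deny"]
```

Running `blocked_required(AGENT_BASED_ACL, agentless=True)` reports the ICMP flow, which is the kind of gap that shows up as END_SYSTEM_UNREACHABLE when an agent-only ACL is reused for agent-less scanning.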