NAC dns proxy redirection not working any alternatives?
10-13-2015 02:04 PM
Hi,
Currently we have setup NAC to run as a DNS proxy to display a portal page from NAC when wireless devices have been quarantined. We have not setup PBR but are just forcing the client to a VLAN with the DNS server settings in DHCP pointing to NAC and the wireless controller having a policy only allowing access to the NAC DNS.
This seems to be buggy where at times the user is displayed with the page but at times they are not. As it stands this has now completely stopped working.
So question is do I try to debug this issue or is there a better method which will work all the time? Requirement is we want the device to display a message when it has been quarantined.
Is it possible to force a device to an HTTP page from the Extreme controller using policy, which we can point to the NAC HTTP page?
Or are there some instructions on how I can set up PBR on the S series switches and C series to help with this?
Thanks
4 REPLIES
10-15-2015 12:46 PM
Reference: https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-a-Route-map-to-Re-direct-...
Doug Hyde
Director, Technical Support / Extreme Networks
10-14-2015 09:20 AM
Kunal,
I forgot to add, in your routing interface config for the Unregistered/Quarantine VLAN add:
ip policy route-map Unreg
10-14-2015 09:18 AM
thanks, will give it a go
10-14-2015 09:15 AM
Kunal,
PBR on the S series should be no problem. I don't think the C series can perform PBR (at least not without Advanced Routing Licensing - not sure)...
You will need to mark the packets within the VNS Role Policy for Unregistered as cs2. Occasionally, we have needed to match on IP addresses of the Quarantine/Unregistered VLAN. Change the access-list accordingly.
The S series code should be:
! extended ACL: only cs2-marked web traffic from the Unregistered role is selected
ip access-list extended UR
  permit tcp any any eq 80 dscp cs2
  permit tcp any any eq 8080 dscp cs2
  exit
! route-map: matching packets are sent to the NAC portal instead of their real destination
route-map policy Unreg permit 10
  match ip address UR
  set next-hop <NAC-portal-IP-address>
  exit
Thanks,
Bill
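To make the whole chain Bill describes (DSCP cs2 marking by the VNS role, the UR access-list, the Unreg route-map and the ip policy route-map applied to the quarantine VLAN interface) concrete, here is a small simulation of how the switch would classify traffic. It is an added example, not code from the thread or from Extreme Networks; the addresses, the VLAN name and the route-map evaluation order are assumptions of the example.

```python
"""Simulation of the S series policy-based routing chain for the
Unregistered/Quarantine VLAN (added example; all addresses are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DSCP_CS2 = 16  # class selector 2; the VNS role policy marks quarantined clients with it


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    dscp: int = 0   # 0 = unmarked


@dataclass(frozen=True)
class AclEntry:
    proto: str
    dport: int
    dscp: Optional[int] = None  # None means "any DSCP value"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.dport == self.dport
                and (self.dscp is None or pkt.dscp == self.dscp))


@dataclass
class RouteMapSeq:
    seq: int
    match_acl: str
    next_hop: str


@dataclass
class Switch:
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    route_maps: Dict[str, List[RouteMapSeq]] = field(default_factory=dict)
    interface_policy: Dict[str, str] = field(default_factory=dict)  # VLAN -> route-map

    def pbr_next_hop(self, vlan: str, pkt: Packet) -> Optional[str]:
        """Return the PBR next hop for a packet entering on `vlan`, or None
        when the packet falls through to ordinary destination-based routing."""
        rm_name = self.interface_policy.get(vlan)
        if rm_name is None:
            return None
        for seq in sorted(self.route_maps[rm_name], key=lambda s: s.seq):
            # Inside a route-map an ACL 'permit' means "this packet matches",
            # it does not by itself forward or drop anything.
            if any(e.matches(pkt) for e in self.acls[seq.match_acl]):
                return seq.next_hop
        return None


def build_unreg_switch(nac_portal_ip: str) -> Switch:
    """Mirror the configuration from the thread as data."""
    sw = Switch()
    # ip access-list extended UR
    sw.acls["UR"] = [AclEntry("tcp", 80, DSCP_CS2), AclEntry("tcp", 8080, DSCP_CS2)]
    # route-map policy Unreg permit 10 / match ip address UR / set next-hop <NAC>
    sw.route_maps["Unreg"] = [RouteMapSeq(10, "UR", nac_portal_ip)]
    # ip policy route-map Unreg on the Unregistered/Quarantine VLAN interface
    sw.interface_policy["vlan-unreg"] = "Unreg"
    return sw


def classify_samples() -> Dict[str, Optional[str]]:
    """Run a few constructed packets through the policy and report the next hop."""
    nac = "192.0.2.10"        # assumed NAC portal address (documentation range)
    client = "10.99.0.25"     # assumed quarantined wireless client
    sw = build_unreg_switch(nac)
    samples = {
        "http_cs2":      Packet("tcp", client, "198.51.100.7", 80, DSCP_CS2),
        "http_alt_cs2":  Packet("tcp", client, "198.51.100.7", 8080, DSCP_CS2),
        "https_cs2":     Packet("tcp", client, "198.51.100.7", 443, DSCP_CS2),
        "http_unmarked": Packet("tcp", client, "198.51.100.7", 80, 0),
        "dns_cs2":       Packet("udp", client, nac, 53, DSCP_CS2),
    }
    return {name: sw.pbr_next_hop("vlan-unreg", p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hop in classify_samples().items():
        print(f"{name:14} -> {hop or 'normal routing'}")
```

Two things the simulation makes visible that a quarantined user will notice: traffic to port 443 is never matched by the UR list, so a client whose first request is HTTPS gets a timeout rather than the portal, and traffic that the role policy failed to mark cs2 is routed normally even though it came from the quarantine VLAN. DNS to NAC is also untouched by the route-map, which is what keeps the existing DNS-proxy setup working alongside PBR.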
