12-11-2020 01:51 PM
We are trying to implement a NAC solution. The basics are that the NAC is connected to the switch stack and, upon sensing a device connecting, it checks it for authentication against the NAC, and if it fails it quarantines it into a specific VLAN. That part is working.
The next step WOULD be that when the device goes to make a connection somewhere and hits the Palo Alto (they are using the Palo Alto for Layer 3), the VLAN it is in SHOULD route it to the authentication page of the NAC and allow them to log in; then the NAC would remove it from the quarantine VLAN and place it in the proper, routable VLAN. This part is not working.
We have tried a few ways to get the Palo Alto to direct all traffic in the quarantine VLAN to a specific IP (internal auth page of the NAC), and nothing we have done is getting it to actually do the redirect...
Thoughts, suggestions, help? I am a PA newb, but have configured these with Cisco PBRs all day long and never had an issue... and Google has not been my friend!!
Thanks in advance if you can help.
12-12-2020 09:25 PM
You are correct in the fact that it is not fully installed... we are 85% installed. We are able to move devices into the quarantine VLAN through our connection at the switch level.
After it is in the quarantine zone, it is supposed to be routed to the splash page of the NAC solution, but the PA acting as their layer 3 routing device is not routing it to the NAC. We have tried static routing and PBF, and the devices never get to the splash page. It just times out.
Getting this, what I have always considered a simple process, routing to the splash page, is the only step left and the NAC implementation is complete. The PAN-OS is the only thing I can't figure out at this point... all other services and applications in this solution are working.
12-12-2020 09:54 PM
It might help to actually say what NAC solution you are using. There are some rather large differences in quarantine configuration between NAC solutions, so knowing how your NAC solution is actually attempting to route to the authentication page would be good to know. Some solutions have you use the NAC appliance as the DNS server for the quarantine VLAN, and others are expecting you to forward all traffic to the NAC authentication page through a proxy.
When it comes to routing on the PAN side, that's going to depend on the rest of your network configuration and how you have things set up. In some situations you could just use a simple static route because the quarantine VLAN is terminating on a dedicated PAN interface, and in others you'll have to use a PBF so that you can capture just the addresses that you are looking for. The firewall isn't going to proxy and redirect the URL to your NAC auth page if that's a requirement, however.
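The distinction the reply draws, between a Layer 3 device forwarding packets toward the NAC and something actually answering the client's HTTP request with a redirect to the splash page, is what a captive portal implements on the NAC side. The following added example (not code from the thread, the NAC vendor, or Palo Alto) shows the two mechanisms the reply names: a wildcard DNS answer that resolves every name in the quarantine VLAN to the NAC, and an HTTP responder that returns a 302 to the auth page for any host except the NAC itself, so the client does not loop. The hostnames, IP and auth URL are assumed placeholders.

```python
"""Toy captive-portal redirector for a NAC quarantine VLAN (added example).

A firewall forwarding packets to the NAC's IP only delivers the TCP connection;
something on the NAC still has to speak HTTP and send the client to the login
page. Browsers and OS captive-portal probes use plain HTTP for exactly this
reason: a 302 cannot be injected into an HTTPS session without a certificate
error, so a redirect-based portal only captures cleartext requests.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

# Assumed values, not taken from the thread: the NAC's own name/IP and auth page.
NAC_HOSTNAME = "nac.example.internal"
NAC_IP = "192.0.2.10"
NAC_AUTH_URL = f"https://{NAC_HOSTNAME}/auth"

# Hosts a quarantined client may reach without being redirected. The NAC itself
# must be here, otherwise the browser is bounced to the auth page forever.
ALLOWED_HOSTS = {NAC_HOSTNAME}


def resolve_for_quarantine(name: str) -> str:
    """DNS-based capture, as used by NAC products that act as the quarantine
    VLAN's resolver: every queried name is answered with the NAC's address,
    so any site the user types lands on the NAC's web server."""
    return NAC_IP


def captive_response(host_header: str, path: str):
    """Decide how the NAC's web server answers one request from a quarantined
    client. Returns (status, headers). Requests for the NAC itself are served
    normally; everything else gets a 302 to the auth page, carrying the page
    the user originally asked for so it can be restored after login."""
    hostname = host_header.split(":", 1)[0].strip().lower()
    if not hostname or hostname in ALLOWED_HOSTS:
        return 200, {}
    original_url = f"http://{host_header}{path}"
    location = f"{NAC_AUTH_URL}?redirect={quote(original_url, safe='')}"
    # no-store keeps the browser from caching the redirect for the real site
    # once the client has been moved to its routable VLAN.
    return 302, {"Location": location, "Cache-Control": "no-store"}


class CaptiveHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end around captive_response()."""

    def do_GET(self):
        status, headers = captive_response(self.headers.get("Host", ""), self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_GET

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    # Listens on the quarantine-facing interface; port is an assumption.
    HTTPServer(("0.0.0.0", 8080), CaptiveHandler).serve_forever()
```

Seen from the firewall, all of this is ordinary forwarding: a static route or PBF rule only needs to get the quarantine VLAN's traffic to `NAC_IP`. If clients time out instead of reaching the splash page, the NAC's DNS or HTTP listener on that path, not a URL rewrite on the firewall, is the piece to verify.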