I am testing the following setup: Client>>>NAT Router>>>CAS>>>CAM
We use inband VG CAS and checked "enable L3 support"(the other two options not checked). In our test, we connected two wired clients behind a NAT broadband router. >From 4.1 documentation: "The Agent always sends the MAC/IP address pair of the client at login request regardless of the CAS configuration. The CAS then determines what to read or discard. If the CAS is enabled for L3 deployment, the CAS takes the MAC/IP address of the Agent at UDP discovery and at login request." I think both two client behind the router should pass the posture checks because the CAS looked at the IP/MAC information sent by agent, not the router. But the test result shows that only the first user got checked and 2nd user can get network access without checks. In the online users list, I see the client username with the IP/MAC of the router. That means CAS still looks at the IP/MAC of the router, not the agent. To me it is different with the documentation. Anyone tried with this scenario? Any advices? Thanks! Dennis Xu Network Analyst(CCS) University of Guelph 5198244120 x 56217
