Thanks for the help so far with Clean Access. We are up and running L3 OOB w/ ACLs in our test environment and all is working as expected. I have a question that doesn't seem to have been posed yet. I want to create a rule that will kick a user off of their user VLAN after being logged in for X number of hours. Our policy states workstations are to remain off, but that rarely happens and these workstations should be placed back into the auth VLAN if they are not powered off. I've attempted to set the timeout setting on the CAM, but this did not cause the user to be moved back to the auth VLAN. In a L3 OOB multi-hop deployment, how can this be achieved?