Clean Access & Windows Loginscript Problems

Apr 5th, 2007

Hi Everyone


We are installing NAC Cisco Clean Access.

The CAS is installed as L2 Virtual Gateway Out-of-Band - with SSO towards the AD.


We are experiencing some problems related to Windows Domain login scripts (vbs)

They are not executed.

It looks like the Microsoft Group Policies are pushed to the Client, but the login script never starts.

"Everything" else works - VLAN Mapping, Network Access and so on.



We have modified the "Unauthenticated Role" so that a Domain Logon can be done.


Does anyone have experience related to this issue?


Greetings


Jarle

jt3rry Wed, 05/02/2007 - 05:25

We are experiencing the exact same problem, under CCA version 4.1.1 - Were you ever able to find a fix?


Thanks,

jvr775 Thu, 05/03/2007 - 09:31

Hey all-

Try adding a ping statement at the beginning of the login script. The goal is to use an IP that is not pingable while on the Authentication VLAN. That ping will loop in the background, and once the agent finishes authentication and the CAM changes the VLAN to Access, the ping will complete and the script moves on to the next function.


Script.BAT

@echo off
:CHECK
echo Please wait
rem 10.x.x.x is a host that only answers once the port is in the Access VLAN
ping -n 1 -l 1 10.x.x.x
rem no reply yet (errorlevel 1) -> still on the Authentication VLAN, try again
if errorlevel 1 goto CHECK
@echo on
net use L: \\Server\Script






Hope this helps!

please rate

thanks

dominic.bilodea... Fri, 05/04/2007 - 04:35

Hi all,


We experienced 2 problems with the login script.


A) The ipconfig /release and /renew were occasionally taking place in the middle of the script execution, so some of the mapped drives were missing.


B) Apparently, whether you are using linkup or MAC notification to control your switchport access, the auth VLAN is set on the switchport only when it "sees" the MAC address of the controlled PC. In our case the network card driver loads in Windows XP and the switchport is bounced to the auth VLAN, and while that process is running, if the user logs in too quickly, the Windows XP machine loads its credentials from cache (doesn't see a domain controller) and therefore the login script is not executed at all.


Best way to fix problem A) is to do as jvr775 suggests. we


And for the fix to B), I opened a case with Cisco, because when the switch sends the SNMP Link-Up trap to the CAM it should be set to the Auth VLAN right away, but in our case it's not.



Finally, when debugging, I think it's very useful to do a "show run int FX/X" on the port controlled by the NAC while booting the PC; it really helps to see what's going on in the boot process.


Dominic

jsteffensen Mon, 05/07/2007 - 01:58

Hi


Yes we have solved the problem. It is related to the DHCP IP renewal after authentication.

Windows Group-Policies cannot be stopped/halted the same way as Logon-Scripts can.


The problem is solved only because we keep the same IP address after a successful authentication/authorisation (L2 OOB - Virtual Gateway).

This is done by disabling the DHCP renewal on the CAM.


This cannot be done using the GUI!!!

It must be done by logging on to the CAM and deleting and adding "DhcpRenewDelay" in the "smartmanager_conf" SQL tables.


(Sorry, we are not allowed to post the CLI syntax - but your Cisco AM can help you with this dedicated problem.)


Greetings


Jarle

jt3rry Mon, 05/07/2007 - 04:24

Thanks. One suggestion being made by Cisco right now is to change our login script from VB-based to a typical batch file (I'm not sure I like this as a "fix"). But would you mind sharing your login script?


Thanks again,

jsteffensen Mon, 05/07/2007 - 04:55

Well, I guess the fix is to start a batch file that then loads the Visual Basic script afterwards... ;-)


Here is our batch file:

Batch-File for Ping Test:

:CHECK
echo Please wait....
rem 172.16.1.21 only answers once the port has been moved to the Access VLAN
ping -n 1 -l 1 172.16.1.21
rem no reply (errorlevel 1) -> still on the Authentication VLAN, loop again
if errorlevel 1 goto CHECK
@echo on
rem pause a few seconds so the DHCP renew can finish before the VBS runs
ping 127.0.0.1 -n 5
\\server\sysvol\company.local\Policies\{0753456-7234-15AC-CA1B-27293560221}\User\Scripts\Logon\LogonScript.vbs


The ping 127.0.0.1 -n 5 is to delay the execution of the logon script by 5 seconds so that the DHCP renew and everything else can take place first... (trick nr. 386... ;-) )


Hope this helps


Greetings


Jarle
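The wait-loop that jvr775 and Jarle describe above, written out as an added example (this is not code from either post). It adds two things a practitioner usually wants in a logon script: a bounded number of retries so a client that never reaches the Access VLAN does not hang at logon forever, and a reply check on the ping output instead of on errorlevel alone, since Windows XP's ping can return 0 for "Destination host unreachable". It also waits until the client's own address is on the Access subnet, which is the DHCP-renew race Dominic describes as problem A). The Access subnet 172.16.1.0/24 (Jarle's test host 172.16.1.21 is reused), the UNC path of the real logon script and the event source name are assumptions for illustration only.

```batch
@echo off
rem Added example, not from the thread. Assumptions: the Access VLAN is
rem 172.16.1.0/24, 172.16.1.21 answers only from that VLAN, and the real
rem logon script is \\server\netlogon\LogonScript.vbs.
setlocal
set TESTHOST=172.16.1.21
set ACCESS_PREFIX=172.16.1.
set MAXTRIES=60
set /a TRIES=0

:WAITNET
rem Look for "TTL=" in the reply rather than trusting errorlevel: on XP a
rem "Destination host unreachable" answer exits ping with 0 and would end
rem the loop while the port is still in the Authentication VLAN.
ping -n 1 -w 1000 %TESTHOST% | find "TTL=" >nul
if not errorlevel 1 goto WAITIP
set /a TRIES+=1
if %TRIES% GEQ %MAXTRIES% goto TIMEOUT
goto WAITNET

:WAITIP
rem The port is in the Access VLAN, but the client may still hold its
rem Authentication-VLAN lease. Wait until ipconfig shows an address on the
rem Access subnet before mapping drives or running the VBS. (findstr /R:
rem the dots in the prefix match any character, which is fine here.)
ipconfig | findstr /R /C:"Address.*: *%ACCESS_PREFIX%" >nul
if not errorlevel 1 goto RUNSCRIPT
set /a TRIES+=1
if %TRIES% GEQ %MAXTRIES% goto TIMEOUT
rem ~1 second pause between checks
ping -n 2 127.0.0.1 >nul
goto WAITIP

:RUNSCRIPT
rem cscript keeps the VBS in the console context of the batch file
cscript //nologo "\\server\netlogon\LogonScript.vbs"
goto END

:TIMEOUT
echo Access VLAN not reached within %MAXTRIES% tries; skipping the logon script.
rem Leave a trace in the Application log so the helpdesk can see why drives are missing
eventcreate /T WARNING /ID 100 /L APPLICATION /SO NACLogon /D "Logon script skipped: access VLAN not reached" >nul 2>&1

:END
endlocal
```

With MAXTRIES=60 and a one-second ping timeout plus a one-second pause in the second loop, the script gives up after roughly one to two minutes instead of looping indefinitely, and the event log entry records that the logon script was skipped rather than leaving the user to report "missing drives" with no trace.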


dominic.bilodea... Mon, 05/07/2007 - 05:25

Hi jsteffensen



Thanks for your input about disabling IP renewal. We are in Real-IP GW mode, so we must keep changing IP addresses. Initially we were thinking of using Virtual GW mode too, but we thought it could be hard to manage since we have more than 1000 PCs and over 20 VLANs...


How many PCs / VLANs do you have? Is it hard to manage?


Thanks.


Dominic

jsteffensen Mon, 05/07/2007 - 05:42

Hi


Well, we are still "piloting", which makes it much easier. At the moment we are only testing with 3 VLANs and about 30 PCs.

The CAS's are close to the edge.

Managing this is pretty easy.


In a final config the CAS will be centralized, and I bet there will be problems with DHCP renewal and Group Policies - so I can't help you with information about a large-scale rollout.


Greetings


Jarle

