04-05-2007 05:28 AM - edited 03-09-2019 05:44 PM
Hi Everyone
We are installing NAC Cisco Clean Access.
The CAS is installed as an L2 Virtual Gateway Out-of-Band, with SSO against AD.
We are experiencing some problems related to Windows domain login scripts (VBS):
they are not executed.
It looks like the Microsoft Group Policies are pushed to the client, but the login script never starts.
"Everything" else works - VLAN Mapping, Network Access and so on.
We have modified the "Unauthenticated Role" so that a Domain Logon can be done.
Does anyone have experience related to this issue?
Greetings
Jarle
05-02-2007 05:25 AM
We are experiencing the exact same problem, under CCA version 4.1.1 - Were you ever able to find a fix?
Thanks,
05-03-2007 09:31 AM
Hey all,
Try adding a ping statement at the beginning of the login script. The goal is to use an IP that is not pingable while on the Authentication VLAN. That ping will loop in the background, and once the agent finishes authentication and the CAM changes the VLAN to Access, the ping will complete and the script moves on to the next function.
Script.BAT
@echo off
:CHECK
echo Please wait
REM 10.x.x.x is a host that only answers once the port is on the Access VLAN
ping -n 1 -l 1 10.x.x.x
REM ping sets errorlevel 1 when no reply was received, so loop until it succeeds
if errorlevel 1 goto CHECK
@echo on
net use L: \\Server\Script
Hope this helps!
please rate
thanks
05-04-2007 04:35 AM
Hi all,
We experienced 2 problems with the login script.
A) The ipconfig /release and /renew were occasionally taking place in the middle of the script execution, so some of the mapped drives were missing.
B) Apparently, whether you are using linkup or MAC notification to control your switchport access, the auth VLAN is set on the switchport only when it "sees" the MAC address of the controlled PC. In our case the network card driver loads in Windows XP and the switchport is bounced to the auth VLAN, and while that process is running, if the user logs in too quickly, the Windows XP machine loads its credentials from cache (doesn't see the domain controller) and therefore the login script is not executed at all.
The best way to fix problem A) is to do as jvr755 suggests. we
And for a fix to B), I opened a case with Cisco, because when the switch sends the SNMP Link-Up trap to the CAM it should be set to the Auth VLAN right away, but in our case it's not.
Finally, when debugging, I think it's very useful to do a "show run int FX/X" on the port controlled by the NAC while booting the PC; it really helps to see what's going on in the boot process.
Dominic
05-07-2007 01:58 AM
Hi
Yes, we have solved the problem. It is related to the DHCP IP renewal after authentication.
Windows Group Policies cannot be stopped/halted the same way as logon scripts can.
The problem is solved only because we keep the same IP address after a successful authentication/authorisation (L2 OOB - Virtual Gateway).
This is done by disabling the DHCP renewal on the CAM.
This cannot be done using the GUI!!!
It must be done by logging on to the CAM and deleting and adding "DhcpRenewDelay" in the "smartmanager_conf" SQL tables.
(Sorry, we are not allowed to post the CLI syntax, but your Cisco AM can help you with this dedicated problem.)
Greetings
Jarle
05-07-2007 04:24 AM
Thanks. One suggestion being made by Cisco right now is to change our login script from a VB-based one to a typical batch file (I'm not sure I like this as a "fix"). But would you mind sharing your login script?
Thanks again,
05-07-2007 04:55 AM
Well, I guess the fix is to start a batch file which then loads the Visual Basic script afterwards... ;-)
Here is our batch file:
Batch file for ping test:
@echo off
:CHECK
echo Please wait....
REM 172.16.1.21 answers only from the Access VLAN; loop until it replies
ping -n 1 -l 1 172.16.1.21
if errorlevel 1 goto CHECK
@echo on
REM roughly 5 seconds of delay (ping to localhost waits 1 s between echoes)
ping 127.0.0.1 -n 5
REM now run the real VBS logon script from SYSVOL
\\server\sysvol\company.local\Policies\{0753456-7234-15AC-CA1B-27293560221}\User\Scripts\Logon\LogonScript.vbs
The ping 127.0.0.1 -n 5 is to delay the execution of the logon script by 5 sec so that the DHCP renew and everything else can take place first... (trick nr 386... ;-) )
Hope this helps
Greetings
Jarle
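The two batch wrappers above (jvr755's and Jarle's) both loop forever until a probe host answers. An added example follows that is not from this thread or from Cisco: it keeps the same "ping until the Access VLAN is reachable, then wait, then run the VBS" idea, but bounds the number of retries so a machine that never gets moved to the Access VLAN does not hang the logon indefinitely, and it tests for a real echo reply ("TTL=" in the output) because ping can return errorlevel 0 on a "Destination host unreachable" answer. The probe address 172.16.1.21, the script path \\server\netlogon\LogonScript.vbs and the retry limit are hypothetical values to be replaced with your own.

```batch
@echo off
REM Added example, not part of the original posts.
REM Assumptions (hypothetical values): PROBE is a host that answers ping only
REM from the Access VLAN, never from the Authentication VLAN, and SCRIPT is the
REM real VBS logon script that should run once network access is granted.
setlocal EnableDelayedExpansion
set "PROBE=172.16.1.21"
set "SCRIPT=\\server\netlogon\LogonScript.vbs"
set "MAXTRIES=60"
set "TRIES=0"

:WAIT
set /a TRIES+=1
if !TRIES! gtr %MAXTRIES% goto TIMEOUT
REM Only a line containing "TTL=" is a genuine echo reply. A "Destination host
REM unreachable" answer can leave ping's errorlevel at 0 on some Windows
REM versions, so filter the output instead of trusting errorlevel alone.
ping -n 1 -w 1000 %PROBE% | find "TTL=" >nul
if errorlevel 1 (
    echo Waiting for network access, attempt !TRIES! of %MAXTRIES%...
    REM ~1 second pause; ping to localhost waits 1 s between its two echoes
    ping -n 2 127.0.0.1 >nul
    goto WAIT
)

REM Port is on the Access VLAN. Give the DHCP release/renew a few seconds to
REM settle before the script starts mapping drives, as the thread recommends.
ping -n 6 127.0.0.1 >nul

REM Run the VBS under cscript so errors land on the console, not in a popup.
cscript //nologo "%SCRIPT%"
goto END

:TIMEOUT
echo Network access not granted after %MAXTRIES% attempts; skipping logon script.
endlocal
exit /b 1

:END
endlocal
exit /b 0
```

Pick the probe host carefully: it must be unreachable from the Authentication VLAN for the whole logon, otherwise the loop exits early and the drive mappings hit the same DHCP-renew race the posts describe. The retry limit also doubles as a detection hook: a logon that ends at :TIMEOUT means the CAM never moved the port to the Access VLAN, which is exactly problem B) from Dominic's post.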
05-07-2007 05:25 AM
Hi jsteffensen
Thanks for your input about disabling IP renewal. We are in Real-IP GW mode, so we must keep changing IP addresses. Initially we were thinking of using Virtual GW mode too, but we thought it could be hard to manage since we have more than 1000 PCs and over 20 VLANs...
How many PCs / VLANs do you have? Is it hard to manage?
Thanks.
Dominic
05-07-2007 05:42 AM
Hi
Well, we are still "piloting", which makes it much easier. At the moment we are only testing for 3 VLANs and about 30 PCs.
The CASs are close to the edge.
Managing this is pretty easy.
In a final config the CAS will be centralized, and I bet there will be problems with DHCP renewal and Group Policies, so I can't help you with information about a large-scale rollout.
Greetings
Jarle