Clean Access & Windows Loginscript Problems

jsteffensen
Level 1

Hi Everyone

We are installing NAC Cisco Clean Access.

The CAS is installed as an L2 Virtual Gateway, Out-of-Band, with SSO towards the AD.

We are experiencing some problems related to Windows domain login scripts (VBS): they are not executed.

It looks like the Microsoft Group Policies are pushed to the Client, but the login script never starts.

"Everything" else works - VLAN Mapping, Network Access and so on.

We have modified the "Unauthenticated Role" so that a Domain Logon can be done.

Does anyone have experience related to this issue?

Greetings

Jarle

8 Replies

jt3rry
Level 1

We are experiencing the exact same problem, under CCA version 4.1.1. Were you ever able to find a fix?

Thanks,

Hey all-

Try adding a ping statement at the beginning of the login script. The goal is to use an IP that is not pingable while on the authentication VLAN. That ping will loop in the background, and once the agent finishes authentication and the CAM changes the VLAN to Access, the ping will complete and the script moves on to the next function.

Script.BAT

:CHECK
@echo off
echo Please wait
rem Probe an address that only answers once the port has moved to the access VLAN
ping -n 1 -l 1 10.x.x.x
rem Keep looping until the ping succeeds (errorlevel 0)
if errorlevel 1 goto CHECK
@echo on
net use L: \\Server\Script

Hope this helps!

please rate

thanks

Hi all,

We experienced 2 problems with the login script.

A) The ipconfig /release and /renew were occasionally taking place in the middle of the script execution, so some of the mapped drives were missing.

B) Apparently, whether you are using linkup or MAC notification to control your switchport access, the auth VLAN is set on the switchport only when it "sees" the MAC address of the controlled PC. In our case the network card driver loads in Windows XP and the switchport is bounced to the auth VLAN; while this is in progress, if the user logs in too quickly, the Windows XP machine loads its credentials from cache (it doesn't see the domain controller) and therefore the login script is not executed at all.

The best way to fix problem A) is to do as jvr755 suggests. we

As for a fix to B), I opened a case with Cisco because when the switch sends the SNMP Link-Up trap to the CAM it should be set to the Auth VLAN right away, but in our case it's not.

Finally, when debugging, I think it's very useful to do a "show run int FX/X" on the port controlled by the NAC while booting the PC; it really helps to see what's going on in the boot process.

Dominic

Hi

Yes we have solved the problem. It is related to the DHCP IP renewal after authentication.

Windows Group-Policies cannot be stopped/halted the same way as Logon-Scripts can.

The problem is solved only because we keep the same IP address after a successful authentication/authorisation (L2 OOB - Virtual Gateway).

This is done by disabling the DHCP renewal on the CAM.

This cannot be done using the GUI!!! It must be done by logging on to the CAM and deleting and adding "DhcpRenewDelay" in the "smartmanager_conf" SQL table.

(Sorry, we are not allowed to post the CLI syntax, but your Cisco AM can help you with this dedicated problem.)

Greetings

Jarle

Thanks. One suggestion being made by Cisco right now is to change our login script from a VB-based one to a typical batch file (I'm not sure I like this as a "fix"). But would you mind sharing your login script?

Thanks again,

Well, I guess the fix is to start a batch file, which then loads the Visual Basic script afterwards... ;-)

Here is our batch file:

Batch file for ping test:

:CHECK
echo Please wait....
rem 172.16.1.21 only answers once the port has moved to the access VLAN
ping -n 1 -l 1 172.16.1.21
if errorlevel 1 goto CHECK
@echo on
rem Delay about 5 seconds so the DHCP renew can finish before the VBS runs
ping 127.0.0.1 -n 5
\\server\sysvol\company.local\Policies\{0753456-7234-15AC-CA1B-27293560221}\User\Scripts\Logon\LogonScript.vbs

The "ping 127.0.0.1 -n 5" is there to delay the execution of the logon script by 5 seconds so that the DHCP renew and everything else can take place first... (trick nr 386... ;-) )

Hope this helps

Greetings

Jarle
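The two batch scripts in this thread (jvr755's Script.BAT and Jarle's ping test) share one weakness: the :CHECK loop never gives up, so a PC whose port never reaches the access VLAN sits at "Please wait" forever, and they trust ping's exit code, which on Windows is 0 even for a "Destination host unreachable" reply from a router. The script below is an added example, not code from the thread or from Cisco: it keeps the same ping-and-wait idea but bounds the number of attempts, gives each probe a 1-second timeout, only accepts a real echo reply (a line containing "TTL="), then waits for the DHCP renew and hands over to the VBS logon script with cscript. The probe address 192.0.2.10 (a documentation-range address) and the GUID in the SYSVOL path are placeholders to replace with the site's own values.

```batch
@echo off
rem Added example: bounded ping-wait wrapper for a GPO logon script.
rem ACCESS_PROBE is assumed to be a host that answers only from the access VLAN
rem (placeholder address). LOGON_VBS is a placeholder for the real GPO script path.
setlocal
set "ACCESS_PROBE=192.0.2.10"
set "LOGON_VBS=\\server\sysvol\company.local\Policies\{GUID-PLACEHOLDER}\User\Scripts\Logon\LogonScript.vbs"
set /a MAX_TRIES=60
set /a TRY=0

:CHECK
set /a TRY+=1
echo Waiting for the access VLAN (attempt %TRY% of %MAX_TRIES%)...
rem -n 1: one echo request; -w 1000: wait at most 1 s for it; -l 1: 1-byte payload.
rem Only a genuine reply contains "TTL=", so the loop ignores "unreachable" answers.
ping -n 1 -w 1000 -l 1 %ACCESS_PROBE% | find "TTL=" >nul
if not errorlevel 1 goto READY
if %TRY% GEQ %MAX_TRIES% goto TIMEOUT
rem Pause about 2 s between attempts so the loop does not spin.
ping 127.0.0.1 -n 3 >nul
goto CHECK

:READY
rem Port is on the access VLAN; give the DHCP release/renew about 5 s to settle
rem (same delay trick as in the thread, one extra -n because the first reply is immediate).
ping 127.0.0.1 -n 6 >nul
if not exist "%LOGON_VBS%" (
    echo Logon script not found: %LOGON_VBS% 1>&2
    exit /b 2
)
echo Running logon script...
cscript //nologo "%LOGON_VBS%"
exit /b %errorlevel%

:TIMEOUT
echo Access network not reachable after %MAX_TRIES% attempts; logon script skipped. 1>&2
exit /b 1
```

With MAX_TRIES=60 and roughly 3 seconds per attempt the wrapper waits at most about three minutes before giving up with a non-zero exit code, which is much easier to spot in event logs or a helpdesk ticket than a logon that hangs indefinitely. Keeping the probe target on a host the access VLAN can reach but the authentication VLAN cannot is what makes the loop a reliable signal of the VLAN change; choosing an address that a router answers for on behalf of the auth VLAN would defeat the check, which is why the "TTL=" filter matters.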

Hi jsteffensen

Thanks for your input about disabling IP renewal. We are in Real-IP GW mode, so we must keep changing IP addresses. Initially, we were thinking of using Virtual GW mode too, but we thought it could be hard to manage since we have more than 1000 PCs and over 20 VLANs...

How many PCs / VLANs do you have? Is it hard to manage?

Thanks.

Dominic

Hi

Well, we are still "piloting", which makes it much easier. At the moment we are only testing with 3 VLANs and about 30 PCs.

The CASs are close to the edge.

Managing this is pretty easy.

In the final config the CAS will be centralized, and I bet there will be problems with DHCP renewal and Group Policies, so I can't help you with information about a large-scale rollout.

Greetings

Jarle
