Getting desperate here... been trying to get the Cisco NAC solution (Cisco NAC 3310) to work but with limited success, and the results are so far discouragingly random. I have a lot of experience with Cisco products and so far this one has been the most distressing :-( Any help here would be gladly appreciated!!
Ok, here's the setup: the CAM and CAS are set up in OOB VG mode (layer-2). I've set up everything according to Cisco's guide (I hope) - different VLANs for the CAM and CAS, VLAN mapping done, Managed Subnets, Switch Profiles etc. configured. Yet I'm getting strange responses - some PCs are unable to connect to the network, even though the managed switch port successfully informs the CAM that a new MAC is detected (the switch port changes to the auth VLAN from the initial VLAN). I racked my brains trying to figure out what's wrong; the event logs don't indicate many problems. Just to check on some uncertainties:
1. For the Managed subnet IP, should I tick the "Enable Subnet based Vlan retag" box?
2. For the Managed Subnet, should I put the Managed Subnet IP address as the gateway IP? E.g. VLAN 110 (untrusted vlan) mapped to VLAN 10 (trusted VLAN) which is subnet 10.1.10.0/24. The gateway is 10.1.10.254. So should I configure Managed Subnet IP/Netmask as 10.1.10.254/255.255.255.0? Or choose another unused IP address within that subnet (e.g. 10.1.10.1)?
3. I'm also experiencing the situation where, after logging in successfully (passing the NAC verification etc.), I unplugged my laptop from the managed switch port, and after a while plugged it in. This time no authentication happens, but network connectivity is broken (even though the Cisco Agent is running). Seems that the network port is placed into the Auth VLAN, yet nothing is prompted to login. Any ideas??
What policies do you have set up on your current user roles?
You may want to try allowing all TCP/UDP and fragments to see if it does not log in constantly.
Right click on the access agent as well and select properties. Make sure it does not have a discovery host since this is an L2 implementation.
Also, you should be able to rate the previous post so if others are having similar issues they will look at this thread.