I have been experimenting with the NAC appliance on a small test network for a little while. I have an OOB virtual gateway scenario using the Clean Access Agent to perform a very basic AV install and definition check. I am authenticating to a local DB on the CAS with just a few test users.
Everything works fine. I have SNMP linkup/linkdown traps configured so that when a machine shuts down or restarts the machine is placed back in the Authentication VLAN and when authentication and posture validation takes place and is successful, the machine is moved to an Access VLAN and has network access. Users are showing up properly in the out of band user list and are removed as soon as a linkdown trap is received. Machines are showing up in the certified devices list properly when they pass posture validation.
I have noticed one thing that troubles me though, and I am wondering if this is normal behavior or if I have missed something in the NAC configuration. If a user authenticates properly and the machine passes posture validation, they get network access. If the user then logs out of Windows (no restart or shutdown), the link never goes down on the switch. Because of this, the user stays in the out-of-band user list on the CAM and the machine stays in the Access VLAN. If a new Windows user logs into the machine, no new authentication or posture validation takes place and the machine is still in the Access VLAN.
I would imagine that AD SSO would take care of this, but I have not gotten to that point yet. Also, what if a non-AD machine comes on the network? We are back to the same problem. It seems like there should be a way for the NAC appliances to recognize a logout, delete the user's session and move the switchport back to the Authentication VLAN.
If anyone has any insight into this issue, I would love to hear from you.
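The following is an added example, not code from the original post and not Cisco's own CAM/CAS logic: a small Python model of the out-of-band session lifecycle the post describes, where the only event that tears a session down is an SNMP linkdown trap. The event names, VLAN numbers and switch port name are constructed for the example, and the `handle_logout` option is hypothetical; it exists only to show what the behaviour would look like if a host logout were treated like a linkdown trap, which is exactly the gap the post is asking about.

```python
"""Constructed model of the out-of-band (OOB) session lifecycle described above.

The controller moves a switch port between an Authentication VLAN and an
Access VLAN. As in the post, the only thing that tears a session down is a
linkup/linkdown trap. A Windows logout sends no trap, so the session and the
VLAN assignment survive it. Event names and VLAN numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

AUTH_VLAN = 10    # constructed: authentication (quarantine) VLAN
ACCESS_VLAN = 20  # constructed: production access VLAN


@dataclass
class PortState:
    vlan: int = AUTH_VLAN
    user: Optional[str] = None   # entry in the OOB user list, if any
    posture_ok: bool = False


class OobController:
    """Minimal CAM-like controller keyed by switch port name.

    handle_logout is a hypothetical option (not a real CAM setting) that
    treats a host logout notification like a linkdown trap.
    """

    def __init__(self, handle_logout: bool = False) -> None:
        self.ports: dict[str, PortState] = {}
        self.handle_logout = handle_logout

    def _reset(self, port: PortState) -> None:
        # Same effect as a linkdown trap: drop the OOB user entry and
        # return the port to the Authentication VLAN.
        port.vlan, port.user, port.posture_ok = AUTH_VLAN, None, False

    def handle(self, port_name: str, event: str, user: Optional[str] = None) -> PortState:
        port = self.ports.setdefault(port_name, PortState())
        if event in ("linkup", "linkdown"):
            self._reset(port)
        elif event == "auth_ok":
            # Agent login is only solicited while the port sits in the
            # Authentication VLAN; a port already on the Access VLAN is
            # never asked again, which is the stale-session problem.
            if port.vlan == AUTH_VLAN:
                port.user = user
        elif event == "posture_ok":
            if port.vlan == AUTH_VLAN and port.user is not None:
                port.posture_ok = True
                port.vlan = ACCESS_VLAN
        elif event == "windows_logout":
            if self.handle_logout:
                self._reset(port)
            # Otherwise nothing happens: no SNMP trap, so the CAM never hears of it.
        else:
            raise ValueError(f"unknown event {event!r}")
        return port


def run(events, handle_logout: bool = False) -> list:
    """Replay (port, event, user) tuples; return (vlan, user) after each one."""
    ctrl = OobController(handle_logout=handle_logout)
    trace = []
    for port_name, event, user in events:
        st = ctrl.handle(port_name, event, user)
        trace.append((st.vlan, st.user))
    return trace


# Constructed scenario from the post: alice logs in and passes posture,
# logs out of Windows, then bob logs in on the same machine.
SCENARIO = [
    ("Gi1/0/5", "linkup", None),
    ("Gi1/0/5", "auth_ok", "alice"),
    ("Gi1/0/5", "posture_ok", None),
    ("Gi1/0/5", "windows_logout", None),
    ("Gi1/0/5", "auth_ok", "bob"),
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"handle_logout={flag}:")
        for (_, event, _), (vlan, user) in zip(SCENARIO, run(SCENARIO, flag)):
            print(f"  {event:<15} -> vlan {vlan}, OOB user {user}")
```

With the default (trap-driven only) behaviour the trace ends with the port still on the Access VLAN and alice still in the OOB user list even though bob is now at the keyboard; with the hypothetical logout handling, the logout resets the port and bob has to authenticate and pass posture before the port moves again. That is the difference an AD SSO or agent logout hook would need to close.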