NAC: OOB --VLAN does not change when user logs out.

bconnaghan
Level 1

I have been experimenting with NAC appliance on a small test network for a little while. I have an OOB Virtual gateway scenario using the Clean Access Agent to perform a very basic AV install and definition check. I am authenticating to a Local DB on the CAS with just a few test users.

Everything works fine. I have SNMP linkup/linkdown traps configured so that when a machine shuts down or restarts the machine is placed back in the Authentication VLAN and when authentication and posture validation takes place and is successful, the machine is moved to an Access VLAN and has network access. Users are showing up properly in the out of band user list and are removed as soon as a linkdown trap is received. Machines are showing up in the certified devices list properly when they pass posture validation.

I have noticed one thing that troubles me though, and I am wondering if this is normal behavior or if I have missed something in the NAC configuration. If a user authenticates properly and the machine passes posture validation, they get network access. If the user then logs out of Windows (no restart or shutdown), the link never goes down on the switch. Because of this, the user stays in the out-of-band user list on the CAM and the machine stays in the Access VLAN. If a new Windows user logs into the machine, no new authentication or posture validation takes place and the machine is still in the Access VLAN.

I would imagine that AD SSO would take care of this, but I have not gotten to that point yet. Also, what if a non-AD machine comes onto the network? We are back to the same problem. It seems like there should be a way for the NAC appliances to recognize a logout, delete the user's session and move the switchport back to the Authentication VLAN.

If anyone has any insight into this issue, I would love to hear from you.

3 Replies

mchin345
Level 6

Go through these Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3).

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html

For an OOB deployment this is a normal behavior. We have an option for this available for the In-Band deployment.

In OOB, the only way to clear the Certified Device List is to set up a timer or do it manually.

The reason for this is that the Agent is not inline with the CAS and cannot send the log-off packet to the CAS.

aneelaka
Level 1

If User1 is logged in, he is in the CDL and the Online User List. When User1 logs off and User2 logs into the same client, User1 is removed from the Online User List and User2 will be in the Online User List.

This will occur when in the port profile you have checked the following:

Remove other out-of-band online users on the switch port when a new user is detected on the same port.

-----------

If a non-AD machine comes onto the network, then AD SSO fails and the user will be prompted to enter credentials manually before accessing the network.
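To make the behavior described in this thread concrete, here is a small constructed model of what the CAM can and cannot see in an OOB deployment. This is added illustration, not Cisco code: the VLAN IDs, port name, MAC address and method names are assumptions, and the "remove other out-of-band online users" option is modeled from its name and the description above. The model is driven only by the events the CAM actually receives (SNMP linkup/linkdown traps and Agent logins), so a Windows log-off is a no-op, while the port-profile option decides what happens when a second user is detected on the same port.

```python
"""Constructed model of NAC Appliance OOB session handling (not Cisco code).

Only events the CAM can observe change state: SNMP link traps from the
switch and Agent login/posture results. A Windows log-off generates neither,
which is why the port stays in the Access VLAN in the original post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

AUTH_VLAN = 10    # assumed Authentication VLAN ID (hypothetical)
ACCESS_VLAN = 20  # assumed Access VLAN ID (hypothetical)


@dataclass
class Port:
    vlan: int = AUTH_VLAN
    online_users: List[str] = field(default_factory=list)  # OOB online user list entries for this port
    mac: Optional[str] = None


@dataclass
class Cam:
    """Out-of-band view of the Clean Access Manager."""
    remove_other_users_on_new_user: bool = False  # the port-profile checkbox from the reply above
    ports: Dict[str, Port] = field(default_factory=dict)
    certified_devices: Set[str] = field(default_factory=set)  # Certified Device List (MACs)

    def port(self, name: str) -> Port:
        return self.ports.setdefault(name, Port())

    def trap_linkup(self, name: str, mac: str) -> None:
        # Link comes up (boot/restart): port starts in the Authentication VLAN.
        p = self.port(name)
        p.mac, p.vlan, p.online_users = mac, AUTH_VLAN, []

    def trap_linkdown(self, name: str) -> None:
        # Link goes down (shutdown/restart/unplug): OOB session cleared, port
        # back to the Authentication VLAN. The CDL is deliberately not touched;
        # in OOB it is only cleared by a timer or manually.
        p = self.port(name)
        p.online_users, p.vlan = [], AUTH_VLAN

    def user_detected(self, name: str, user: str, posture_ok: bool) -> bool:
        """Agent login plus posture check on this port. Returns True on access."""
        p = self.port(name)
        if not posture_ok:
            return False
        if self.remove_other_users_on_new_user:
            p.online_users = []          # drop the previous user on this port
        if user not in p.online_users:
            p.online_users.append(user)
        if p.mac:
            self.certified_devices.add(p.mac)
        p.vlan = ACCESS_VLAN
        return True

    def windows_logoff(self, name: str) -> None:
        """No link trap, and in OOB the Agent is not inline with the CAS, so no
        log-off packet reaches it: the CAM sees nothing and nothing changes."""
        return None


PORT, MAC = "Gi1/0/1", "00:11:22:33:44:55"  # constructed sample values


def scenario_logoff_keeps_access() -> dict:
    """The original poster's case: log off Windows, port stays in Access VLAN."""
    cam = Cam()
    cam.trap_linkup(PORT, MAC)
    cam.user_detected(PORT, "user1", posture_ok=True)
    cam.windows_logoff(PORT)
    p = cam.port(PORT)
    return {"vlan": p.vlan, "online": list(p.online_users),
            "certified": sorted(cam.certified_devices)}


def scenario_second_user(remove_option: bool) -> List[str]:
    """User2 detected on the same port after User1 logged off Windows."""
    cam = Cam(remove_other_users_on_new_user=remove_option)
    cam.trap_linkup(PORT, MAC)
    cam.user_detected(PORT, "user1", posture_ok=True)
    cam.windows_logoff(PORT)
    cam.user_detected(PORT, "user2", posture_ok=True)
    return list(cam.port(PORT).online_users)


def scenario_restart_clears_session() -> dict:
    """A restart produces linkdown: session gone, VLAN reset, CDL entry kept."""
    cam = Cam()
    cam.trap_linkup(PORT, MAC)
    cam.user_detected(PORT, "user1", posture_ok=True)
    cam.trap_linkdown(PORT)
    p = cam.port(PORT)
    return {"vlan": p.vlan, "online": list(p.online_users),
            "certified": sorted(cam.certified_devices)}


if __name__ == "__main__":
    print(scenario_logoff_keeps_access())
    print(scenario_second_user(False), scenario_second_user(True))
    print(scenario_restart_clears_session())
```

The three scenarios line up with the replies: a Windows log-off leaves the port in the Access VLAN with User1 still online, only a linkdown trap resets the port (and even then the Certified Device List entry survives), and the port-profile option is what turns "User1 and User2 both listed" into "User1 replaced by User2" when the Agent detects the second user on the same port.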
