NAC Clean Access Agent doesn't pop up

Aug 4th, 2008

Hi,

I have installed and configured NAC 3310. I have configured L2 OOB Virtual Gateway (as it is a central deployment). I did the following in my configuration:

1. Install the Manager

2. Install the Server

3. Add the server to the Manager

4. Configure Managed Subnets, VLAN mapping, SNMP configuration on both switch and NAC, add the switch and configure port profiles.


My problem is that when I plug a PC into the switch port, the CCA installed on the PC doesn't pop up for authentication. I can see the port moving to the authentication VLAN and I can get an IP address from DHCP, but I can't access anything (I can't even ping the CAS). It used to work before, but I was using the evaluation license of NAC and a different access switch (2960). Now I'm using a 2900XL. Any idea please!


Thanks in advance,

Stanslaus.

IT_Data_CorporateNet Mon, 08/04/2008 - 22:43

I've noticed also that when I'm on the CAS I can't ping the default gateway of my VLAN, but if I remove the managed subnet IP of the VLAN from the CAM I can ping the gateway from the CAS.

Any help please.


BR,

Stanslaus.

r-frank Tue, 08/12/2008 - 21:26

Stanslaus

Because you have changed switches, have you ensured that the switch is in the mgr as a device, and also that the correct SNMP config is on the switch? It can take one line to screw it up.

No SNMP restrictions on the switch.

Is the correct VLAN allowed down to the switch from the core?


Cheers

Rick
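The switch-side items Rick lists (SNMP community strings the CAM uses, an access-list that quietly blocks the CAM, traps not pointed at the CAM, the VLAN not carried on the uplink trunk) can be checked against a saved running-config before touching the CAM. The script below is an added example for this thread, not code from Cisco or from any poster. The config it audits is constructed: the CAM address 192.0.2.10, VLANs 10 and 110, the community strings and the uplink name GigabitEthernet0/1 are all assumptions for illustration, and the trap lines it requires (linkup/linkdown, mac-notification) are assumed here to be the ones an L2 OOB deployment needs; confirm them against the switch support guide for your release. Whether the switch has been added to the CAM as a device cannot be seen from the switch config and still has to be checked in the CAM.

```python
"""Audit a Cisco IOS running-config for NAC L2 OOB prerequisites.
Added example (not from the thread). Checks communities, the ACL bound to
them, trap destination and trap types, and VLANs allowed on the uplink."""
import ipaddress
import re

# Constructed sample config, not a real switch. CAM address, VLAN numbers and
# community strings are assumptions. Two deliberate faults are planted:
# ACL 10 permits the wrong host, and the uplink trunk does not carry VLAN 110.
SAMPLE_CONFIG = """\
mac address-table notification
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 110
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,100
!
snmp-server community nacro RO 10
snmp-server community nacrw RW 10
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.0.2.10 version 2c nacro
!
access-list 10 permit 192.0.2.11
"""

# Trap lines assumed necessary for the CAM to learn of port changes (assumption).
REQUIRED_TRAP_LINES = {
    "linkup/linkdown traps": r"^snmp-server enable traps snmp\b(?=.*\blinkdown\b)(?=.*\blinkup\b)",
    "mac-notification traps": r"^snmp-server enable traps mac-notification\b",
    "mac address-table notification": r"^mac address-table notification\b",
}


def interface_blocks(config):
    """Map interface name -> list of its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo.isdigit():
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def acl_permits(config, acl_id, ip):
    """Evaluate a standard numbered ACL (permit/deny, host, any, wildcard)
    for one source IP: first matching entry wins, implicit deny at the end."""
    addr = int(ipaddress.ip_address(ip))
    entry = re.compile(rf"^access-list {acl_id} (permit|deny) (\S+)(?: (\S+))?$")
    for line in config.splitlines():
        m = entry.match(line.strip())
        if not m:
            continue
        action, target, extra = m.groups()
        if target == "any":
            base, wild = 0, 0xFFFFFFFF
        elif target == "host":
            base, wild = int(ipaddress.ip_address(extra)), 0
        else:
            base = int(ipaddress.ip_address(target))
            wild = int(ipaddress.ip_address(extra)) if extra else 0
        if (addr | wild) == (base | wild):  # wildcard 1-bits are "don't care"
            return action == "permit"
    return False


def audit(config, cam_ip, required_vlans, uplink):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    communities = re.findall(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?", config, re.M)
    if not any(kind == "RW" for _, kind, _ in communities):
        findings.append("no RW community: the CAM cannot change port VLANs")
    for name, kind, acl in communities:
        if acl and not acl_permits(config, acl, cam_ip):
            findings.append(f"community {name} ({kind}) is bound to ACL {acl}, "
                            f"which does not permit the CAM {cam_ip}")
    if cam_ip not in re.findall(r"^snmp-server host (\S+)", config, re.M):
        findings.append(f"no 'snmp-server host {cam_ip}': traps never reach the CAM")
    for label, pattern in REQUIRED_TRAP_LINES.items():
        if not re.search(pattern, config, re.M):
            findings.append(f"missing {label}")
    uplink_lines = interface_blocks(config).get(uplink)
    if uplink_lines is None:
        findings.append(f"uplink {uplink} not found in config")
    else:
        allowed = None  # no 'allowed vlan' line means every VLAN is carried
        for line in uplink_lines:
            m = re.match(r"switchport trunk allowed vlan (?:add )?(\S+)", line)
            if m:
                allowed = (allowed or set()) | expand_vlan_list(m.group(1))
        if allowed is not None and (missing := sorted(set(required_vlans) - allowed)):
            findings.append(f"uplink {uplink} does not carry VLAN(s) {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.0.2.10", {10, 110}, "GigabitEthernet0/1"):
        print("FAIL:", finding)
```

Run against the sample it reports three findings: both communities are bound to ACL 10, which permits 192.0.2.11 rather than the CAM, and the uplink trunk is missing VLAN 110. Feed it `show running-config` output from your own access switch with your CAM address, managed VLANs and uplink name; a clean run means the remaining suspects are the CAM side (switch added as a device, VLAN mapping, port profile) or, as it turned out later in this thread, an unsupported IOS release.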

IT_Data_CorporateNet Wed, 08/13/2008 - 08:56

Thanks Rick,

I think the problem was my IOS. The switch has version 12.1, while for the 3750 12.2(25)SEE and above is recommended. I replaced the switch with one that has the latest IOS and it works. I could not upgrade the old one due to a memory problem.


regards,

Stanslaus.

I am using NAC agent 4.7.2.10 and the agent is configured to pop up on login so users can access the secure network.


The agent however pops up maybe one time in 10. I can trigger it to pop up by releasing and renewing the IP address of the machine (the IP address doesn't change, it just renews). The Agent login will pop up immediately then and I can log in; however, most users won't have admin rights to perform this and they shouldn't have to.


Once logged in everything works fine, but I can't roll this solution out yet as the Agent popup is so unreliable.


The NACAgentUI process can be seen running in Task Manager even if it hasn't popped up, and it is visible in the taskbar; however, you cannot manually launch it. The login button is available but nothing happens when I click on it.


Is there a debugger or log generator I can run for this?


Please advise.



Thanks.

luciano.carvalho Thu, 12/09/2010 - 04:43


Hi Bryan,

You can set the debug option by accessing your NAC Appliance Server directly via the Web interface (https://server/admin). Go to Support Logs and set the options you want to trace.

After simulating the problem, just click Download to get all logs from the Appliance. Most of the useful messages will be in nac_server.log.

Best Regards

troy.kinnison Sun, 12/12/2010 - 17:49

Bryan,

It sounds like you do not have the time set to clear the online users. They will stay logged in unless they reboot, or there is a trap received telling the CAS that the device is logged off. If you want the users to authenticate every time, set the timer to clear the certified device list after 10 to 12 hours. This way the clients have to re-auth the next morning, or 10 to 12 hours after they log on. I have run into issues like this before. I am no longer running 4.7.2 but 4.8, so out-of-band logoff is supported. Let me know if this helps, or if this does not fix it I can dig into this a little more.

Tiago Antunes (Cisco Employee) Mon, 12/13/2010 - 09:07

Hi,


Yes, if you are using an unsupported switch IOS it is expected not to work, as the CAM contains the OIDs for the supported switches, and if it does not contain the OID for the switch you are trying to use, then it will not work.


I was confused about the switch model you are using, as you spoke about a 2900XL and later on a 3750...

Anyway, please check out the supported models and IOS minimum version:

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html#wp83479.


HTH,
Tiago


--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
