10-20-2009 05:22 AM - edited 02-21-2020 03:44 AM
Hi all,
I'm implementing the NAC solution. Currently I'm in the testing phase. My problem is that whether I'm using CCA or web client it takes less than a minute for the user to be on the network. I'm using ver 4.5.1 of the software.
Is there a timer set somewhere by default? I haven't set any session timer.
regards,
Stanslaus.
10-21-2009 07:00 AM
Stanslaus,
Not sure what you mean by that. Is it taking your users less than a minute to get online? Are you doing any posture checks? What is the backend database you're authenticating against?
Faisal
10-21-2009 10:26 PM
Hi Faisal,
Users get the successfully logged in page. They are able to access network resources like file servers, printing etc. The problem is that within the first minute of a successful login the client pops up again requesting authentication. Network connectivity disappears until the user provides credentials and checks are performed. This keeps on repeating. I have only test users in the Appliance and it is not integrated with any external database. I'm currently planning to use ADSSO but only after resolving the timeout problem.
Currently I'm performing Windows update and Antivirus checks.
My deployment mode is OOB virtual Gateway mode. All CAS and CAM are connected on 6500 series distribution switches.
Stanslaus.
10-22-2009 06:14 AM
Stanslaus,
Check your managed subnets to ensure you have them set right. Best course would be to open a TAC case so an engineer can do a sanity check for your settings.
HTH,
Faisal
10-27-2009 05:07 AM
I have discovered that the problem is caused by my IP phones. I'm in a completely IP phone environment and I'm using SNMP MAC notification traps. I've tried to bypass the IP phone and the problem cleared. We are using Polycom SoundPoint IP 330 SIP and SoundPoint IP 650 SIP. It seems like the IP phones keep on sending SNMP traps even after a successful login.
10-27-2009 06:49 AM
You have to add the MAC addresses of the IP phones to the filter list as IGNORE. When you do that, the CAM ignores the SNMP traps sent from the phones.
HTH,
Faisal
10-27-2009 07:10 AM
I had the device filter created. My mistake was that I didn't enable it in the port profile.
Note that for Out-of-Band (OOB) deployments, you must enable the use of device filters in the Port Profile section [Switch Management > Profiles > Port].
Thanks very much Faisal for your support.
regards,
Stanslaus.
10-29-2009 04:28 AM
I had the same problem and I did exactly what you have said, but I have observed that if I do a reboot my IP remains the same, that of my access VLAN. After I do a manual release and renew, I get the IP address of the authenticated VLAN and go through the temporary role to the normal login role. After that I get the IP address of the access VLAN. But I have to do a manual release/renew once.
11-03-2009 08:20 AM
IB deployment resolves all of those issues. Even once you get the release/renew issue resolved - you will still see a delay in authenticating as the CAS will "in essence" do a release/renew in order to move the client to the access VLAN. OOB is "at best" a clunky solution - IMHO (it also will not work for your wireless deployments). We originally started out with OOB deployment but have since moved everything back over to IB.