
NAC disconnecting users after successful login

Hi all,

I'm implementing the NAC solution. Currently I'm in the testing phase. My problem is that whether I'm using CCA or web client it takes less than a minute for the user to be on the network. I'm using ver 4.5.1 of the software.

Is there a timer set somewhere by default? I haven't set any session timer.

regards,

Stanslaus.

1 Accepted Solution


You have to add the MAC addresses of the IP phones to the filter list as IGNORE. When you do that, the CAM ignores the SNMP traps sent from the phones.

HTH,

Faisal


8 Replies

Faisal Sehbai
Level 7

Stanslaus,

Not sure what you mean by that. Is it taking your users less than a minute to get online? Are you doing any posture checks? What is the backend database you're authenticating against?

Faisal

Hi Faisal,

Users get the successfully logged in page. They are able to access network resources like file servers, printing etc. The problem is that within the first minute of a successful login the client pops up again requesting authentication. Network connectivity disappears until the user provides credentials and checks are performed. This keeps on repeating. I have only test users in the Appliance and it is not integrated with any external database. I'm currently planning to use ADSSO but only after resolving the timeout problem.

Currently I'm performing Windows update and Antivirus checks.

My deployment mode is OOB virtual Gateway mode. All CAS and CAM are connected on 6500 series distribution switches.

Stanslaus.

Stanslaus,

Check your managed subnets to ensure you have them set right. Best course would be to open a TAC case so an engineer can do a sanity check for your settings.

HTH,

Faisal

I have discovered that the problem is caused by my IP phones. I'm in a completely IP phone environment and I'm using SNMP MAC notification traps. I've tried to bypass the IP phone and the problem cleared. We are using Polycom SoundPoint IP 330 SIP and SoundPoint IP 650 SIP. It seems like the IP phones keep on sending SNMP traps even after a successful login.

You have to add the MAC addresses of the IP phones to the filter list as IGNORE. When you do that, the CAM ignores the SNMP traps sent from the phones.

HTH,

Faisal

I had the device filter created. My mistake was that I didn't enable it in the port profile.

Note that for Out-of-Band (OOB) deployments, you must enable the use of device filters in the Port Profile section [Switch Management > Profiles > Port].

Thanks very much Faisal for your support.

regards,

Stanslaus.

I had the same problem and I did exactly what you have said, but I have observed that if I do a reboot my IP remains the same as my access VLAN's. After I do a manual release and renew, I get the IP address of the authenticated VLAN and go through the temporary role to the normal login role. After that I get the IP address of the access VLAN, but I have to do a manual release/renew once.

IB deployment resolves all of those issues. Even once you get the release/renew issue resolved - you will still see a delay in authenticating as the CAS will "in essence" do a release/renew in order to move the client to the access VLAN. OOB is "at best" a clunky solution - IMHO (it also will not work for your wireless deployments). We originally started out with OOB deployment but have since moved everything back over to IB.
