NAC in-band user logout issue

Feb 11th, 2010
I'm trying to deploy Cisco NAC as in-band and I've got the following issue:

- if the user tries to log out (having logged in via the web or using the Cisco NAC agent), logs off Windows, or shuts down the PC, nothing happens - the user is still seen on the Online users page and has access to everything.


The only error messages I found on the CAM were in the apache log:


192.168.12.14 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key=192.168.12.14_699SZJNZ84VWG95I HTTP/1.1" 400 -
192.168.12.14 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -


Could someone help me with it?

Faisal Sehbai Thu, 02/11/2010 - 10:02

Vladimir,


Need more info. What sort of setup is it? Versions (agent/CCA)? VGW/RIP? L2/L3? Any SSO's? Please post your network diagram (L2 and L3 both) and the CAM/CAS logs.


Thanks,

Faisal

vladimir.agafin Thu, 02/11/2010 - 11:11
Faisal,


Here is the info you requested:

- it's L3 setup, CAS is the Real-IP gateway for user networks;

- version of CCA - 4.7.2, agent's version is the latest, the user's workstation works under Windows XP;

- authentication via local DB of CAM, no SSO.


Can't post any diagram now, can do it tomorrow.


In the CAM's events logs I can see that the user successfully logged in, but after I press the Log out button there is nothing.

No traffic is blocked between the agent, CAS and CAM.


Regards,

Vladimir

Faisal Sehbai Sat, 02/13/2010 - 19:35

Vladimir,


Okay. Please post the net diagram and your CAM/CAS logs with times when you've done the tests and also the Client logs from the client itself.


Thanks,

Faisal

Tiago Andrade d... Fri, 08/12/2011 - 08:28
Faisal,
I have the same problem with my customer.

  • So I have: In-Band - Virtual IP Gateway (L3 deployment) 4.7.2
  • 1 CAM installed in central site
  • 1 CAS installed in central site
  • All traffic from remote sites will pass through the CAS in-band (inline VLAN 563 to 63 access VLAN central site)

Some configurations about timers:


User Management / User Role / Schedule / Heartbeat Timer
Enable Heartbeat Timer (Enable)

Log Out Disconnected Users After: 5 minutes


Device Management / Clean Access / General Setup / Agent Login

User Role - "Remote users"
Operating system "all"

Enable - Logoff NAC Agent Users from network on their machine logoff or shutdown after "1 minute" (for Windows & In-band setup)

Next we see one user that logged out of the network but is still in the "IB - Online Users" list. If another user connects to the network and takes the SAME IP address, that user does not need to authenticate, because the IP address is still in the list, so the user can access the whole network normally.

Can you help with this problem?


Tks a lot.
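As an added example (not code from this thread, from Cisco, or from the CAM itself), the following Python script parses Apache access-log lines like the two Vladimir posted, flags logout requests the CAM answered with HTTP 400, and cross-checks an export of the IB Online Users list against the "Log Out Disconnected Users After" heartbeat value Tiago quotes, so that entries which should already have been dropped can be terminated by an operator before the address is handed to another host. Everything beyond the two quoted log lines is constructed: the third log line, the online-users records, the user names, the NOW timestamp, and the field names of the online-users export (the CAM's real export format is not shown on the page).

```python
"""Flag NAC logout requests rejected by the CAM and IB Online Users entries
that outlived the heartbeat timer (added example; sample data is constructed)."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Common Log Format as written by the CAM's Apache:
#   host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Logout endpoints seen in the thread; the agent one appears percent-encoded in the log.
LOGOUT_PATHS = {"/auth/perfigo_logout.jsp", "/auth/client_logout.jsp"}

# Constructed sample: the first two lines are the ones quoted in the thread,
# the third is a made-up successful logout from another host.
APACHE_LOG = """\
192.168.12.14 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key=192.168.12.14_699SZJNZ84VWG95I HTTP/1.1" 400 -
192.168.12.14 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -
192.168.12.20 - - [11/Feb/2010:13:40:01 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 200 1234
"""

MSK = timezone(timedelta(hours=3))  # matches the +0300 offset in the log

# Constructed stand-in for an IB Online Users export (field names assumed).
ONLINE_USERS = [
    {"ip": "192.168.12.14", "user": "vladimir", "last_seen": datetime(2010, 2, 11, 13, 33, 32, tzinfo=MSK)},
    {"ip": "192.168.12.30", "user": "healthy-user", "last_seen": datetime(2010, 2, 11, 13, 59, 0, tzinfo=MSK)},
    {"ip": "192.168.12.40", "user": "stuck-user", "last_seen": datetime(2010, 2, 11, 13, 30, 0, tzinfo=MSK)},
]
NOW = datetime(2010, 2, 11, 14, 0, 0, tzinfo=MSK)  # constructed "current time"


def parse_clf(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = CLF.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        # decode %5f/%2e and drop the query string so both spellings compare equal
        "path": unquote(urlsplit(m["target"]).path),
        "status": int(m["status"]),
    }


def failed_logouts(log_text):
    """Logout requests the CAM answered with a 4xx/5xx status (the 400s in the thread)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and rec["path"] in LOGOUT_PATHS and rec["status"] >= 400:
            out.append(rec)
    return out


def stale_sessions(online_users, log_text, now, heartbeat_minutes=5):
    """Map IP -> reasons for online entries that should no longer be online.

    'logout-rejected': the host asked to log out but the CAM refused the request.
    'heartbeat-expired': no activity for longer than the configured heartbeat
    timer, so the entry should have been removed automatically.
    """
    rejected = {r["ip"] for r in failed_logouts(log_text)}
    limit = timedelta(minutes=heartbeat_minutes)
    flagged = {}
    for session in online_users:
        reasons = []
        if session["ip"] in rejected:
            reasons.append("logout-rejected")
        if now - session["last_seen"] > limit:
            reasons.append("heartbeat-expired")
        if reasons:
            flagged[session["ip"]] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in stale_sessions(ONLINE_USERS, APACHE_LOG, NOW).items():
        print(f"{ip}: {', '.join(why)} -> terminate this entry in IB Online Users before the IP is reused")
```

The two reasons are kept separate on purpose: a rejected logout points at the CAM/agent exchange that Vladimir's log shows, while a heartbeat that never fires points at the timer configuration Tiago lists, and an operator chasing the root cause wants to know which of the two applies to each stuck address.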
