02-11-2010 05:36 AM - edited 02-21-2020 03:52 AM
I'm trying to deploy Cisco NAC as in-band and I've got the following issue:
- if a user tries to log out (being logged in via web or using the Cisco NAC agent), logs off Windows, or shuts down the PC, nothing happens - the user is still seen on the Online users page and has access to everything.
The only error messages I found on the CAM were in the apache log:
192.168.12.14 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key=192.168.12.14_699SZJNZ84VWG95I HTTP/1.1" 400 -
192.168.12.14 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -
Could someone help me with it?
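Added example (not part of the original post, and not Cisco code): a small script that scans Apache access-log lines in the format quoted above for logout requests that were rejected, so the client IPs can be checked against the Online Users list. The two logout paths are the ones in the post; treating any 4xx/5xx answer as "logout not processed" is an assumption, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Common Log Format, as in the lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Logout endpoints seen in the post (the second arrives percent-encoded).
LOGOUT_PATHS = {"/auth/perfigo_logout.jsp", "/auth/client_logout.jsp"}

def failed_logouts(lines):
    """Return {client_ip: [(timestamp, path, status), ...]} for logout
    requests answered with 4xx/5xx (assumed: the logout was not processed)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an access-log line in the expected format
        # Drop the query string, then decode %5f / %2e before comparing.
        path = unquote(urlsplit(m["target"]).path)
        status = int(m["status"])
        if path in LOGOUT_PATHS and status >= 400:
            hits[m["ip"]].append((m["ts"], path, status))
    return dict(hits)

# First two lines are from the post; the last two are constructed samples.
SAMPLE = [
    '192.168.12.14 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp'
    '?user_key=192.168.12.14_699SZJNZ84VWG95I HTTP/1.1" 400 -',
    '192.168.12.14 - - [11/Feb/2010:13:33:32 +0300] '
    '"POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -',
    '192.168.12.20 - - [11/Feb/2010:14:00:01 +0300] '
    '"GET /auth/perfigo_logout.jsp?user_key=EXAMPLE HTTP/1.1" 200 512',
    '192.168.12.21 - - [11/Feb/2010:14:02:10 +0300] "GET /index.html HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for ip, events in failed_logouts(SAMPLE).items():
        for ts, path, status in events:
            print(f"{ip} logout rejected ({status}) at {ts}: {path}")
```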
02-11-2010 10:02 AM
Vladimir,
Need more info. What sort of setup is it? Versions (agent/CCA)? VGW/RIP? L2/L3? Any SSO's? Please post your network diagram (L2 and L3 both) and the CAM/CAS logs.
Thanks,
Faisal
02-11-2010 11:11 AM
Faisal,
here is the info you requested:
- it's L3 setup, CAS is the Real-IP gateway for user networks;
- version of CCA - 4.7.2, agent's version is the latest, the user's workstation works under Windows XP;
- authentication via local DB of CAM, no SSO.
Can't post any diagram now, can do it tomorrow.
In the CAM's events logs I can see that the user successfully logged in, but after I press the Log out button there is nothing.
No traffic is blocked between the agent, CAS and CAM.
Regards,
Vladimir
02-13-2010 07:35 PM
Vladimir,
Okay. Please post the net diagram and your CAM/CAS logs with times when you've done the tests and also the Client logs from the client itself.
Thanks,
Faisal
08-12-2011 08:28 AM
Faisal.
I have the same problem with my customer.
Some configurations about timers:
User Management / User Role / Schedule / Heartbeat Timer
Enable Heartbeat Timer (Enable)
Log Out Disconnected Users After: 5 minutes
Device Management / Clean Access / General Setup / Agent Login
User Role - "Remote users"
Operating system "all"
Enable - Logoff NAC Agent users from network on their machine logoff or shutdown after "1 minute" (for Windows & In-band setup)
Next, we see one user who logged out of the network but is still in the "IB - Online Users" list. If another user connects to the network and takes the SAME IP address, that user does not need to authenticate, because the IP address is still in the list, so the user can access the whole network normally.
Can you help with this problem?
Thanks a lot.