NAC manager doesn't change auth vlan to access vlan

zoran.suica · ‎04-28-2010

Hi,

I am trying to install L2 out-of band NAC in my LAN but I have problem for which I don't seem to find any solutions.

The problem is that NAC manager simply doesn't change switchport from authentication to access vlan although user

is authenticated and all CAA requirements have been met.

I connect my laptop to switch and NAM changes vlan to auth. vlan and laptop gets IP address from access vlan (vlan mapping

configured on NAM). Then CCA login pops out and I enter username and password. After that CAA says: "Successfully logged in

to network" but laptop stays in auth. vlan and I can see my user in "out of band" users list (on NAM) but laptop (his MAC address) is not

in the certified devices list. And Manager keeps it in auth. vlan. So when I click OK in CAA, the login window pops out again because I'm still

in authentication vlan.

What could be the problem? I really tried everything and I don't know why manager doesn't put laptop to certified devices list (I repeat, user is in out

of band users list) and CCA says successfully logged in to network, and all requirements are met too.

Faisal Sehbai · ‎04-28-2010

Zoran,

Check the SNMP strings to ensure you have everything set right on the CAM and the switches. First thought suggests that the CAM is unable to write to the switch, which means your RW strings might be messed up.

HTH,

Faisal

zoran.suica · ‎04-28-2010

Faisal,

thanks for quick answer. SNMP is ok because when I manually enter access vlan in NAM, NAM sets port to that vlan. And then

again when I connect my laptop to that port, NAM again changes vlan to authentication. So that seems to be ok.

And I do not see laptops MAC in certified devices list so I think that is the reason why NAM doesn't put port to access vlan.

Faisal Sehbai · ‎04-28-2010

Zoran,

You have a managed subnet entry for the subnet you're working with? Please post screenshots of your CAS config pages, your SNMP Receiver page and sanitized output from your switch.

Thanks

Faisal

zoran.suica · ‎04-29-2010

Faisal,

thank you very much, yes that was the problem. I didn't have managed subnet entry. Now it works fine, but I have another problem. When I added managed

subnet I cannot connect to NAC server from my PC which has IP address from that subnet range. I cannot ping neither connect via https, totally

inaccessible.

What can I do to have that managed subnet entry, and still to be able to connect to server from that subnet (VLAN)?

I tried adding managed subnet entry with auth. vlan (400) and then with access vlan (110) and no-vlan (-1) but the situation is same - clean access

works fine, but I cannot reach server from my PC.

Faisal Sehbai · ‎04-29-2010

Zoran,

This is as expected. If your client is in one of the managed subnet, then by default the CAS sends out all traffic through it's untrusted interface. That's why when you're already authenticated, and you try to access the CAS, the replies to those queries/attempts would go out the untrusted interface and never reach your client back.

HTH,

Faisal