NAC 4.7 "CAS unavailable" temporary role

Unanswered Question
Jul 16th, 2010

I have a VGW, OOB with layer 3 enabled pilot deployment right now. Everything looks fine. However, about

30% of the time (and its increasing) when I log on using the 4.7 agent, the agent will give me the error that the cas is unavialbe on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role. (highlighted quarantined)

When i kick the user, more often than not , the user can log back in and it places him in the oob role that he is assigned to and all works fine.

core switch -----------cas/cam

     |

distribution switch

     |

End user switch---------end user pc

Any ideas as to why when placed in the temp role transitioning to the authenticated role it would lose contact???? and why would it be placed in the in-band section of the monitoring online users?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
waqas0612147 Fri, 07/16/2010 - 12:38

Dear Rick ,

Check the SSL certificate of the CAS and the CAM .The common name (CN) of the SSL  certificate should be the IP address of the CAS and the CAM .

mecampr Fri, 07/16/2010 - 13:22

let me check that...i know some things changed in 4.7

Let me confirm ...you say the x509 CN on the CAS should be the CAS IP address, and the X509 CN on the CAM should be the CAM ip address?

I think that is what I have , but it will be Monday before I can check that out. Thanks for replying.

Faisal Sehbai Mon, 07/19/2010 - 06:30

Rick,

So trying to understand your topology. You're trying to do L3 OOB VGW? Are your clients multiple hops away from the CAS?

Waqas's point is valid to an extent. Bad certs or misconfigured certs can cause lots of issues in 4.7, but in that instance no logins would happen.

More clarification on how things are laid out at your end would help.

Faisal

mecampr Mon, 07/19/2010 - 20:28

the cn name on the cas was indeed wrong. the IP address was that of the CAM.

However, that still hasnt fully fixed the problem.

I took all the checks away from the auth role assigned and it seems to fix the problem.

Yes, Faisal all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each vlan on the switch, apart from the Auth vlans have a SVI.

ie. on the core switch

interface GigabitEthernet2/28
description trusted
no ip address
switchport
switchport trunk native vlan 997
switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298 >>>Access Vlans
switchport mode trunk
!
interface GigabitEthernet2/29
description untrusted
no ip address
switchport
switchport trunk native vlan 996
switchport trunk allowed vlan 9,10,20,30,40,50,60,400 >>>> Auth Vlans
switchport mode trunk

Example SVI for access VLANS

interface Vlan110
description StaffLowerPT
ip address 1.1.1.1 255.255.255.0
ip helper-address 1.1.1.4
ip pim sparse-dense-mode
ipx network 8

no SVI's for auth vlans.

I remember reading somewhere that if no checks are done (ie if the agent is not running any rules on it) then it moves straight from authenitcation (phase1) to authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?

I have a AV check rule, and two sus/WSUS rules.

mecampr Mon, 07/19/2010 - 20:45

on the temp role policy, only dns request is allowed through. there are several host rules that allow symantec updates etc....but would i need to add the cas/cam ip address (since the CAS is oob, vgw it has no ip address - well its the same ip but just not used)....

Faisal Sehbai Tue, 07/20/2010 - 08:16

Rick,

Having requirements shouldn't cause the CAS communication failure notice. There's something else broken in your network I suspect.

You don't have to add the CAS/CAM ip addresses in the roles for this to work. You should however add any remediation resources (which from the post it seems you have)

Please post your CAS and CAM logs here for review. Do a test first, note the time, and then collect the logs. Post the logs and time when you did the test.

Faisal

mecampr Tue, 07/20/2010 - 08:38

how do you export the cas/cam logs from the devices?

mecampr Wed, 07/21/2010 - 08:26

I noticed my core 6509e was running code Version "12.2(18)SXD7"  would that cause any problems

mecampr Wed, 07/21/2010 - 08:30

although ive not had any problems with the switches being able to be controlled of the ports not being put in the correct vlans etc

mecampr Wed, 07/21/2010 - 15:18

the error seems to be appearing whenever i ask for remediation...if i don't ask for remediation ..or any rules, scanning at all ..i get the cas server not available on the network....i've asked tac to look at , their initial check couldnt see anything wrong with the config, so we're going deeper. Has anyone else experienced this and what was their fix?

mecampr Thu, 07/22/2010 - 07:29

im still waiting for TAC as i sent them lots of info so hopefully once they wade through it the answer may appear...however I noticed a couple of things that may improve my knowledge as well...

in 4.7 the ehternet filters...do i need this enabled for remediation, im running a vgw oob with layer 3 checked. The client fails is a layer 2 client. It fails when asked to do any kind of checks. To me it seems that it is maybe not put/kept in a vlan or something....I believe by default it should remain in the auth vlan when it is in phase 2 remediation. In the temp role, if i edit it I see the variable to change the vlan for the role....although this says it is only for the normal logon.

my question is this....do i need to change the filters to be enabled for ethernet, allowing all for the temp role and the roles created for the users?

Also would i need to add  the role vlan to the temp user?

mecampr Thu, 07/22/2010 - 13:36

TAC said the issue has only been seen with packet loss and out of order packets. Im running all cisco switches, voip etc. network utilization is about 3 %..any ideas im at a loss, all interface stastics are fine...no network problems whatsoever. Running out of ideas

Actions

This Discussion