NAC 4.7 "CAS unavailable" temporary role

Unanswered Question
Jul 16th, 2010

I have a VGW, OOB with layer 3 enabled pilot deployment right now. Everything looks fine. However, about 30% of the time (and it's increasing) when I log on using the 4.7 agent, the agent will give me the error that the CAS is unavailable on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role (highlighted quarantined).

When I kick the user, more often than not, the user can log back in and it places him in the OOB role that he is assigned to and all works fine.

core switch -----------cas/cam

distribution switch

End user switch---------end user pc

Any ideas as to why, when placed in the temp role and transitioning to the authenticated role, it would lose contact? And why would it be placed in the in-band section of the monitoring online users?

waqas0612147 Fri, 07/16/2010 - 12:38

Dear Rick ,

Check the SSL certificate of the CAS and the CAM. The common name (CN) of the SSL certificate should be the IP address of the CAS and the CAM.
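
A quick way to verify the point above from a client machine, as an added example that is not part of this thread and not Cisco's tooling: the script inspects a server certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns and reports whether the CN (or a subjectAltName IP entry, which modern clients check first) matches the address the agent actually connects to. The two sample certificates and the 192.0.2.x addresses are constructed placeholders, not values from this deployment; fetch_peer_cert() assumes you have the appliance's own certificate or CA file on disk so the chain can be verified before the dict is populated.

```python
"""Check whether a CAS/CAM certificate names the expected management IP.

Added example, not from the forum thread. Certificates are handled in the
dict form returned by ssl.SSLSocket.getpeercert(); the sample certs below are
constructed and use documentation addresses (192.0.2.x) as placeholders.
"""
import ipaddress
import socket
import ssl

# Constructed sample: CN and SAN both carry the CAS's own address.
GOOD_CAS_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

# Constructed sample of the mistake described later in the thread:
# the CAS certificate's CN carries the CAM's address instead.
BAD_CAS_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "192.0.2.11"),)),
}


def cert_names(cert):
    """Return (common_names, san_ips) from a getpeercert()-style dict."""
    common_names = [
        value
        for rdn in cert.get("subject", ())
        for (attr, value) in rdn
        if attr == "commonName"
    ]
    san_ips = [
        value
        for (kind, value) in cert.get("subjectAltName", ())
        if kind == "IP Address"
    ]
    return common_names, san_ips


def cert_matches_ip(cert, expected_ip):
    """True if a SAN IP entry or the CN equals expected_ip.

    Addresses are normalised with ipaddress so differently spelled IPv6
    literals compare correctly. A CN that is not an IP literal (a hostname)
    cannot match an IP and is skipped.
    """
    target = ipaddress.ip_address(expected_ip)
    common_names, san_ips = cert_names(cert)
    for candidate in san_ips + common_names:
        try:
            if ipaddress.ip_address(candidate) == target:
                return True
        except ValueError:
            continue  # CN is a hostname or other non-IP string
    return False


def diagnose(cert, expected_ip):
    """Human-readable verdict for the mismatch case the thread describes."""
    common_names, san_ips = cert_names(cert)
    if cert_matches_ip(cert, expected_ip):
        return "OK: certificate names %s" % expected_ip
    return "MISMATCH: expected %s but certificate names CN=%s SAN=%s" % (
        expected_ip, common_names or ["<none>"], san_ips or ["<none>"]
    )


def fetch_peer_cert(host, cafile, port=443, timeout=5):
    """Fetch the live certificate dict from an appliance.

    getpeercert() only returns a populated dict when the chain was verified,
    so the appliance's own cert (or its CA) is loaded as the trust anchor.
    Hostname checking is disabled because the IP comparison is done here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(diagnose(GOOD_CAS_CERT, "192.0.2.10"))
    print(diagnose(BAD_CAS_CERT, "192.0.2.10"))
```

Run it once against the sample dicts to see the two verdicts, then point fetch_peer_cert() at the CAS and again at the CAM with each appliance's own address as expected_ip; a MISMATCH on either side is the condition the reply above is asking you to rule out.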

mecampr Fri, 07/16/2010 - 13:22

Let me check that... I know some things changed in 4.7.

Let me confirm: the X.509 CN on the CAS should be the CAS IP address, and the X.509 CN on the CAM should be the CAM IP address?

I think that is what I have, but it will be Monday before I can check that out. Thanks for replying.

Faisal Sehbai Mon, 07/19/2010 - 06:30


So trying to understand your topology. You're trying to do L3 OOB VGW? Are your clients multiple hops away from the CAS?

Waqas's point is valid to an extent. Bad certs or misconfigured certs can cause lots of issues in 4.7, but in that instance no logins would happen.

More clarification on how things are laid out at your end would help.


mecampr Mon, 07/19/2010 - 20:28

The CN on the CAS was indeed wrong; the IP address was that of the CAM.

However, that still hasn't fully fixed the problem.

I took all the checks away from the auth role assigned and it seems to fix the problem.

Yes, Faisal, all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each VLAN on the switch, apart from the Auth VLANs, has an SVI.

i.e. on the core switch

interface GigabitEthernet2/28
 description trusted
 no ip address
 switchport trunk native vlan 997
 switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298   >>> Access VLANs
 switchport mode trunk
interface GigabitEthernet2/29
 description untrusted
 no ip address
 switchport trunk native vlan 996
 switchport trunk allowed vlan 9,10,20,30,40,50,60,400   >>> Auth VLANs
 switchport mode trunk

Example SVI for access VLANs

interface Vlan110
 description StaffLowerPT
 ip address
 ip helper-address
 ip pim sparse-dense-mode
 ipx network 8

No SVIs for auth VLANs.

I remember reading somewhere that if no checks are done (i.e. if the agent is not running any rules on it) then it moves straight from authentication (phase 1) to the authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?

I have an AV check rule and two SUS/WSUS rules.

mecampr Mon, 07/19/2010 - 20:45

On the temp role policy, only DNS requests are allowed through. There are several host rules that allow Symantec updates etc.... but would I need to add the CAS/CAM IP address (since the CAS is OOB VGW it has no IP address; well, it's the same IP but just not used)?

Faisal Sehbai Tue, 07/20/2010 - 08:16


Having requirements shouldn't cause the CAS communication failure notice. There's something else broken in your network I suspect.

You don't have to add the CAS/CAM IP addresses in the roles for this to work. You should however add any remediation resources (which from the post it seems you have).

Please post your CAS and CAM logs here for review. Do a test first, note the time, and then collect the logs. Post the logs and time when you did the test.


mecampr Tue, 07/20/2010 - 08:38

How do you export the CAS/CAM logs from the devices?

mecampr Wed, 07/21/2010 - 08:26

I noticed my core 6509E was running code version "12.2(18)SXD7"; would that cause any problems?

mecampr Wed, 07/21/2010 - 08:30

Although I've not had any problems with the switches being able to be controlled or the ports not being put in the correct VLANs, etc.

mecampr Wed, 07/21/2010 - 15:18

The error seems to be appearing whenever I ask for remediation... if I don't ask for remediation, or any rules or scanning at all, I get the CAS server not available on the network... I've asked TAC to look at it; their initial check couldn't see anything wrong with the config, so we're going deeper. Has anyone else experienced this, and what was their fix?

mecampr Thu, 07/22/2010 - 07:29

I'm still waiting for TAC, as I sent them lots of info, so hopefully once they wade through it the answer may appear... However, I noticed a couple of things that may improve my knowledge as well...

In 4.7 the Ethernet... I need this enabled for remediation; I'm running a VGW OOB with layer 3 checked. The client that fails is a layer 2 client. It fails when asked to do any kind of checks. To me it seems that it is maybe not put/kept in a VLAN or something... I believe by default it should remain in the auth VLAN when it is in phase 2 remediation. In the temp role, if I edit it I see the variable to change the VLAN for the role... although this says it is only for the normal logon.

My question is: do I need to change the filters to be enabled for Ethernet, allowing all for the temp role and the roles created for the users?

Also, would I need to add the role VLAN to the temp user?

mecampr Thu, 07/22/2010 - 13:36

TAC said the issue has only been seen with packet loss and out-of-order packets. I'm running all Cisco switches, VoIP etc.; network utilization is about 3%. Any ideas? I'm at a loss; all interface statistics show no network problems whatsoever. Running out of ideas.

Faisal Sehbai Thu, 07/22/2010 - 13:39


Can you private-msg me the TAC SR?



mecampr Thu, 07/22/2010 - 19:07

I sent you the SR; check your inbox.

