Cisco Support Community
Community Member

NAC/CAM kicking users

Normally, the event logs on the CAM would show the following when a user logs out of his system and CAM kicks the user session:

SW_Management2012-06-28 09:43:03Kicked OOB user [OOB ## 00:24:E8:12:11:D7 ##] on port 423 of switch
Client2012-06-28 09:43:02[OOB ## 00:24:E8:12:11:D7 ##] - Logout request

As far as I know, this is all normal, especially before lunch time and before 5pm as users leave their desks. 

However, we recently noticed logs showing "Kicked OOB user" messages without a "Logout request" messages (several every day).  Additionally, for a couple of times in the past several month, we experienced an issue where over a period of a minute or two minutes, hundreds of users got kicked by the CAM - event logs should pages of Kicks messages without "logout request" messages.

Some users would be re-authenticated automatically, however, some would need to restart their computers.  Also, some would be stuck in the In Band mode - this should never happen as all users should be Out of Band once authenticated and successfully posture assessed.  We would then need to manually kick those users stuck in the In Band mode forcing them to re-authenticate.

Any ideas on what is causing KICKs without the logout request and why users would be stuck in the In Band mode?



NAC/CAM kicking users


If the users are getting kicked without the the logout messages could be the session timer expires for the user role they are associated to, also if they are manually kicked, meaning if you have a new administrator on the NAC appliance and they are trying to choose a specific user but then they end up kicking the entire users on the table.

As far as users being stuck in the 'in band' role, are they coming up stuck in the temporary role? If so, are you using SSO from a wireless controller or users coming through the ASA? Also, what version are you on, if you are on 4.7.2 and you are using wildcard filters, there is a patch that Cisco can provide that will help fix this.


Tarik Admani

Tarik Admani *Please rate helpful posts*
Community Member

NAC/CAM kicking users


I looked for messages that would indicate admin kicking all users.  However, I found non leading up to the time this issue occured.  Specifically there were no "admin logon" or "manual kick" messages.  As for session timer expired, is this timer based on user logon time (different for each user)?  The reason I am asking is all users got kick within a matter of 2 minutes.

We are using version 4.8.  Users are not coming through the ASAs.


NAC/CAM kicking users

I thought I posted a response but I guess it never posted.

What, you can do is raise the logging on the manager for the top three entries to trace.

Then you can grab a support bundle once you open it you can grab the nac_manager.lg file and see what event triggered the manager kicking the users.


Tarik admani

Tarik Admani *Please rate helpful posts*
CreatePlease to create content