Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1419
Views
0
Helpful
7
Replies

Cisco NAC 4.1.6 vlan bounce

jefflocktsg
Level 1
Level 1

‎10-14-2008 03:34 AM - edited ‎02-21-2020 03:03 AM

Hi Everyone,

I just upgraded from CAM/CAS 4.1.2.0 to 4.1.6.0 and we are now having problems with all the users not being able to get on the trusted VLAN. 4.2.1.0 worked fine and we had SSO working with the agents just fine. After the upgrade, the agents will authenticate through SSO, change the VLAN to our trusted VLAN, and then 2 seconds later switch back to the untrusted VLAN. During the upgrade, I redid the certificates as required for the untrusted side of the CAS. Any ideas?

0 Helpful
7 Replies 7

felixjai
Level 1
Level 1

‎10-15-2008 11:34 AM

I assume you are running OOB mode. Perhaps you can try blocking the SWISS ports on the user vlan (trusted vlan), the ports are UDP 8905 and 8906. You CCA agent might be doing authentication over and over again because the CCA sees the CAS server while already in the trusted vlan.

0 Helpful

jefflocktsg
Level 1
Level 1
In response to felixjai

‎10-16-2008 04:59 AM

I am using OOB mode and I blocked the CAS untrusted IP address from the trusted vlan by using an access-list. I was looking at the logs, and I see that what is happening is the agent is sending over the authentication and the MAC of the computer, and then authentication does happen and the port changes according to user role appropriately, but then the CAM picks up the Cisco Phone MAC and tosses the port back into the untrusted VLAN. Our PC's plug into the back of Cisco Phones. What I did was I created a filter to ignore the Cisco Phone MAC and that does seem to work, however, I'm not sure that's the best way to go about it.

0 Helpful

rv_viji
Level 1
Level 1
In response to jefflocktsg

‎10-20-2008 11:40 AM

I have a question to you, like you we are also using the OOB mode and I'm running into a small issue...

The issue is that when the computer gets authenticated and CAM moves the switch port into the trusted vlan, the agent sends the ip address release/renew, but on some computers the ip address renew gets failed as the users who are logged in does not have permission to do so....

How can I come across this?? Any inputs..??

0 Helpful

felixjai
Level 1
Level 1
In response to rv_viji

‎10-21-2008 11:45 AM

The Clean Access Agent has the admin rights to do dhcp release/renew for the user. The logged-in user doesn't need admin rights.

If dhcp release/renew fails, it might be a different issue, check your dhcp server settings for the trusted vlan.

By the way, what version of Clean Access Agent do you have?

0 Helpful

rv_viji
Level 1
Level 1
In response to felixjai

‎10-22-2008 01:08 AM

No, but the error message in the clean access agent window clearly states that "Refreshing IP Failed, Please release/renew IP manually"

Kindly find the attached screenshot too...

And when the user with admin rights logs into the computer this error message doesn't come...

Im using clean access agent 4.1.3.1

Preview file
26 KB
0 Helpful

felixjai
Level 1
Level 1
In response to rv_viji

‎10-22-2008 07:02 AM

You should install the NAC Agent Stub with admin rights. The stub installer can be found under the CAM admin page. Device Management -> Clean Access -> Clean Access Agent -> Installation

NAC Agent stub

Cisco NAC Appliance provides a Stub installer to allow users without administrator privileges on their machines to install the Clean Access Agent from the Stub service. The Stub service is required to support the following features for non-admin users:

• Download and install Agent

• Upgrade Agent

• Launch an executable

• Launch WSUS updates

• Access to Authentication VLAN change detection

• Perform IP refresh/renew

0 Helpful

west-david
Level 1
Level 1
In response to jefflocktsg

‎10-22-2008 07:54 AM

Actually, that is the only way to run NAC in an IP telephony environment. Did you have the MAC filters in place before upgrading your CAM/CAS? I would have expected you to have the endless re-authentication issues prior to the upgrade without those filters. Just curious...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card