I just upgraded from CAM/CAS 184.108.40.206 to 220.127.116.11 and we are now having problems with all the users not being able to get on the trusted VLAN. 18.104.22.168 worked fine and we had SSO working with the agents just fine. After the upgrade, the agents will authenticate through SSO, change the VLAN to our trusted VLAN, and then 2 seconds later switch back to the untrusted VLAN. During the upgrade, I redid the certificates as required for the untrusted side of the CAS. Any ideas?
I assume you are running OOB mode. Perhaps you can try blocking the SWISS ports on the user VLAN (trusted VLAN); the ports are UDP 8905 and 8906. Your CCA agent might be doing authentication over and over again because the CCA sees the CAS server while already in the trusted VLAN.
I am using OOB mode and I blocked the CAS untrusted IP address from the trusted VLAN by using an access-list. I was looking at the logs, and I see that what is happening is the agent is sending over the authentication and the MAC of the computer, and then authentication does happen and the port changes according to user role appropriately, but then the CAM picks up the Cisco Phone MAC and tosses the port back into the untrusted VLAN. Our PCs plug into the back of Cisco Phones. What I did was I created a filter to ignore the Cisco Phone MAC and that does seem to work, however, I'm not sure that's the best way to go about it.
I have a question for you. Like you, we are also using OOB mode and I'm running into a small issue...
The issue is that when the computer gets authenticated and the CAM moves the switch port into the trusted VLAN, the agent sends the IP address release/renew, but on some computers the IP address renew fails because the users who are logged in do not have permission to do so...
You should install the NAC Agent Stub with admin rights. The stub installer can be found under the CAM admin page. Device Management -> Clean Access -> Clean Access Agent -> Installation
NAC Agent stub
Cisco NAC Appliance provides a Stub installer to allow users without administrator privileges on their machines to install the Clean Access Agent from the Stub service. The Stub service is required to support the following features for non-admin users:
• Download and install Agent
• Upgrade Agent
• Launch an executable
• Launch WSUS updates
• Access to Authentication VLAN change detection
Actually, that is the only way to run NAC in an IP telephony environment. Did you have the MAC filters in place before upgrading your CAM/CAS? I would have expected you to have the endless re-authentication issues prior to the upgrade without those filters. Just curious...