Cisco NAC Online User List Problem and Multiple MAC Scenario?
I am performing a Cisco NAC demo at a customer. I have two vital questions.
1_ Customer is willing to do posture assessment whenever it is possible, like every time a user connects and disconnects from and to the network. For wired connections I have emphasized the "remove online user when disconnected" setting in the port profile. This works great. However, for users who are wireless or behind IP phones, there is no such setting. So if a user switches from wireless to wired, that user is still on the Online User List, so it does not get assessed against the NAC Server. It continues to work without any posture validation. Is there any other setting to remove the Online User who is wireless or behind an IP phone once it gets disconnected from the network?
2_ What exactly happens when there are multiple devices on a switchport (I know I could see it for myself but time is tight)? I mean, if there are multiple devices who are members of different roles, is the switchport assigned a different VLAN whenever that client's posture validation gets completed?
Re: Cisco NAC Online User List Problem and Multiple MAC Scenario
For 1, you can have the user removed from the OUL in OOB scenarios, but behind IP phones it's difficult since we won't know when the PC is offline from there. The only way to know that is when CAM receives a MAC-Notification of a new MAC address being learnt. In IB, you can use heartbeat timers to log them out.
For 2, when a new MAC address is seen on the port, the MAC-Notification is sent out, and depending on your port profile the switchport will change or not. Check your port profile settings for more details on how you have it set up.