try to add a ping statement at the beginning of the login script. Goal is to use a n ip that is not pingable while on the Authentication vlan. That ping will loop in the background, and once the agent finishes authentication and CAM changes vlan to Access, the ping will complete then move on to the next function in the script.
A) The ipconfig /release and /renew were ocassionnaly taking place in the middle of the script execution so part of the mapped drive were missing.
B) Apparently, whether you are using linkup or MAC notification to control you switchport access, the auth VLAN is set on the switchport only when it "sees" the MAC address of the controlled PC. In our case the network card driver loads in windows XP and the switchport is bounced to auth VLAN and while the process is done, if users logs in to quickly, the windows XP machine loads it credential from cache (doesn't see domain controller) and therefore login script is not executed at all.
Best way to fix A) problem, is to do like jvr755 suggest. we
and for fix to B), I opened a case with cisco because when the switch sends SNMP Link-Up trap to the CAM it sould be set to Auth VLAN right away, but in our case it's not.
Finally, When debugging, I think it's very usefull to do a "show run int FX/X" on the port controlled by the NAC while booting the PC, it really helps to see what's going on in the booting process.
Thanks, one suggestion being made by Cisco right now is to change our login script from a VB based to a typical Batch file (I'm not sure I like this as a "fix") But would you mind sharing your login script?
Thanks for your input about disabling Ip renewal. We are in Real-Ip GW so we must keep changing IP addresses. Initially, We were thinking of using Virtual GW mode too but we thought it could be hard to manage since we have more than 1000 PC's and over 20 vlans...
How many PC / VLAN's do you have ? Is it hard to manage ?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :