We are installing NAC 4.6(1). Just dealing right now with one profile, Dealing with device filter list. We have a MAC address in the list that when it is seen puts the switchport in VLAN 117 (access VLAN) then when the device gets unplugged, we want it to move back to the VLAN 115 (auth VLAN). The first part works, but when it is unplugged, it does not go back to the auth VLAN. We are doing all port changes via SNMP Link-change and in debug we can see the SNMP link-down being sent. Any ideas?
By the way, when we plug a non-certified laptop into the same port, it moves it to VLAN 115 (auth VLAN). It just won't move it back after the certified device is unplugged. Thanks,
That is by design. It doesn't hurt anything though, since as soon as the switch notices a link-up on the port, it will notify the CAM and it will change the port to VLAN 115, all within less than a second.
In addition, you can set the intial VLAN of the port to be in the Auth VLAN as opposed to the Access or vice versa. My customer wanted, FAIL OPEN, so we set the initial VLAN to the Access VLAN. The customer is very concerned about HA and even though we have 2 CAMs and 2 CASs, he still wanted it like that. If the CAMs disapear, the port will remain in the access VLAN and they will continue to work.
Well, if that is the case, why do they ask you what you want the CAM to do when it receives a link-down. It asks if you want to leave it in the access VLAN, move to the Auth VLAN, etc. I have that I would like it to move back to the auth VLAN (115), but that does not happen.
We are a financial company so we must meet PCI and have several audits per year, so if the NAC goes down while certain ports are in a more open VLAN, does the switchport stay in thet VLAN? If so, that is a problem, and is why we need it to move it back to the auth VLAN.
I have attached a screenshot of the port profile config that I am talking about. We have also verified we are getting link-down messages from the switch, it just doesn't seem to do anything with that information.
I found this in the config guide for NAC CAM 4.6. Section under port profile configuration.
Step 14 Remove out-of-band online user when SNMP linkdown trap is received, and then [do nothing | change to Auth VLAN | change to Restricted VLAN]
Click this option to specify which VLAN the CAM assigns to a switch port after receiving a linkdown trap from the switch when a client disconnects from the Cisco NAC Appliance network. (See Advanced for details on linkdown traps.)
•If this option is checked and specifies to do nothing, when the client disconnects (causing a linkdown trap to be sent), the switch port remains on the last VLAN assigned, or re-assigned to the VLAN specified in the Change to [Auth VLAN | Access VLAN] if the device is certified, but not in the out-of-band user list option.
Note If the client is not on the Certified Devices List, the client is put on the Authentication VLAN.
•If this option is checked and specifies to change to Auth VLAN, the CAM puts the switch port on the Authentication VLAN after receiving a linkdown SNMP trap regardless of whether or not the client is on the Certified Devices List.
•If this option is checked and specifies to change to Restricted VLAN, the CAM either assigns the switch port to a previously-configured VLAN Name (see Configure VLAN Profiles for more details), or to a specific VLAN ID number you enter in the text field that appears under this setting. As with the change to Auth VLAN option, this VLAN assignment takes place when the CAM receives a linkdown trap regardless of whether or not the client is on the Certified Devices List.
So it seems like it is supposed to be changing the VLAN back to whatever VLAN I specify, but that is not happening. Guess I need to just open a TAC Case.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...