Cisco Support Community

New Member

NAC 4.7 "CAS unavailable" temporary role

I have a VGW, OOB with layer 3 enabled pilot deployment right now. Everything looks fine. However, about 30% of the time (and it's increasing) when I log on using the 4.7 agent, the agent will give me the error that the CAS is unavailable on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role (highlighted quarantined).

When I kick the user, more often than not, the user can log back in and it places him in the OOB role that he is assigned to and all works fine.

core switch -----------cas/cam
     |
distribution switch
     |
End user switch---------end user pc

Any ideas as to why, when placed in the temp role transitioning to the authenticated role, it would lose contact? And why would it be placed in the in-band section of the monitoring online users?

18 REPLIES
New Member

Re: NAC 4.7 "CAS unavailable" temporary role

Dear Rick ,

Check the SSL certificate of the CAS and the CAM. The common name (CN) of the SSL certificate should be the IP address of the CAS and the CAM.
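A way to turn that check into a script, added here as an example and not part of any post in this thread: it parses the text that `openssl x509 -noout -subject -ext subjectAltName` prints for an appliance certificate and reports whether the CN or an IP SAN names the appliance's own address, the peer appliance's address (the mistake found later in this thread) or neither. The certificate text and the addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample (not from the original post; TEST-NET placeholder addresses):
# the text `openssl x509 -noout -subject -ext subjectAltName` prints for a CAS
# whose certificate wrongly names the CAM's address.
SAMPLE_CAS_CERT_TEXT = """subject=C = GB, O = Example Org, CN = 192.0.2.20
X509v3 Subject Alternative Name:
    IP Address:192.0.2.20
"""
CAS_IP = "192.0.2.10"   # placeholder: the address the Agent and CAM connect to
CAM_IP = "192.0.2.20"   # placeholder


def cert_identities(cert_text):
    """Collect the subject CN and any IP Address/DNS SAN entries from openssl output.

    Handles both the 'CN = x' (OpenSSL 1.1+) and '/CN=x' (older) subject layouts.
    """
    names = set(re.findall(r"\bCN\s*=\s*([^,/\n]+)", cert_text))
    names.update(re.findall(r"(?:IP Address|DNS):([^,\s]+)", cert_text))
    return {n.strip() for n in names}


def ip_identities(cert_text):
    """Only the identities that are IP literals, normalised as ip_address objects."""
    out = set()
    for name in cert_identities(cert_text):
        try:
            out.add(ipaddress.ip_address(name))
        except ValueError:
            pass  # a DNS name, not an IP literal
    return out


def diagnose(cert_text, this_ip, other_ip):
    """Classify a CAS or CAM certificate against its own and the peer appliance's address.

    'ok'         : the cert names this_ip (what the Agent validates against)
    'names-peer' : it names the other appliance instead (the symptom in this thread)
    'mismatch'   : it names neither address
    """
    ips = ip_identities(cert_text)
    if ipaddress.ip_address(this_ip) in ips:
        return "ok"
    if ipaddress.ip_address(other_ip) in ips:
        return "names-peer"
    return "mismatch"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAS_CERT_TEXT, CAS_IP, CAM_IP))  # names-peer
```

Run it against each appliance with its own address as `this_ip`; a "names-peer" result on the CAS means the CAS certificate was issued for the CAM's address.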

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

Let me check that... I know some things changed in 4.7.

Let me confirm... you say the X.509 CN on the CAS should be the CAS IP address, and the X.509 CN on the CAM should be the CAM IP address?

I think that is what I have, but it will be Monday before I can check that out. Thanks for replying.

Re: NAC 4.7 "CAS unavailable" temporary role

Rick,

So trying to understand your topology. You're trying to do L3 OOB VGW? Are your clients multiple hops away from the CAS?

Waqas's point is valid to an extent. Bad certs or misconfigured certs can cause lots of issues in 4.7, but in that instance no logins would happen.

More clarification on how things are laid out at your end would help.

Faisal

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

The CN on the CAS was indeed wrong: the IP address was that of the CAM.

However, that still hasn't fully fixed the problem.

I took all the checks away from the auth role assigned and it seems to fix the problem.

Yes, Faisal, all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each VLAN on the switch, apart from the Auth VLANs, has an SVI.

i.e. on the core switch:

interface GigabitEthernet2/28
description trusted
no ip address
switchport
switchport trunk native vlan 997
switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298 >>>Access Vlans
switchport mode trunk
!
interface GigabitEthernet2/29
description untrusted
no ip address
switchport
switchport trunk native vlan 996
switchport trunk allowed vlan 9,10,20,30,40,50,60,400 >>>> Auth Vlans
switchport mode trunk

Example SVI for access VLANs:

interface Vlan110
description StaffLowerPT
ip address 1.1.1.1 255.255.255.0
ip helper-address 1.1.1.4
ip pim sparse-dense-mode
ipx network 8

No SVIs for auth VLANs.

I remember reading somewhere that if no checks are done (i.e. if the agent is not running any rules on it) then it moves straight from authentication (phase 1) to the authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?

I have an AV check rule and two SUS/WSUS rules.

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

On the temp role policy, only DNS requests are allowed through. There are several host rules that allow Symantec updates etc., but would I need to add the CAS/CAM IP address (since the CAS is OOB VGW it has no IP address; well, it's the same IP but just not used)?

Re: NAC 4.7 "CAS unavailable" temporary role

Rick,

Having requirements shouldn't cause the CAS communication failure notice. There's something else broken in your network I suspect.

You don't have to add the CAS/CAM IP addresses in the roles for this to work. You should however add any remediation resources (which from the post it seems you have).

Please post your CAS and CAM logs here for review. Do a test first, note the time, and then collect the logs. Post the logs and time when you did the test.

Faisal

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

How do you export the CAS/CAM logs from the devices?

Re: NAC 4.7 "CAS unavailable" temporary role

Rick,

From CAM, go to CCA Manager -> Support Logs and Download

From CAS, go to https://IP_ADD_OF_CAS/admin, then Support Logs -> Download

Faisal

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

OK, here are the attached logs.

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

These are the CAM logs; the previous were the CAS logs.

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

Here are the CAS logs.

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

I noticed my core 6509E was running code version 12.2(18)SXD7; would that cause any problems?

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

Although I've not had any problems with the switches being able to be controlled, or the ports not being put in the correct VLANs etc.

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

The error seems to be appearing whenever I ask for remediation... if I don't ask for remediation, or any rules or scanning at all, I get the CAS server not available on the network... I've asked TAC to look at it; their initial check couldn't see anything wrong with the config, so we're going deeper. Has anyone else experienced this and what was their fix?

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

I'm still waiting for TAC as I sent them lots of info, so hopefully once they wade through it the answer may appear... however, I noticed a couple of things that may improve my knowledge as well...

In 4.7, the Ethernet filters... do I need this enabled for remediation? I'm running a VGW OOB with layer 3 checked. The client that fails is a layer 2 client. It fails when asked to do any kind of checks. To me it seems that it is maybe not put/kept in a VLAN or something... I believe by default it should remain in the auth VLAN when it is in phase 2 remediation. In the temp role, if I edit it I see the variable to change the VLAN for the role... although this says it is only for the normal logon.

My question is this... do I need to change the filters to be enabled for Ethernet, allowing all for the temp role and the roles created for the users?

Also, would I need to add the role VLAN to the temp user?

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

TAC said the issue has only been seen with packet loss and out of order packets. I'm running all Cisco switches, VoIP etc. Network utilization is about 3%... any ideas? I'm at a loss; all interface statistics are fine... no network problems whatsoever. Running out of ideas.

Re: NAC 4.7 "CAS unavailable" temporary role

Rick,

Can you private-msg me the TAC SR?

Thanks,

Faisal

New Member

Re: NAC 4.7 "CAS unavailable" temporary role

I sent you the SR, if you check your inbox.
