Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

NAC appliance troubles under 4.1.1

Hi, we are doing a testbed with NAC appliance. We are doing basical tests with latest version 4.1.1 (30 april).

We are in an OOB test with virtual gateway mode. Our problem is very basic. For this test we are using local database.

TEST1

When we authenticate trough the Web Page (no agent required) all is good we are moved to the access vlan and we can work. Sniffing we can see snmp that reatributes the access vlan. In this case the state and the display in logged in users is consistent, we are shown with the AllAccess role.

TEST2

If we authenticate through the CAA, the authentication is displayed as successfull on the agent. The logged OOB users displays the test user with our AllAccess profile, but the logs show that we were moved to the Temporary Role (discrepancy here). If we snif SNMP from CAM to Switch, no SNMP is generated from the cam to switch. In this case we stay in the Auth vlan and we loop always for reauthentication. As the CAM consider us as logged in but didn't move the vlan. For this test we use a compliant machine).

TEST3

If we test with an uncompliant machine, we stay in the AuthVlan, wich is normal, and we can access sites for remediation (normal behaviour).

In the three cases the config of roles etc is exacltly the same, the only difference is that we authenticated via a different way.

So for a compliant machine with authentication through CAA, we have a problem.

Did anyone experienced the same issue??

Best Regards

Miguel Luna

3 REPLIES
Community Member

Re: NAC appliance troubles under 4.1.1

Miguel,

I seen this error when the Client can't reach the CAS server. You are doing a Central or Edge Deployment? Are you behind an IP phone?

How are the VLAN's configured?

Regards,

Pedro Cabarga

Community Member

Re: NAC appliance troubles under 4.1.1

Hi Pedro, nop we could find a configuration

mistake on CAS. The issue is now resolved. I was so suprised to see a discrepency that I thought it could be a bug.

In fact it was very simple, the list of managed Vlan's was not correct on CAS. So in this case, yes there is a communication problem and the discrepency on CAM appears.

Thank you very much for your answer.

Miguel

Community Member

Re: NAC appliance troubles under 4.1.1

Yes - the documentation is a bit confusing for CAS configuration for L2 OOB. I just had the same mistake not configuring a managed subnet for the L2 OOB vlan I've trunked to the trusted side.

125
Views
4
Helpful
3
Replies
CreatePlease to create content