NAC appliance troubles under 4.1.1

Hi, we are doing a testbed with the NAC appliance. We are doing basic tests with the latest version, 4.1.1 (30 April).

We are in an OOB test with virtual gateway mode. Our problem is very basic. For this test we are using the local database.

TEST1

When we authenticate through the web page (no agent required), all is good: we are moved to the access VLAN and we can work. Sniffing, we can see the SNMP that reassigns the access VLAN. In this case the state and the display in logged-in users is consistent; we are shown with the AllAccess role.

TEST2

If we authenticate through the CAA, the authentication is displayed as successful on the agent. The logged OOB users list displays the test user with our AllAccess profile, but the logs show that we were moved to the Temporary Role (discrepancy here). If we sniff SNMP from the CAM to the switch, no SNMP is generated from the CAM to the switch. In this case we stay in the Auth VLAN and we always loop for reauthentication, as the CAM considers us logged in but didn't move the VLAN. For this test we use a compliant machine.

TEST3

If we test with a non-compliant machine, we stay in the Auth VLAN, which is normal, and we can access sites for remediation (normal behaviour).

In the three cases the config of roles etc. is exactly the same; the only difference is that we authenticated in a different way.

So for a compliant machine with authentication through the CAA, we have a problem.

Has anyone experienced the same issue?

Best Regards

Miguel Luna

3 Replies

pcabarga
Level 1

Miguel,

I have seen this error when the client can't reach the CAS server. Are you doing a Central or Edge deployment? Are you behind an IP phone?

How are the VLANs configured?

Regards,

Pedro Cabarga

Hi Pedro, no, we could find a configuration mistake on the CAS. The issue is now resolved. I was so surprised to see a discrepancy that I thought it could be a bug.

In fact it was very simple: the list of managed VLANs was not correct on the CAS. So in this case, yes, there is a communication problem and the discrepancy on the CAM appears.

Thank you very much for your answer.

Miguel

Yes - the documentation is a bit confusing for CAS configuration for L2 OOB. I just made the same mistake of not configuring a managed subnet for the L2 OOB VLAN I've trunked to the trusted side.
