I have installed and configured NAC 3310. I have configured L2 OOB Virtual Gateway (as it is a central deployment). I did the following in my configuration:
1. Install the Manager
2. Install the Server
3. Add the server to the Manager
4. Configure Managed Subnets, VLAN mapping, SNMP configuration on both switch and NAC, add the switch and configure port profiles.
My problem is that when I plug a PC into the switch port, the CCA installed on the PC doesn't pop up for authentication. I can see the port moving to the authentication VLAN and I can get an IP address from DHCP, but I can't access anything (not even ping the CAS). It used to work before, but I was using the evaluation license of NAC and a different access switch (2960). Now I'm using a 2900XL. Any idea please!
I think the problem was my IOS. The switch has ver 12.1, while for the 3750 it is recommended 12.2(25)SEE and above. I replaced the switch with one that has the latest IOS and it works. I could not upgrade the old one due to a memory problem.
is configured to pop up on login so users can access the secure network.
The agent however pops up maybe one time in 10. I can trigger it to pop up by releasing and renewing the IP address of the machine (the IP address doesn't change, it just renews). The Agent login will pop up immediately then and I can log in; however, most users won't have admin rights to perform this and they shouldn't have to.
Once logged in everything works fine but I can't roll this solution out yet as the Agent popup is so unreliable....
The NACAgentUI process can be seen running in Task Manager even if it hasn't popped up and is visible in the taskbar; however, you cannot manually launch it. The login button is available but nothing happens when I click on it...
Is there a debugger or log generator I can run for this...?
It sounds like you do not have the timer set to clear the online users. They will stay logged in unless they reboot, or there is a trap received telling the CAS that the device is logged off. If you want the users to authenticate every time, set the timer to clear the certified device list after 10 to 12 hours. This way the clients have to re-auth the next morning, or 10 to 12 hours after they log on. I have run into issues like this before. I am no longer running 4.7.2 but 4.8, so out-of-band logoff is supported. Let me know if this helps or if this does not fix it and I can dig into this a little more.
Yes, if you are using an unsupported switch IOS it is expected not to work, as the CAM contains the OIDs for the supported switches, and if it does not contain the OID for the switch you are trying to use, then it will not work.
I was confused about the switch model you are using, as you spoke about 2900XL and later on 3750...
Anyway, please check out the supported models and IOS minimum version: