Cisco Support Community
Community Member

NAC Implementation

I have configured NAC, but on the login page, when I enter the user name and password, the password field becomes empty and nothing happens.

interface GigabitEthernet1/0/18
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 507,513,540
switchport mode trunk

interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 504
switchport mode trunk

User in VLAN 513

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: NAC Implementation

Vikram,

Please turn the checkbox marked "Enable Subnet-Based VLAN retag" off, reboot your CAS and try again.

Thanks,

Faisal

Re: NAC Implementation

Vikram,

Have you added a trap-receiver in your WLC? The error means CAM didn't get the trap.

Faisal

12 REPLIES
Community Member

Re: NAC Implementation

Reply if anything is missing.

Re: NAC Implementation

Vikram,

Can you share what your certs look like on the CAS and the CAM?

Also, your managed subnet is for VLAN 501, and your mappings are for 504->513.

You're also requiring the web agent AND the agent on the unauthenticated role which doesn't make sense.

You also have the Web Login options turned on for the consultant role. These are used only for Nessus scanning, so you should turn those off.

Please fix these and send me what your certs look like from both the CAM and the CAS.

Faisal

Community Member

Re: NAC Implementation

I am getting the user login page, but when I try to enter the user name and password, the password box goes blank and nothing happens. What settings should I check?

Re: NAC Implementation

Vikram,

Did you fix the things I detailed? Can you share your certificate setups on CAS and CAM?

Faisal

Community Member

Re: NAC Implementation

Hi Faisal,

I have followed the process...

Without adding the management subnet I was able to ping the gateway,

but now (after the changes) I am not able to ping the NAC server or the gateway.

Please find the attachments.

Consultant VLAN- 513   IP - 10.20.20.0

Untrusted- 504 NO IP

L2

interface FastEthernet0/46
switchport access vlan 504   ***** Consultant PC****** ( It Should Consultant VLAN 513 or untrusted VLAN 504)
switchport mode access
snmp trap mac-notification added
spanning-tree portfast

L3

interface GigabitEthernet1/0/15   **** NAC Srv untrusted***
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 501,504
switchport mode trunk

interface GigabitEthernet1/0/18   ***** NAC Srv Trusted****
switchport trunk encapsulation dot1q
switchport trunk native vlan 998
switchport trunk allowed vlan 507,513,540
switchport mode trunk

interface GigabitEthernet1/0/10   ***** NAC Mgr ****
switchport access vlan 506
spanning-tree portfast

route

10.0.0.0 10.1.8.2  ( 10.1.8.2- Firewall IP )
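
An added example, not part of the thread and not Cisco tooling: a Python check of the L3 trunk stanzas posted above against the VLAN mapping (504->513) and managed-subnet VLAN (501) mentioned earlier in the thread. The function names, the trimmed sample config and the rule that a VLAN should not be allowed on both trunks are assumptions made for illustration.

```python
import re

# Constructed input: the L3 trunk stanzas from the post, trimmed to the VLAN lines.
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/15
 switchport trunk native vlan 999
 switchport trunk allowed vlan 501,504
interface GigabitEthernet1/0/18
 switchport trunk native vlan 998
 switchport trunk allowed vlan 507,513,540
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '501,504-506' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def allowed_vlans(config):
    """Map each interface name to the VLANs its trunk allows."""
    result, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            result[current] = set()
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\- ]+)$", line)
        if m and current:
            result[current] |= expand_vlans(m.group(1))
    return result

def check(config, untrusted_if, trusted_if, mappings, managed_vlan):
    """Return findings; mappings is {untrusted_vlan: trusted_vlan} (assumed model)."""
    trunks = allowed_vlans(config)
    untrusted, trusted = trunks[untrusted_if], trunks[trusted_if]
    findings = []
    for vlan in sorted(untrusted & trusted):  # assumption: the two sides must stay separate
        findings.append(f"VLAN {vlan} is allowed on both trunks")
    for u, t in mappings.items():
        if u not in untrusted:
            findings.append(f"untrusted VLAN {u} is not allowed on {untrusted_if}")
        if t not in trusted:
            findings.append(f"trusted VLAN {t} is not allowed on {trusted_if}")
    if managed_vlan not in mappings:
        findings.append(f"managed subnet VLAN {managed_vlan} has no VLAN mapping")
    return findings
```

Called as `check(SWITCH_CONFIG, "GigabitEthernet1/0/15", "GigabitEthernet1/0/18", {504: 513}, 501)`, it reports the managed-subnet mismatch raised earlier in the thread.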

Re: NAC Implementation

Vikram,

Please turn the checkbox marked "Enable Subnet-Based VLAN retag" off, reboot your CAS and try again.

Thanks,

Faisal

Community Member

Re: NAC Implementation

Thanks Faisal Bhai

Thank you...............

Community Member

Re: NAC Implementation

A wireless user is not able to authenticate and is getting the following error:

Unable to process out-of-band login request from [00:21:5D:80:9C:00 ##  10.20.20.5] vikram. Cause: OOB client 00:21:5D:80:9C:00/10.20.20.5 not found.

Re: NAC Implementation

Vikram,

Have you added a trap-receiver in your WLC? The error means CAM didn't get the trap.

Faisal

Community Member

Re: NAC Implementation

Hi Faisal, there was a mismatch in the community name.

Thanks.....

Community Member

Re: NAC Implementation

Dear Faisal

Sometimes the user is not able to ping the NAC server; that's why they are not redirected to the NAC server.

The user is getting an Internet connection directly.

Community Member

Re: NAC Implementation

Another issue I have found that results in this error is two MAC addresses showing up in the CAM table of the switch. If the first one to show up is not the one used when the user tried to authenticate, it will result in this error.

You can verify the cam entries either from the switch or from OOB Management --> Devices.  Look at the Client MAC entry for the port.

Haven't quite figured out how/why the device has two MAC addresses but that is the issue.
