Cisco Support Community
New Member

NAC in-band user logout issue

I'm trying to deploy Cisco NAC as in-band and I've got the following issue:

- if the user tries to log out (being logged in via web or using the Cisco NAC agent), logs off Windows, or shuts down the PC, nothing happens - the user is still seen on the Online users page and has access to everything.

The only error messages I found on the CAM were in the apache log:

 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key= HTTP/1.1" 400 -
 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -

Could someone help me with it?
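
Added example, not part of the original post and not Cisco tooling: one way to pull rejected logout requests out of an Apache access log so they can be matched against sessions that linger on the Online Users page. It assumes Common Log Format with the client address present; the addresses, the `user_key` value and the last two sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: the first two requests mirror the entries in the post;
# client addresses (192.0.2.0/24), the user_key value and the last two lines
# are made up for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key= HTTP/1.1" 400 -
192.0.2.11 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -
192.0.2.12 - - [11/Feb/2010:13:40:02 +0300] "GET /auth/perfigo_logout.jsp?user_key=CONSTRUCTED HTTP/1.1" 200 312
192.0.2.12 - - [11/Feb/2010:13:40:05 +0300] "GET /favicon.ico HTTP/1.1" 404 -
"""


def failed_logouts(log_text):
    """Return one dict per logout request the server answered with status >= 400."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Common Log Format line
        parts = urlsplit(m["target"])
        # Decode before matching so client%5flogout%2ejsp is seen as client_logout.jsp
        path = unquote(parts.path)
        status = int(m["status"])
        if "logout" not in path.lower() or status < 400:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "host": m["host"],
            "time": m["time"],
            "method": m["method"],
            "path": path,
            "status": status,
            "path_was_encoded": path != parts.path,
            "empty_user_key": query.get("user_key") == [""],
        })
    return findings


if __name__ == "__main__":
    for f in failed_logouts(SAMPLE_LOG):
        print(f)
```

The `host` and `time` fields of each finding can be compared with the IP addresses and login times shown on the Online Users page.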


Re: NAC in-band user logout issue


Need more info. What sort of setup is it? Versions (agent/CCA)? VGW/RIP? L2/L3? Any SSO's? Please post your network diagram (L2 and L3 both) and the CAM/CAS logs.



New Member

Re: NAC in-band user logout issue


Here is the info you requested:

- it's L3 setup, CAS is the Real-IP gateway for user networks;

- version of CCA - 4.7.2, agent's version is the latest, the user's workstation works under Windows XP;

- authentication via local DB of CAM, no SSO.

Can't post any diagram now, can do it tomorrow.

In the CAM's events logs I can see that the user successfully logged in, but after I press the Log out button there is nothing.

No traffic is blocked between the agent, CAS and CAM.



Re: NAC in-band user logout issue


Okay. Please post the net diagram and your CAM/CAS logs with times when you've done the tests and also the Client logs from the client itself.



NAC in-band user logout issue

I have the same problem with my customer.

  • So I have: In-Band - Virtual IP Gateway (L3 deployment) 4.7.2
    1 CAM installed in central site
    1 CAS installed in central site
    All traffic from remote sites will pass through the CAS in-band (inline VLAN 563 to 63 access VLAN, central site)

Some configurations about timers:

User Management / User Role / Schedule / Heartbeat Timer
Enable Heartbeat Timer (Enable)

Log Out Disconnected Users After: 5 minutes

Device Management / Clean Access / General Setup / Agent Login

User Role - "Remote users"
Operating system "all"

Enable - Logoff NAC Agent users from network on their machine logoff or shutdown after "1 minute" (for Windows & In-band setup)

Next we see one user that logs out of the network but is still in the "IB - Online Users" list. If another user connects to the network and takes the SAME IP address, the user does not need to authenticate, because the IP address is still in the list, so the user can access the whole network normally.

Can you help with this problem?

Tks a lot.
