1.) Nope, not correct. Your mappings are not working correctly. Go to User Management > Auth Servers > and click the Mapping Rules tab.
2.) This could be normal behavior if you have allowed those accesses to the unauthenticated role. Go to User Management > User Roles > click the Traffic Control tab. If you didn't allow it there, verify the MAC and/or IP address is not "whitelisted". Go to Device Management > and click the Devices tab. If neither of these allows the client, they may not be set up to go through the Clean Access Server. Verify your VLAN mappings are correct. Go to Device Management > CCA Servers > Manage the appropriate server > click Advanced > click Managed Subnet.
3.) Agree. They may not be enough. I recommend using Wireshark or a similar network sniffer on a host behind the CAS and sniffing traffic going to and from the client. You will likely find a port that should be open that is not. Remember, by default everything is allowed from a trusted source (DC) to the untrusted source (client), so you probably only need to look at sniffing the client side of the connection. Look for attempts to connect to your DC(s) IP address from the client where the port is not allowed through the traffic rules mentioned in #2.
4.) They should not be allowed to browse until moving from unauthenticated to another more trusted role. If they can't browse it means they are not getting placed into the correct role. Again I reference #2 answers above.
5.) It should not. Verify the user after authenticating is not still being placed into the incorrect role. See answers to question 1 above.
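One way to work through the capture described in answer 3, as an added example that is not part of the original reply: it lists DC ports the client tried to reach but never got a SYN-ACK for, and marks whether each port is in the role's allowed set. The addresses, the allowed-port set and the sample rows are constructed assumptions, and treating an unanswered SYN as the sign of a blocked port goes slightly beyond what the reply states.

```python
from collections import Counter

# Constructed sample rows (not a real capture), tab-separated:
# ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags -- the shape produced by e.g.
#   tshark -r client.pcap -Y "tcp.flags.syn==1" -T fields \
#     -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
SAMPLE = "\n".join([
    "10.10.20.55\t10.10.1.10\t49152\t88\t0x0002",   # SYN to DC, answered below
    "10.10.1.10\t10.10.20.55\t88\t49152\t0x0012",   # SYN-ACK
    "10.10.20.55\t10.10.1.10\t49153\t445\t0x0002",  # SYN, no reply
    "10.10.20.55\t10.10.1.10\t49153\t445\t0x0002",  # retransmitted SYN
    "10.10.20.55\t10.10.1.11\t49154\t135\t0x0002",  # SYN to second DC, no reply
    "10.10.20.55\t10.10.1.10\t49155\t389\t0x0002",
    "10.10.1.10\t10.10.20.55\t389\t49155\t0x0012",
    "10.10.20.55\t192.0.2.80\t49156\t80\t0x0002",   # not a DC, ignored
    "garbage line",                                  # malformed, skipped
])
CLIENT = "10.10.20.55"                    # assumed client behind the CAS
DC_IPS = {"10.10.1.10", "10.10.1.11"}     # assumed domain controllers
ROLE_ALLOWED_TCP = {53, 88, 389}          # assumed traffic-control rules for the role
SYN, ACK = 0x02, 0x10

def unanswered_dc_ports(rows, client_ip, dc_ips, allowed_ports):
    """Return {(dc_ip, port): {...}} for client SYNs to a DC that got no SYN-ACK."""
    pending = {}  # (client_port, dc_ip, dc_port) -> number of SYNs seen
    for line in rows.splitlines():
        f = line.split("\t")
        if len(f) != 5:
            continue
        try:
            src, dst = f[0], f[1]
            sport, dport, flags = int(f[2]), int(f[3]), int(f[4], 16)
        except ValueError:
            continue
        if not flags & SYN:
            continue
        if src == client_ip and dst in dc_ips and not flags & ACK:
            key = (sport, dst, dport)
            pending[key] = pending.get(key, 0) + 1
        elif dst == client_ip and src in dc_ips and flags & ACK:
            pending.pop((dport, src, sport), None)  # handshake was answered
    totals = Counter()
    for (_, dc, port), n in pending.items():
        totals[(dc, port)] += n
    return {k: {"syns": n, "in_role_policy": k[1] in allowed_ports}
            for k, n in sorted(totals.items())}

if __name__ == "__main__":
    for (dc, port), info in unanswered_dc_ports(SAMPLE, CLIENT, DC_IPS, ROLE_ALLOWED_TCP).items():
        print(dc, port, info)
```

A port reported with `in_role_policy` set to `False` is a candidate for the traffic rules from answer 2; one reported as `True` points at something other than the role policy.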
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: