Community Member

NAC multiple issues

1st question

I am trying to pass my wireless users through NAC. I have a Catalyst 3560 switch to which everything is connected, including the NAS, NAM, WLC and AP.

The problem is I can see the wireless users registered in the NAM, but they are unable to pick up an IP address. What could be the problem? I attached every configuration I did on the switch, WLC and NAM.

2nd question

How could I fix this error message? (attached: error1.png)

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: NAC multiple issues

1) On the Device Management > Clean Access Servers > Advanced > Managed Subnet page, uncheck "Enable subnet-based VLAN retag". You don't need that checked to do VLAN mapping, and it breaks most networks.

2) There are two red nag messages. One is complaining that you're using the temporary Perfigo end entity certificate, and one that you have the temporary Perfigo root in your trusted certificate authorities. The only way to get rid of those messages is to get a CA-signed (non-Perfigo) cert. The reasoning behind this is that these certs are only meant for non-production environments, so if this is just a test network, you can just ignore them.

4 REPLIES
Community Member

Re: NAC multiple issues

Looks like the trusted root for the CAM or CAS is not imported on the respective servers. ...

i.e. import the CAS's public root on the CAM and vice versa.

Community Member

Re: NAC multiple issues

Yeah, Lauren, you were right. I needed to uncheck "Enable subnet-based VLAN retag", and now the agent pops up and it works fine.

What about if I don't want to use the agent and would rather use the web login? What are the steps I need to follow? Does it automatically pop up like the agent does? Thank you very much, btw... you really saved my day.

Community Member

Re: NAC multiple issues

If the user is in the auth VLAN and opens up a browser, they should get redirected to the CAS login page. For this to happen, you do need to make sure that whatever web address they're trying to go to is blocked in the unauth traffic policy - so if you had an "allow all" traffic rule in the unauth role for testing, make sure you remove it.
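The reply above hinges on the unauth-role traffic policy denying the user's HTTP request so that the CAS can intercept it. The following is an added toy model of that first-match policy evaluation (not code from the thread or from Cisco); the rule fields, the implicit default action, and all addresses and ports are constructed assumptions, but it shows why a leftover "allow all" rule prevents the web-login redirect while a minimal DNS-plus-CAS policy does not.

```python
# Added example: toy model of the Clean Access unauthenticated-role traffic policy.
# Assumption: rules are evaluated top-down, first match wins, and a flow that
# matches no rule is blocked, which is what triggers the redirect to the CAS login.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str          # "allow" or "block"
    proto: str           # "tcp", "udp" or "any"
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # destination port, None = any port


def first_match(rules: List[Rule], proto: str, dst_ip: str, port: int) -> str:
    """Return the action of the first rule matching the flow, else "block"."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(r.dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "block"  # implicit default in this model


def web_login_redirects(rules: List[Rule], dst_ip: str = "203.0.113.10") -> bool:
    """True if a plain HTTP request from the auth VLAN is blocked by the unauth
    policy and would therefore be redirected to the CAS login page."""
    return first_match(rules, "tcp", dst_ip, 80) == "block"


# Constructed "testing leftover": an allow-all rule in the unauth role.
UNAUTH_ALLOW_ALL = [Rule("allow", "any", "0.0.0.0/0", None)]

# Constructed minimal unauth policy: DNS plus the CAS itself (assumed 10.0.0.5).
UNAUTH_MINIMAL = [
    Rule("allow", "udp", "10.0.0.0/24", 53),
    Rule("allow", "tcp", "10.0.0.5/32", 443),
    Rule("allow", "tcp", "10.0.0.5/32", 80),
]

if __name__ == "__main__":
    print("allow-all policy redirects:", web_login_redirects(UNAUTH_ALLOW_ALL))  # False
    print("minimal policy redirects:", web_login_redirects(UNAUTH_MINIMAL))      # True
```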
