NAC: OOB --VLAN does not change when user logs out.
I have been experimenting with NAC appliance on a small test network for a little while. I have an OOB Virtual gateway scenario using the Clean Access Agent to perform a very basic AV install and definition check. I am authenticating to a Local DB on the CAS with just a few test users.
Everything works fine. I have SNMP linkup/linkdown traps configured so that when a machine shuts down or restarts the machine is placed back in the Authentication VLAN and when authentication and posture validation takes place and is successful, the machine is moved to an Access VLAN and has network access. Users are showing up properly in the out of band user list and are removed as soon as a linkdown trap is received. Machines are showing up in the certified devices list properly when they pass posture validation.
I have noticed one thing that troubles me though and I am wondering if this is normal behavior or if I have missed something in the NAC configuration. If a user authenticates properly and the machine passes posture validation they get network access. If the user then logs out of Windows (no restart or shutdown), the link never goes down on the switch. Because of this, the user stays in the out of band user list on the CAM and the machine stays in the Access VLAN. If a new Windows user logs into the machine, no new authentication or posture validation takes place and the machine is still in the Access VLAN.
I would imagine that AD SSO would take care of this, but I have not gotten to that point yet. Also, what if a non-AD machine comes on the network? We are back to the same problem. It seems like there should be a way for the NAC appliances to recognize a logout, delete the user's session and move the switchport back to the authentication VLAN.
If anyone has any insight into this issue, I would love to hear from you.
Re: NAC: OOB --VLAN does not change when user logs out.
If User1 is logged in, he is in the CDL and the Online-User List. When User1 logs off and User2 logs into the same client, User1 is removed from the Online-User List and User2 will be in the Online-User List.
This will occur when in the port profile you have checked the following:
Remove other out-of-band online users on the switch port when a new user is detected on the same port.
If a non-AD machine comes onto the network, then AD SSO fails and the user will be prompted to enter credentials manually before accessing the network.
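To make the behaviour discussed in this thread concrete, here is an added, simplified model of the CAM's out-of-band port handling (example code, not Cisco's implementation): a Windows logout produces no trap, so the session survives unless the "remove other out-of-band online users" port-profile option is set. The VLAN ids are constructed samples, and the assumption that clearing the old session also returns the port to the Authentication VLAN until the new user authenticates is labelled in the code.

```python
from dataclasses import dataclass, field

AUTH_VLAN = 100    # constructed sample: Authentication VLAN
ACCESS_VLAN = 200  # constructed sample: Access VLAN


@dataclass
class OobPort:
    """Minimal model of one switch port as tracked by the CAM (assumption)."""
    remove_other_users: bool               # the port-profile checkbox from the reply
    vlan: int = AUTH_VLAN
    online_users: set = field(default_factory=set)

    def linkdown_trap(self):
        # Shutdown/restart: the switch sends a linkdown trap, the CAM removes the
        # OOB session and the port returns to the Authentication VLAN.
        self.online_users.clear()
        self.vlan = AUTH_VLAN

    def auth_success(self, user):
        # Authentication and posture validation passed: user is online, port is
        # moved to the Access VLAN.
        self.online_users.add(user)
        self.vlan = ACCESS_VLAN

    def windows_logout(self):
        # A Windows logout generates no linkup/linkdown trap, so nothing changes.
        return None

    def new_user_detected(self, user):
        # A different user is detected on the same port.
        if self.remove_other_users:
            # Assumption of this model: removing the previous OOB users also puts
            # the port back in the Authentication VLAN until `user` authenticates.
            self.online_users.clear()
            self.vlan = AUTH_VLAN


def logout_scenario(remove_other_users, second_user_authenticates=False):
    """User1 passes NAC, logs out of Windows, User2 logs into the same machine."""
    port = OobPort(remove_other_users=remove_other_users)
    port.auth_success("user1")
    port.windows_logout()
    port.new_user_detected("user2")
    if second_user_authenticates:
        port.auth_success("user2")
    return port.vlan, set(port.online_users)
```

With the option unset, `logout_scenario(False)` leaves the port in the Access VLAN with user1 still online, which is exactly the gap described in the question.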