Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC: OOB --VLAN does not change when user logs out.

I have been experimenting with NAC appliance on a small test network for a little while. I have an OOB Virtual gateway scenario using the Clean Access Agent to perform a very basic AV install and definition check. I am authenticating to a Local DB on the CAS with just a few test users.

Everything works fine. I have SNMP linkup/linkdown traps configured so that when a machine shuts down or restarts the machine is placed back in the Authentication VLAN and when authentication and posture validation takes place and is successful, the machine is moved to an Access VLAN and has network access. Users are showing up properly in the out of band user list and are removed as soon as a linkdown trap is received. Machines are showing up in the certified devices list properly when they pass posture validation.

I have noticed one thing that troubles me though and I am wondering if this is normal behavior or if I have missed something in the NAC configuration. If a user authenticates properly and the machine passes posture validation they get network access. If the user then logs out of Windows(no restart or shutdown), the link never goes down on the switch. Because of this, the user stays in the out of band user list on the CAM and the machine stays in the Access VLAN. If a new windows user logs into the machine, no new authentication or posture validation takes place and the machine is still in the Access VLAN.

I would imagine that AD SSO would take care of this, but I have not gotten to that point yet. Also, what if a non AD machine comes on network we are back to the same problem. It seems like there should be a way for the NAC appliances to recognize a logout, delete the user's session and move the switchport back to the authentication VLAN.

If anyone has any insight into this issue, I would love to hear from you.


Re: NAC: OOB --VLAN does not change when user logs out.

Go through this Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3) .

New Member

Re: NAC: OOB --VLAN does not change when user logs out.

For an OOB deployment this is a normal behavior. We have an option for this available for the In-Band deployment.

In OOB only way to clear the Certified Device List is to setup a timer or do it manually

Reason for this is Agent is not inline with the CAS and cannot send the log off packet to CAS

New Member

Re: NAC: OOB --VLAN does not change when user logs out.

If a User1 is logged in, and he is in CDL and Online-User List. When User1 logs off and User2 logs into the same client User1 is removed from the Online-user list and User2 will be in the Online-user list

This will occur when in the port profile you have checked the following:

Remove other out-of-band online users on the switch port when a new user is detected on the same port.


If a non AD machine comes on to network then AD SSO fails and will be prompted to enter credential manually before accessing the network

CreatePlease login to create content