topic NAC - Global Device Filter in OOB deployment in Network Access Control

NAC - Global Device Filter in OOB deployment

boris.senker — Mon, 11 Mar 2019 01:44:22 GMT

Hi,

Some help would be appriciated. I'm trying to bypass authentication/posture assessment for a printer in an OOB NAC deployment (CAM/CAS Version 4.9.0
).

I added the device MAC address in the global device filter, with the ALLOW access type set.

"Change VLAN according to global device filter list" option is checked in the port profile set on the corresponding switch port.

However, the device ends up in the Auth VLAN every time...

What am I missing?

NAC - Global Device Filter in OOB deployment

Tarik Admani — Sun, 22 Jan 2012 00:59:17 GMT

Are you managing the switch port in the CAM database and do you have a port profile assigned to the port? Also check your snmp settings, one more thing...what do you see in the event logs?

You can also set the OOB logging to debug and shut and no shut the port, check the nac manager.log file after downloading the logs and see what the logs show.

thanks,

Tarik Admani

NAC - Global Device Filter in OOB deployment

boris.senker — Tue, 24 Jan 2012 14:02:43 GMT

Hi Tarik,

Yes, the port is managed and a test profile named 'Printer_test' is currently assigned to the port.

Here is what I see in the nac manager.log file (level set to debug) after the port comes up:

2012-01-24 14:41:08.219 +0100 DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpTrapListener - Received trap event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]

2012-01-24 14:41:08.219 +0100 DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 is created: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]

2012-01-24 14:41:08.219 +0100 DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpManager - Task from device 10.1.0.32 submitted with task id 5091348

2012-01-24 14:41:08.219 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 starts run() after 0ms.

2012-01-24 14:41:08.219 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - Resolved PortProfile Switch Port Profile [ id=4 name='Printer_test' type='normal' auth_vlan=100 access_vlan=15 idle_vlan=-1 attributes=635 vlan_profile_id=0 description='' reserved='' ] from event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 INFO com.perfigo.wlan.web.sms.SnmpRunnable - Received SNMP LINK_UP trap, but switch 10.1.0.32 is not using LINK_UP for task 5091348

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - Trap does not need to processed: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0] for task 5091348

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 ends run() after 1ms.

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 finishes after 1ms.

NAC - Global Device Filter in OOB deployment

mgraham50 — Wed, 11 Apr 2012 12:02:40 GMT

Was this ever resolved?

We are having issues as well and you can see in the above log the mac-address value is NULL. The NAC wont operate without knowing the mac-address of the client on the switchport.