https://community.cisco.com/t5/network-security/cisco-nac-agent-pop-up-twice-login-twice/m-p/1637270#M758658 <P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Dear All:</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">We have NAC&nbsp; version 4.8.0 and the agent version is 4.8.1.5. The deployment type is Out-Of-band virtual gateway. Windows SSO is enable and working as a champion but the problem is when the agent successfully login the users the CAM logs out it after a while (NAC agent pop up again) I found that the switch port is changed back to the unauthenticated VLAN by the CAM and then to the access VLAN.</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">The host under testing: IP 10.30.8.207, MAC 78:E7:D1: CD: D8:8A and the switch port is 10048 (FA0/48)</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">The log for kicking out the user is:</SPAN></P><P class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; mso-layout-grid-align: none;"><SPAN style="color: #000000; font-size: 10pt;">2011-03-09 13:15:30.450 +0300 [Timer-199783] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>- DLIM: delete DLI for 10.30.8.207 from CAS user_key='10.30.8.207_VTMJDKPIR41ABQLT'</SPAN></P><P class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; mso-layout-grid-align: none;"><SPAN style="color: #000000; font-size: 10pt;">2011-03-09 13:15:30.451 +0300 [Thread-334356] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>- DLIM: userip = 10.30.8.207maclist = 78:E7:D1:CD:D8:8Auserkey = user_key='10.30.8.207_VTMJDKPIR41ABQLT'</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">And the log for login is:</SPAN></P><P class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; mso-layout-grid-align: none;"><SPAN style="color: #000000; font-size: 12pt;"><SPAN style="font-size: 10pt;">2011-03-09 13:15:57.335 +0300 [TP-Processor24] TRACE com.perfigo.wlan.web.sms.SnmpTimerTask<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>- SnmpTimerTask com.perfigo.wlan.web.sms.task.SwitchCertifiedTask id=2004989 is created: set port [10048] to Access VLAN [308] on switch [10.1.40.14] for [78:E7:D1:CD:D8:8A</SPAN>]</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">I don’t know the meaning of “DLIM: delete DLI for 10.30.8.207 from CAS” and why this is happening. Would you please help?</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Attached log file.</SPAN></P> Fri, 21 Feb 2020 12:16:54 GMT abu_khair 2020-02-21T12:16:54Z https://community.cisco.com/t5/network-security/cisco-nac-agent-pop-up-twice-login-twice/m-p/1637270#M758658 <P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Dear All:</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">We have NAC&nbsp; version 4.8.0 and the agent version is 4.8.1.5. The deployment type is Out-Of-band virtual gateway. Windows SSO is enable and working as a champion but the problem is when the agent successfully login the users the CAM logs out it after a while (NAC agent pop up again) I found that the switch port is changed back to the unauthenticated VLAN by the CAM and then to the access VLAN.</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">The host under testing: IP 10.30.8.207, MAC 78:E7:D1: CD: D8:8A and the switch port is 10048 (FA0/48)</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">The log for kicking out the user is:</SPAN></P><P class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; mso-layout-grid-align: none;"><SPAN style="color: #000000; font-size: 10pt;">2011-03-09 13:15:30.450 +0300 [Timer-199783] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>- DLIM: delete DLI for 10.30.8.207 from CAS user_key='10.30.8.207_VTMJDKPIR41ABQLT'</SPAN></P><P class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; mso-layout-grid-align: none;"><SPAN style="color: #000000; font-size: 10pt;">2011-03-09 13:15:30.451 +0300 [Thread-334356] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>- DLIM: userip = 10.30.8.207maclist = 78:E7:D1:CD:D8:8Auserkey = user_key='10.30.8.207_VTMJDKPIR41ABQLT'</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">And the log for login is:</SPAN></P><P class="MsoNormal" style="line-height: normal; margin: 0in 0in 0pt; mso-layout-grid-align: none;"><SPAN style="color: #000000; font-size: 12pt;"><SPAN style="font-size: 10pt;">2011-03-09 13:15:57.335 +0300 [TP-Processor24] TRACE com.perfigo.wlan.web.sms.SnmpTimerTask<SPAN style="mso-spacerun: yes;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN>- SnmpTimerTask com.perfigo.wlan.web.sms.task.SwitchCertifiedTask id=2004989 is created: set port [10048] to Access VLAN [308] on switch [10.1.40.14] for [78:E7:D1:CD:D8:8A</SPAN>]</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">I don’t know the meaning of “DLIM: delete DLI for 10.30.8.207 from CAS” and why this is happening. Would you please help?</SPAN></P><P class="MsoNormal" style="margin: 0in 0in 10pt;"><SPAN style="font-family: Calibri; color: #000000; font-size: 12pt;">Attached log file.</SPAN></P> Fri, 21 Feb 2020 12:16:54 GMT https://community.cisco.com/t5/network-security/cisco-nac-agent-pop-up-twice-login-twice/m-p/1637270#M758658 abu_khair 2020-02-21T12:16:54Z https://community.cisco.com/t5/network-security/cisco-nac-agent-pop-up-twice-login-twice/m-p/1637271#M758659 <HTML><HEAD></HEAD><BODY><P>Hello!</P><P></P><P>Maybe my answer will help you.</P><P></P><P>So, I had a similar problem with my Out-of-Band Real-IP-Gateway deployment. The reason was that NAC agent was still commnicating with untrusted interface of the NAC server, after logging in with Windows AD login/password. And of course, NAC agent pop up again, after client successfully looged in with active directory login\password, and his computer were transferring from "auth" vlan to "access" vlan.</P><P>Cisco experts says, that it's better to brake communication between NAC agent and NAC server, if the client machine is in access vlan. You can implement, for example, an access-list for "access" vlan. The goal of that access-list is to deny all packets destined for NAC server, and permit all other packets.</P></BODY></HTML> Sun, 13 Mar 2011 18:40:04 GMT https://community.cisco.com/t5/network-security/cisco-nac-agent-pop-up-twice-login-twice/m-p/1637271#M758659 Petr Nagernyuk 2011-03-13T18:40:04Z