topic Re: NAC CCA Problem in Network Security

NAC CCA Problem

Joshua Warcop — Fri, 21 Feb 2020 09:30:50 GMT

I have a CAM/CAS deployment in L2 OOB - vlan 545 trunked to untrusted and vlan 245 trunked to the trusted side. The switch/device/port profiles are setup via snmpv3. The switchport is not being bounced since the IP address is not being changed from auth vlan to access vlan. I hook a PC up and I get the CCA login page when I try and access a website on the trusted network. I put in some valid credentials and I see the snmp information being sent to the switch. Howerver, the switchport never changes to the access vlan and the CCA login page re-displays itself. What could I be missing here?

Re: NAC CCA Problem

dario.didio — Wed, 09 May 2007 14:03:38 GMT

Hello,

Logically I would say that SNMP is not configured correctly.

Could you try to change to version 1 and see if that works? Then you are sure that the NAC appliance is configured correctly.

Can you tell us what kind of switch you are using as access switch?

If you're switch is L3 (on network level, not on NAC level) then C6500 and C4500, no problem. C3750/C3560 must be running 12.2(25)SEE or higher. C3550 is not supported to be in L3.

For more detail, see following matrix: http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca40/switch.htm#wp60598

hope this helps.

Re: NAC CCA Problem

Joshua Warcop — Wed, 09 May 2007 14:08:09 GMT

Thanks for the quick reply - I actually found my mistake to be the same as posted in the thread "General: NAC appliance troubles under 4.1.1".

I went back to the CAS and added the L2 subnet as a managed subnet and enabled Layer 3 support. I really don't think I needed to enable Layer 3 support, but I found info stating that it will not be enabled for subnets that are also configured as managed subnets. So I figure no harm no foul.

I'm using a 3750 as the access switch and have upgraded to the latest. SNMPv3 seems to be working good - boy I wish I had an ACS server right now......