https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1491999#M797203 <HTML><HEAD></HEAD><BODY><P>looks like the trusted root for the cam or cas is not imported on the respective servers. ...</P><P>ie import the cas's public root on the cam and vice versa</P></BODY></HTML> Thu, 22 Jul 2010 12:25:09 GMT mecampr 2010-07-22T12:25:09Z https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1491998#M797202 <P>1st qeustion</P><P></P><P>i am trying to pass my wireless users through nac. i have catalyst 3560 switch to which everything is connected to including the nas,nam,wlc and ap.</P><P>the problem is i can see the wireless users registered in the nam but they are unable to pick ip address. what could be the problem i attached every configuration i did on the switch, wlc and nam.</P><P></P><P>2nd question</P><P>how could i fix this error message</P><P>"</P><P></P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/5/1/0/6015-error1.png" alt="error1.png" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P> Fri, 21 Feb 2020 12:02:01 GMT https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1491998#M797202 mshebelle 2020-02-21T12:02:01Z https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1491999#M797203 <HTML><HEAD></HEAD><BODY><P>looks like the trusted root for the cam or cas is not imported on the respective servers. ...</P><P>ie import the cas's public root on the cam and vice versa</P></BODY></HTML> Thu, 22 Jul 2010 12:25:09 GMT https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1491999#M797203 mecampr 2010-07-22T12:25:09Z https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1492000#M797204 <HTML><HEAD></HEAD><BODY><P>1) On the Device Management &gt; Clean Access Servers &gt; Advanced &gt; Managed Subnet page, uncheck "Enable subnet-based VLAN retag".&nbsp; You don't need that checked to do VLAN mapping, and it breaks most networks.</P><P></P><P>2) There are two red nag messages.&nbsp; One is complaining that you're using the temporary perfigo end entity certificate, and one that you have the temporary perfigo root in your trusted certificate authorities.&nbsp; The only way to get rid of those messages is to get a CA-signed (non-perfigo) cert.&nbsp; The reasoning behind this is that these certs are only meant for non-production environments, so if this is just a test network, you can just ignore them.</P></BODY></HTML> Thu, 22 Jul 2010 14:12:09 GMT https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1492000#M797204 Lauren Sullivan 2010-07-22T14:12:09Z https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1492001#M797205 <HTML><HEAD></HEAD><BODY><P>yeah, lauren you were right i needed to uncheck the "Enable subnet-based VLAN retag" and the agents pops up and it works fine.</P><P>what about if i don't want to user the agent and rather use the web login? what are the steps i need to follow? does it automatically pops up like the agent does? thank you very much bzw...u really saved my day.</P></BODY></HTML> Fri, 23 Jul 2010 09:46:38 GMT https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1492001#M797205 mshebelle 2010-07-23T09:46:38Z https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1492002#M797206 <HTML><HEAD></HEAD><BODY><P>If the user is in the auth VLAN and opens up a browser, they should get redirected to the CAS login page.&nbsp; For this to happen, you do need to make sure that whatever web address they're trying to go to is blocked in the unauth traffic policy - so if&nbsp; you had an "allow all" traffic rule in the unauth role for testing, make sure you remove it.</P></BODY></HTML> Fri, 23 Jul 2010 12:32:35 GMT https://community.cisco.com/t5/network-security/nac-multiple-issues/m-p/1492002#M797206 Lauren Sullivan 2010-07-23T12:32:35Z