topic Re: Cisco NAC - Mapping Rules with VLAN ID in Network Security

topic Re: Cisco NAC - Mapping Rules with VLAN ID in Network Security https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637389#M825788 <HTML><HEAD></HEAD><BODY><P>Hi Nate</P><P></P><P>I did what you suggested and is working as expected, thanks.</P><P></P><P></P><P>Kind Regards,</P><P>Daniel Stefani</P></BODY></HTML> Wed, 02 Mar 2011 13:53:07 GMT Daniel Stefani 2011-03-02T13:53:07Z Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637360#M825592 <P></P><P>Hello,</P><P></P><P>I have a NAC L3 - OOB - Real IP Gateway environment. </P><P>The NAC is the version 4.8.1. </P><P>Each floor of the company has one Access Vlan, one Auth Vlan and one User Role. </P><P></P><P>I configured an LDAP Auth Server where the default role is Unauthenticated Role </P><P>and created Mapping Rules based on the Vlan ID of Auth Vlan on each floor. </P><P></P><P>Ex: The Access Vlan of the 8th floor is  380, the Auth Vlan is 908 and User Role is </P><P>FuncionariosB8. </P><P></P><P>When I run an Auth Test, the result is as expected and User is mapped to the desired Role. </P><P></P><P>But when put into production, the user enters the Default Unauthenticated Role. </P><P></P><P>The figures attached show my settings in the NAC. </P><P></P><P>The log file below is taken nac_manager.log </P><P></P><P></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:23.091 +0100 [TP-Processor23] INFO  com.perfigo.wlan.web.admin.UserInfoManager         - UIM - removeUsersByMacList: 1 MACs 0 users</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=1 condId=1 type=2 lOp=VLAN ID op=equals rOp=907</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=0 condId=1 type=2 lOp=VLAN ID op=equals rOp=908</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=2 condId=1 type=2 lOp=VLAN ID op=equals rOp=909</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=3 condId=1 type=2 lOp=VLAN ID op=equals rOp=929</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=8 condId=1 type=2 lOp=VLAN ID op=equals rOp=928</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=11 condId=1 type=2 lOp=VLAN ID op=equals rOp=910</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=13 condId=1 type=2 lOp=VLAN ID op=equals rOp=931</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=15 condId=1 type=2 lOp=VLAN ID op=equals rOp=911</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=17 condId=1 type=2 lOp=VLAN ID op=equals rOp=912</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; ">2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}</EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; "><STRONG>2011-02-25 17:42:49.103 +0100 [Thread-72] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.</STRONG></EM></P><P style="padding-left: 30px;"><EM style="color: #000080; font-size: 10pt; "><STRONG>2011-02-25 17:42:49.354 +0100 [Thread-73] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.</STRONG></EM></P><P></P><P></P><P>Can you help me with this problem? that will need to open a TAC?</P><P></P><P></P><P>Kind Regards,</P><P>Daniel Stefani</P> Fri, 21 Feb 2020 12:15:56 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637360#M825592 Daniel Stefani 2020-02-21T12:15:56Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637361#M825598 <HTML><HEAD></HEAD><BODY><P>Hi Daniel,</P><P></P><P>You don't correctly configure a LDAP mapping rules.</P><P>LDAP use queries by looking in AD structure to find a user belongs to OU or groups and <SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">the basis of</SPAN> <SPAN class="hps" title="Click for alternate translations"></SPAN></SPAN><SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">received </SPAN></SPAN><SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Click for alternate translations">responses</SPAN> put user to the proper role.<SPAN class="hps" title="Click for alternate translations"></SPAN></SPAN></P><P>In your  NAC configuration  it always put user in Unauthenticated role because you indicate Auth VLAN 908.</P><P></P><P>For example in your AD is created a group called 'FunctionariosB8'  and it has a member called 'test'</P><P>Create a role that in the expression form be a formula 'memeberof contains FunctionariosB8'.</P><P>And you can now verify in Auth Test what is a response for user 'test'</P><P></P><P>Kamil</P></BODY></HTML> Sun, 27 Feb 2011 20:50:25 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637361#M825598 wkamil123 2011-02-27T20:50:25Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637362#M825605 <HTML><HEAD></HEAD><BODY><P>Hi Kamil,</P><P></P><P></P><P></P><P>In Mapping Rule setup, the condition VLAN ID is available for all Auth Servers.</P><P></P><P>I intend to use the condition type VLAN ID and not Attribute.</P><P></P><P>In my environment, this condition is more appropriate.</P><P></P><P>In the example you gave, you use Attribute.</P><P></P><P>See my illustrated attached file.</P><P></P><P></P><P></P><P>Thanks for the reply, but i believe it does not solve my problem.</P><P></P><P></P><P></P><P>Kind Regards,</P><P></P><P>Daniel Stefani</P></BODY></HTML> Sun, 27 Feb 2011 22:34:29 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637362#M825605 Daniel Stefani 2011-02-27T22:34:29Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637363#M825618 <HTML><HEAD></HEAD><BODY><P>Hi Daniel,</P><P></P><P>Show me how are you configure rules for users? Why are try tu use LDAP, it has any information about VLAN ID that you want to use?</P><P>I think better for you is to create port profile for a dedicated role and assign user to this role.</P><P></P><P>By the way, I verify to what you want to do and as I mention above the mapping rule is not your solution.</P><P>You must create port profile and assign port on a switch to this profile.</P><P></P><P>Kamil</P></BODY></HTML> Mon, 28 Feb 2011 08:35:26 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637363#M825618 wkamil123 2011-02-28T08:35:26Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637364#M825626 <HTML><HEAD></HEAD><BODY><P>Hi Kamil,</P><P></P><P>The settings are attached.</P><P>I'm using LDAP to use AD as a base of users and an authentication option for users who are not on the Domain but have accounts in AD.</P><P>The method of authentication via SSO is the default, but the same problem happens in Mapping Rule.</P><P>I chose to use User Role VLAN because i'm configuring the Guest access too.</P><P>Thus, a switch port may be in the Employees Network or Guest Network .</P><P></P><P>My network does not propagate VLANs on a switch to the other, the entire L3.</P><P></P><P></P><P>The focus on solving the problem should be in the nac_manager.log messages I sent in the first post.</P><P>Finding the solution to the error will solve my problem.</P><P>For some reason, NAC Manager can not read the Auth VLAN ID of the user for mapping it correctly.</P><P></P><P>It can be a SNMP problem, but not sure yet.</P><P></P><P>I am sending my SNMP settings for you see.</P><P></P><P>Kind regards,</P><P>Daniel Stefani</P></BODY></HTML> Mon, 28 Feb 2011 10:23:59 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637364#M825626 Daniel Stefani 2011-02-28T10:23:59Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637365#M825634 <HTML><HEAD></HEAD><BODY><P>The SNMP settings on a CAT switch are in mode read-only, so verify when you changed this SNMP settings for CAM's only to read-write.</P><P></P><P>Kamil</P></BODY></HTML> Mon, 28 Feb 2011 10:36:44 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637365#M825634 wkamil123 2011-02-28T10:36:44Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637366#M825643 <HTML><HEAD></HEAD><BODY><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">I</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">imagine</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">that</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">SNMP settings</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">are correct</SPAN><SPAN title="Clique para mostrar traduções alternativas">.</SPAN></P><P></P><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">If</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">I make</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">a</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">snmpwalk</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">of</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">CAM</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">for the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">switch</SPAN><SPAN title="Clique para mostrar traduções alternativas">,</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">got the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">following</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">output</SPAN></P><P></P><P></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">[root@srvtatcam001 ~]# snmpwalk -v 1 -c nac-ro 10.5.0.121 | more</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, s3223_rp Software (s3223_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH5, RELEA</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SE SOFTWARE (fc1)</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;"><SPAN>Technical Support: </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/techsupport">http://www.cisco.com/techsupport</A></SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">Copyright (c) 1986-2009 by Cisco Systems, Inc.</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">Compiled Thu 16-Apr-09 01:34 by prod</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.400</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (320415575) 37 days, 2:02:35.75</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysContact.0 = STRING: </SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysName.0 = STRING: SWITATIDF002</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysLocation.0 = STRING: </SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysServices.0 = INTEGER: 78</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifNumber.0 = INTEGER: 357</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.1 = INTEGER: 1</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.2 = INTEGER: 2</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.3 = INTEGER: 3</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.4 = INTEGER: 4</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.5 = INTEGER: 5</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.6 = INTEGER: 6</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.7 = INTEGER: 7</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.8 = INTEGER: 8</SPAN></P><P style="padding-left: 30px;"><SPAN style="color: #000080;">IF-MIB::ifIndex.9 = INTEGER: 9</SPAN></P><P></P><P style="padding-left: 30px;">.</P><P style="padding-left: 30px;">.</P><P style="padding-left: 30px;">.</P><P></P><P>Kind Regards,</P><P>Daniel Stefani</P></BODY></HTML> Mon, 28 Feb 2011 11:08:45 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637366#M825643 Daniel Stefani 2011-02-28T11:08:45Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637367#M825651 <HTML><HEAD></HEAD><BODY><P>Could you test when you changed CAT 6500 and CAM switch profile to SNMP version 2?</P><P></P><P>Kamil</P></BODY></HTML> Mon, 28 Feb 2011 11:38:53 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637367#M825651 wkamil123 2011-02-28T11:38:53Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637368#M825662 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>remains the same behavior, users are still being mapped out for Unauthenticated Role.</P><P></P><P></P><P></P><P>-</P><HR originaltext="---" /><P>Mensagem original</P></BODY></HTML> Mon, 28 Feb 2011 14:04:00 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637368#M825662 Daniel Stefani 2011-02-28T14:04:00Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637369#M825672 <HTML><HEAD></HEAD><BODY><P>In AD create a user and test through Auth test and show a CAM's response.</P><P></P><P>Kamil</P></BODY></HTML> Mon, 28 Feb 2011 14:18:43 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637369#M825672 wkamil123 2011-02-28T14:18:43Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637370#M825681 <HTML><HEAD></HEAD><BODY><P>See attached files...</P></BODY></HTML> Mon, 28 Feb 2011 14:37:01 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637370#M825681 Daniel Stefani 2011-02-28T14:37:01Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637371#M825692 <HTML><HEAD></HEAD><BODY><P>So, you have an answer why users are put in Unautheticated Role.</P><P>In mapping role change the value 908 to 380 and test it with a acsadmin user.</P><P></P><P>Kamil</P></BODY></HTML> Mon, 28 Feb 2011 14:59:10 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637371#M825692 wkamil123 2011-02-28T14:59:10Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637372#M825702 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P></P><P class="MsoPlainText"><SPAN lang="EN-US">The users are put in Unautheticated Role because the NAC Manager is unable to obtain the VLAN ID of the switch port where User is connected.</SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US">This can be seen in the file nac_manager.log</SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"> </SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"><SPAN style="color: #000080;">2011-02-28 16:37:55.601 +0100 [TP-Processor22] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=4 condId=1 type=2 lOp=</SPAN><STRONG style="color: #ff0000; ">VLAN ID</STRONG><SPAN style="color: #000080;"> op=equals rOp=</SPAN><STRONG style="color: #ff0000; ">908</STRONG></SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"><SPAN style="color: #000080;">2011-02-28 16:37:55.601 +0100 [TP-Processor22] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {</SPAN><STRONG style="color: #ff0000; ">1=false</STRONG><SPAN style="color: #000080;">}</SPAN></SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"> </SPAN></P><P class="MsoPlainText"><SPAN class="hps" title="Clique para mostrar traduções alternativas">the result of</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">condition</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">should</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">be </SPAN><SPAN style="color: #000080;">conditions - {</SPAN><STRONG style="color: #003300; ">1=true</STRONG><SPAN style="color: #000080;">}.</SPAN></P><P class="MsoPlainText"></P><P class="MsoPlainText"><SPAN class="hps" title="Clique para mostrar traduções alternativas">In consequence of</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">condition</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">is</SPAN><STRONG> </STRONG><SPAN class="hps" title="Clique para mostrar traduções alternativas"><SPAN style="color: #ff0000;"><STRONG>false</STRONG></SPAN>,</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">NAC</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Manager</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">puts</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the switch port</SPAN>  <SPAN class="hps" title="Clique para mostrar traduções alternativas">in the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Default</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Vlan</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Access</SPAN> configured in <SPAN class="hps" title="Clique para mostrar traduções alternativas">Port</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Profile</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">and the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">user</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">in the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Unauthenticated</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Role, </SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">which is </SPAN><SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">default</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">LDAP</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Auth</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Server</SPAN> </P><P class="MsoPlainText"><SPAN lang="EN-US"> </SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"><STRONG>But the big question to be answered is why it(NAC Manager) can not read this VLAN ID?.</STRONG></SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"> </SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US">In the user guide says:</SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US">"The Mapping Rules forms can be used to map users into user role(s) based on the following parameters:</SPAN></P><P class="MsoPlainText"><SPAN lang="EN-US"> </SPAN></P><P class="MsoPlainText" style="padding-left: 30px;"><SPAN lang="EN-US">•The <STRONG>VLAN ID</STRONG> of user traffic originating from the <STRONG>UNTRUSTED SIDE</STRONG> of the CAS (all auth server types). ------> <STRONG>IN MY CASE IS THE VLAN 908</STRONG></SPAN></P><P class="MsoPlainText"></P><P class="MsoPlainText"></P><P class="MsoPlainText" style="padding-left: 30px;"><SPAN lang="EN-US">•Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes passed from Cisco VPN Concentrators)"</SPAN></P><P></P><P class="MsoPlainText"></P><P class="MsoPlainText">Kind Regards,</P><P class="MsoPlainText">Daniel Stefani</P></BODY></HTML> Mon, 28 Feb 2011 16:03:48 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637372#M825702 Daniel Stefani 2011-02-28T16:03:48Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637373#M825708 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Read this document about<SPAN style="font-size: 10pt;"> Cisco NAC Appliance Switch and Wireless LAN Controller Support.</SPAN></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html#wp89679">http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html#wp89679</A></P><P></P><P>There is a command try it on the CAM.</P><P>snmpget -v 1 -c <SWITCH_SNMP_COMMUNITY_STRING> <SWITCH_IP> 1.3.6.1.2.1.1.2.0</SWITCH_IP></SWITCH_SNMP_COMMUNITY_STRING></P><P></P><P>If CAM response with the same OID as above, your SNMP settings are correct but test more SNMP settings on CAM and on a switch.</P><P>As far sa i know you have supported IOS on CAT6500 by CAM or maybe are some bugs in your IOS version?</P><P></P><P>The simple way to check SNMP go to port profile on CAM chose the proper port on a switch an bounce port to which is connected a PC.</P><P>In that way you verify of CAM communication thtough SNMP.</P><P></P><P>Kamil</P></BODY></HTML> Mon, 28 Feb 2011 17:27:24 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637373#M825708 wkamil123 2011-02-28T17:27:24Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637374#M825716 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I did a test with snmpget using the OID of VLAN ID.</P><P></P><P><A href="root@srvtatcam001 mibs"></A># snmpget -v 1 -c nac-ro 10.5.0.121 1.3.6.1.4.1.9.9.68.1.2.2.1.2.88</P><P>SNMPv2-SMI::enterprises.9.9.68.1.2.2.1.2.88 = INTEGER: 908</P><P></P><P>Also collected packets between the switch and NAC Manager during</P><P>Authentication.</P><P></P><P>See attached file.</P><P></P><P>Kind Regards,</P><P>Daniel Stefani</P></BODY></HTML> Mon, 28 Feb 2011 20:56:30 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637374#M825716 Daniel Stefani 2011-02-28T20:56:30Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637375#M825721 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I could not open attached file, please send this file as a txt.</P><P></P><P>Kamil</P></BODY></HTML> Tue, 01 Mar 2011 09:35:05 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637375#M825721 wkamil123 2011-03-01T09:35:05Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637376#M825728 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">Captured</SPAN> by <SPAN class="hps" title="Clique para mostrar traduções alternativas">TCPDUMP</SPAN> in <SPAN class="hps" title="Clique para mostrar traduções alternativas">NAC</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">MANAGER</SPAN> the <SPAN class="hps" title="Clique para mostrar traduções alternativas">communications between the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Switch</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">and </SPAN><SPAN class="hps" title="Clique para mostrar traduções alternativas">CAM</SPAN><SPAN title="Clique para mostrar traduções alternativas">.</SPAN></P><P></P><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">We can</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">see</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">in line</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">14</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">that</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> S<SPAN class="hps" title="Clique para mostrar traduções alternativas">witch</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">responds</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">to requests from the</SPAN> <SPAN class="hps atn" title="Clique para mostrar traduções alternativas">get-</SPAN><SPAN title="Clique para mostrar traduções alternativas">request</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">made</SPAN><SPAN class="hps" title="Clique para mostrar traduções alternativas">by</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">CAM</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">with</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">VLAN</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">ID</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">information</SPAN><SPAN title="Clique para mostrar traduções alternativas">.</SPAN></P><P></P><P>Help...</P><P></P><P></P><P>Kind Regards,</P><P>Daniel Stefani</P></BODY></HTML> Tue, 01 Mar 2011 09:42:22 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637376#M825728 Daniel Stefani 2011-03-01T09:42:22Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637377#M825733 <HTML><HEAD></HEAD><BODY><P>First of all, solve the problem of SNMP and when are you sure that is OK move to next step.</P><P>The attached file show capture from wireshark but every log which you send is always massage of SNMPv2.</P><P>Why are you refers to the VLAN 908 all the time, it's just Auth VLAN.</P><P>Do you get proper OID from the switch on CAM?</P><P>Are you able manage switch ports by CAM on port profile?</P><P></P><P>Kamil</P></BODY></HTML> Tue, 01 Mar 2011 10:06:24 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637377#M825733 wkamil123 2011-03-01T10:06:24Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637378#M825735 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">ok</SPAN><SPAN title="Clique para mostrar traduções alternativas">, I think</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">snmp</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">is working</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">properly.</SPAN><BR /><SPAN class="hps" title="Clique para mostrar traduções alternativas">somehow</SPAN><SPAN title="Clique para mostrar traduções alternativas">,</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">NAC</SPAN> app <SPAN class="hps" title="Clique para mostrar traduções alternativas">does not receive</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">information</SPAN> of the  <SPAN class="hps" title="Clique para mostrar traduções alternativas">VLAN</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">ID</SPAN> during <SPAN class="hps" title="Clique para mostrar traduções alternativas">conditional tests</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">of the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Mapping</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">Rule</SPAN><SPAN title="Clique para mostrar traduções alternativas">.</SPAN></P><P></P><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">how</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">do I get</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">proper</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">OID</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">on</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">NAC</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">from the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">switch</SPAN><SPAN title="Clique para mostrar traduções alternativas">? </SPAN></P><P><SPAN title="Clique para mostrar traduções alternativas"></SPAN>On captures <SPAN class="hps" title="Clique para mostrar traduções alternativas">I just</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">see the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">OIDs</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">that</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">NAC</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">itself</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">sends</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">to the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">switch</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">during</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">a</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">process</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">of </SPAN><SPAN class="hps" title="Clique para mostrar traduções alternativas">user authentication.</SPAN></P><P></P><P><SPAN class="hps" title="Clique para mostrar traduções alternativas">Yes</SPAN><SPAN title="Clique para mostrar traduções alternativas">, I can</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">manage</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">switch ports</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">through</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">the</SPAN> <SPAN class="hps" title="Clique para mostrar traduções alternativas">CAM, see att file...</SPAN></P><P></P><P>Daniel Stefani</P></BODY></HTML> Tue, 01 Mar 2011 10:38:33 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637378#M825735 Daniel Stefani 2011-03-01T10:38:33Z Re: Cisco NAC - Mapping Rules with VLAN ID https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637379#M825739 <HTML><HEAD></HEAD><BODY><P>I send you a link to the <SPAN class="content"></SPAN>Switch OID Support and there is a command how to verify.</P><P>This command also I send you earlier and is snmpget.</P><P>What happend when you bounce the port 88. Is the CAM change VLAN to 908?</P><P>If yes, verify also on a switch console for this port.</P><P>You can verify how CAM see detail about connected switch.</P><P></P><P>Kamil</P></BODY></HTML> Tue, 01 Mar 2011 11:04:51 GMT https://community.cisco.com/t5/network-security/cisco-nac-mapping-rules-with-vlan-id/m-p/1637379#M825739 wkamil123 2011-03-01T11:04:51Z