<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: NAC manager doesn't change auth vlan to access vlan in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453579#M827943</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Zoran,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is as expected. If your client is in one of the managed subnets, then by default the CAS sends out all traffic through its untrusted interface. That's why when you're already authenticated, and you try to access the CAS, the replies to those queries/attempts would go out the untrusted interface and never reach your client back.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH,&lt;/P&gt;&lt;P&gt;Faisal&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 29 Apr 2010 15:40:46 GMT</pubDate>
    <dc:creator>Faisal Sehbai</dc:creator>
    <dc:date>2010-04-29T15:40:46Z</dc:date>
    <item>
      <title>NAC manager doesn't change auth vlan to access vlan</title>
      <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453574#M827812</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am trying to install L2 out-of-band NAC in my LAN but I have a problem for which I don't seem to find any solutions.&lt;/P&gt;&lt;P&gt;The problem is that NAC manager simply doesn't change the switchport from authentication to access vlan although the user is authenticated and all CAA requirements have been met.&lt;/P&gt;&lt;P&gt;I connect my laptop to the switch and NAM changes vlan to auth. vlan and the laptop gets an IP address from access vlan (vlan mapping configured on NAM). Then CCA login pops up and I enter username and password. After that CAA says: "Successfully logged in to network" but the laptop stays in auth. vlan and I can see my user in the "out of band" users list (on NAM) but the laptop (its MAC address) is not in the certified devices list. And Manager keeps it in auth. vlan. So when I click OK in CAA, the login window pops up again because I'm still in authentication vlan.&lt;/P&gt;&lt;P&gt;What could be the problem? I really tried everything and I don't know why manager doesn't put the laptop in the certified devices list (I repeat, user is in the out of band users list) and CCA says successfully logged in to network, and all requirements are met too.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 11:56:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453574#M827812</guid>
      <dc:creator>zoran.suica</dc:creator>
      <dc:date>2020-02-21T11:56:48Z</dc:date>
    </item>
    <item>
      <title>Re: NAC manager doesn't change auth vlan to access vlan</title>
      <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453575#M827838</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Zoran,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Check the SNMP strings to ensure you have everything set right on the CAM and the switches. First thought suggests that the CAM is unable to write to the switch, which means your RW strings might be messed up.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH,&lt;/P&gt;&lt;P&gt;Faisal&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Apr 2010 20:08:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453575#M827838</guid>
      <dc:creator>Faisal Sehbai</dc:creator>
      <dc:date>2010-04-28T20:08:26Z</dc:date>
    </item>
    <item>
      <title>Re: NAC manager doesn't change auth vlan to access vlan</title>
      <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453576#M827866</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Faisal,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks for the quick answer. SNMP is ok because when I manually enter access vlan in NAM, NAM sets the port to that vlan. And then again when I connect my laptop to that port, NAM again changes vlan to authentication. So that seems to be ok.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And I do not see the laptop's MAC in the certified devices list so I think that is the reason why NAM doesn't put the port in access vlan.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 28 Apr 2010 20:20:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453576#M827866</guid>
      <dc:creator>zoran.suica</dc:creator>
      <dc:date>2010-04-28T20:20:34Z</dc:date>
    </item>
    <item>
      <title>Re: NAC manager doesn't change auth vlan to access vlan</title>
      <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453577#M827884</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Zoran,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You have a managed subnet entry for the subnet you're working with? Please post screenshots of your CAS config pages, your SNMP Receiver page and sanitized output from your switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Faisal&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 29 Apr 2010 02:47:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453577#M827884</guid>
      <dc:creator>Faisal Sehbai</dc:creator>
      <dc:date>2010-04-29T02:47:58Z</dc:date>
    </item>
    <item>
      <title>Re: NAC manager doesn't change auth vlan to access vlan</title>
      <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453578#M827926</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Faisal,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you very much, yes that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed subnet I cannot connect to the NAC server from my PC which has an IP address from that subnet range. I can neither ping nor connect via https, totally inaccessible.&lt;/P&gt;&lt;P&gt;What can I do to have that managed subnet entry, and still be able to connect to the server from that subnet (VLAN)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I tried adding the managed subnet entry with auth. vlan (400) and then with access vlan (110) and no-vlan (-1) but the situation is the same - clean access works fine, but I cannot reach the server from my PC.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 29 Apr 2010 11:37:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453578#M827926</guid>
      <dc:creator>zoran.suica</dc:creator>
      <dc:date>2010-04-29T11:37:59Z</dc:date>
    </item>
    <item>
      <title>Re: NAC manager doesn't change auth vlan to access vlan</title>
      <link>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453579#M827943</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Zoran,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is as expected. If your client is in one of the managed subnets, then by default the CAS sends out all traffic through its untrusted interface. That's why when you're already authenticated, and you try to access the CAS, the replies to those queries/attempts would go out the untrusted interface and never reach your client back.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH,&lt;/P&gt;&lt;P&gt;Faisal&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 29 Apr 2010 15:40:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/nac-manager-doesn-t-change-auth-vlan-to-access-vlan/m-p/1453579#M827943</guid>
      <dc:creator>Faisal Sehbai</dc:creator>
      <dc:date>2010-04-29T15:40:46Z</dc:date>
    </item>
  </channel>
</rss>

