topic NAC OOB logoff feature not working in Network Security

NAC OOB logoff feature not working

Xavier Lloyd — Fri, 21 Feb 2020 12:14:47 GMT

Hi all,

I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).

It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).

I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent

I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?

Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.

I appreciate your responses

~Xavier

Re: NAC OOB logoff feature not working

Xavier Lloyd — Thu, 10 Feb 2011 21:34:43 GMT

Here are my configs if necessary. Tell me if anything else is needed.

User Management > User Roles

List of Roles		Edit Role		Traffic Control		Bandwidth		Schedule

Disable this role

Role Name

Role Description

Role Type

*Max Sessions per User Account ( Case-Insensitive Session Identifiers )

(1 – 255; 0 for unlimited)

Retag Trusted-side Egress Traffic with VLAN (In-Band)

(0 – 4095, or leave it blank)(*This option has been deprecated, and it will be removed in upcoming releases)

*Out-of-Band User Role VLAN

(if left blank, it will default to the default access vlan settings in the Port Profile)

*Bounce Switch Port After Login (OOB)

Enable Disable (This option is effective only when port profile is set to use it)

*Refresh IP After Login (OOB)

Enable Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)

*After Successful Login Redirect to

previously requested URL
this URL:
(e.g. http://www.cisco.com/)

Redirect Blocked Requests to

default access blocked page
this URL or HTML message:

*Show Logged-on Users

User info

Logout button

Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)

Re-assessment Interval

(Minimum of 60 minutes and maximum of 1440 minutes [24 hours])

Grace Timer

(Minimum of 5 minutes and maximum of 30 minutes)

Default action on failure

(*only applies to normal login role)

Device Management > Clean Access

Certified Devices	General Setup	Network Scanner	Clean Access Agent	Updates
Web Login · Agent Login

User Role
Operating System
(By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)

Enable OOB logoff for Windows NAC Agent and Mac OS X Agent (This global option applies to all OOB CASs and user roles and enables Agent logout and heartbeat timers for OOB Agent connections. You must also enable this option for Passive Re-assessment to function with OOB Agent connections.)

Require use of Agent

(for Windows & Macintosh OSX only)

Agent Download Page Message (or URL):

Network Security Notice: This network is protected by a Cisco NAC Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date. Please use the Agent to log in to the network. If you don't have the Agent software yet, download it by clicking the button below. After downloading the installation file, run it to complete the installation. If you have already downloaded and installed the Agent, please close this window and right-click the Agent icon in the system tray and choose Login from the menu. Enter your usual network user name and password in the login window.

Require use of Cisco NAC Web Agent (for Windows only)

Cisco NAC Web Agent Launch Page Message (or URL):

Network Security Notice: This network is protected by the Cisco NAC Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC Web Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date. Please launch Cisco NAC Web Agent by clicking the button below.

Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent

Restricted Access User Role:

Restricted Access Button Text:

Restricted Network Access Message:

Restricted Network Access: If you cannot use a Cisco NAC Appliance Agent, you can obtain restricted network access temporarily by clicking the button below.

Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)

Network Policy Link:

Logoff NAC Agent users from network on their machine logoff or shutdown after

secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)

(Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)

Refresh Windows domain group policy after login

(for Windows only)

Automatically close login success screen after

secs

(Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)

Automatically close logout success screen after

secs

(for Windows only)

(Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)

Re: NAC OOB logoff feature not working

Xavier Lloyd — Tue, 15 Feb 2011 15:47:29 GMT

I the out of band logoff feature is now working. It wasn't working before because the host couldn't communicate with the NAC Server for some reason. I didn't change any config but now it works.

However, the VLAN Change detect IP refresh is still not working.

Thanks for your help.

Re: NAC OOB logoff feature not working

henrikj — Mon, 20 Jun 2011 21:03:42 GMT

Hi Xavier

How is the host communicating wiht the NAC server ?

In OOB L2 VG, the agent is using swiss protocol (L2 8905 towards default-gateway or L3 8906 towards discovery host), but the nac server does not have an IP in your access-vlan, it only has a management adress i another vlan...

And the discovery host is common your CAM, so the agent wont reach your server on the trusted side.

Cisco sais that acl, pbr or vrf is the answer - but in and L2 oob non of these solutions would not work, because the nac server only has a management adress and no L3 conectivity to access vlan.

And if discovery host should be used - how is multible nac servers supportet ??

Can the cam tell the agent anything or forward the swiss packets ??

Am i missing something ??

Regards Henrik

Re: NAC OOB logoff feature not working

Xavier Lloyd — Mon, 20 Jun 2011 22:10:34 GMT

Hi Henrik,

At that time, for some strange reason I could ping the NAC Server from the host...I'm not sure how or why but now I can't anymore so I guess that wasn't the real reason.

Thinking about it, the NAC Server and the agent can't speak at all once I've authenticated because of the VLAN mapping and IP addressing. So it must be the NAC Manager that talks to the agent but I'm not sure.

I'd have to sniff my port to find out for sure but I don't know when I'll be able to do that because I'm doing some other testing with my machine and so my PC isn't configured for NAC at the moment.

Re: NAC OOB logoff feature not working

henrikj — Tue, 21 Jun 2011 07:47:23 GMT

Ok - but it is still working??

regards Henrik

Re: NAC OOB logoff feature not working

Xavier Lloyd — Tue, 21 Jun 2011 13:45:11 GMT

Yes everything works except VLAN change detect on Windows Vista machines.

Things work fine on XP and Windows 7 but Vista gives a problem for some reason.

Aside from that though, which I've learned to live with since I'm the only person in the office with Vista and I happen to be the NAC administrator. ipconfig /release && ipconfig /renew works just fine

Re: NAC OOB logoff feature not working

henrikj — Tue, 21 Jun 2011 13:53:02 GMT

Ok.

When you rebooted the nacservers, did you do this from whithin tha CAM or did you just reboot from cas interface ?

can you still not ping cas-server (certificate subject name) form your host ??

Regards Henrik

Re: NAC OOB logoff feature not working

Xavier Lloyd — Tue, 21 Jun 2011 13:55:34 GMT

When rebooting NAC server I do it from the Manager interface because I can't communicate with the NAC Server from my computer any at all. No HTTP, no ping, no nothing.

Re: NAC OOB logoff feature not working

henrikj — Tue, 21 Jun 2011 13:59:36 GMT

Ok, thanks

I´ll try rebooting my cas´s from the cam, to see if this works (before i did it from a server vlan directly on cas).

Do you run a HA setup (both cas/cam) ?

Regards Henrik

Re: NAC OOB logoff feature not working

Xavier Lloyd — Tue, 21 Jun 2011 14:01:59 GMT

No I'm not running HA.

What's your problem exactly though?

~ Xavier

Re: NAC OOB logoff feature not working

henrikj — Tue, 21 Jun 2011 14:09:05 GMT

My problem is that oob-logoff doesn´t work.

When i enable oob-logoff on cam and reboot cas´s, and then do a " netstat -unl | egrep -w '890[12]' ", i don´t se the cas´s listening on udp 8901/8902...

Does your cas listen on those ports ?

(and i still don´t understand how agent talkes to cam/cas (cisco sais it should be cas...))

Regards Henrik

Re: NAC OOB logoff feature not working

Xavier Lloyd — Tue, 21 Jun 2011 17:00:12 GMT

I can't access the console of either the NAC manager or server right now. I changed the password and forgot what it was and I haven't done the password recovery yet.

In the mean time, what operating system are you running on your host(s)?

(I don't really understand the communication either...I'll try to sniff my port and see what communication goes on)

Cheers

Xavier