https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528192#M834126 <HTML><HEAD></HEAD><BODY><P>Vikram,</P><P></P><P>Did you fix the things I detailed? Can you share your certificate setups on CAS and CAM?</P><P></P><P>Faisal</P></BODY></HTML> Thu, 16 Sep 2010 14:56:57 GMT Faisal Sehbai 2010-09-16T14:56:57Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528188#M834110 <P>I have configuired nac but login page when i am entering user name password then password field becom empty and nothing happend</P><P></P><P></P><P>interface GigabitEthernet1/0/18<BR /> switchport trunk encapsulation dot1q<BR /> switchport trunk native vlan 998<BR /> switchport trunk allowed vlan 507,513,540<BR /> switchport mode trunk</P><P></P><P></P><P>interface GigabitEthernet1/0/15<BR /> switchport trunk encapsulation dot1q<BR /> switchport trunk native vlan 999<BR /> switchport trunk allowed vlan 504<BR /> switchport mode trunk</P><P></P><P></P><P>User in VLAN 513</P> Fri, 21 Feb 2020 12:05:09 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528188#M834110 k_vikrams 2020-02-21T12:05:09Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528189#M834115 <HTML><HEAD></HEAD><BODY><P>reply if any thinf missing</P></BODY></HTML> Tue, 14 Sep 2010 12:02:24 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528189#M834115 k_vikrams 2010-09-14T12:02:24Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528190#M834120 <HTML><HEAD></HEAD><BODY><P>Vikram,</P><P></P><P>Can you share what your certs look like on the CAS and the CAM?</P><P></P><P>Also, your managed subnet is for VLAN 501, and your mappings are for 504-&gt;513.</P><P></P><P>You're also requiring the web agent AND the agent on the unauthenticated role which doesn't make sense.</P><P></P><P>You also have the Web Login options turned on for the consultant role. These are used only for Nessus scanning, so you should turn those off.</P><P></P><P>Please fix these and send me what your certs look like from both the CAM and the CAS.</P><P></P><P>Faisal</P></BODY></HTML> Tue, 14 Sep 2010 21:19:18 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528190#M834120 Faisal Sehbai 2010-09-14T21:19:18Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528191#M834123 <HTML><HEAD></HEAD><BODY><P><!--[if gte mso 9]><xml> <o:OfficeDocumentSettings> <o:AllowPNG></o:AllowPNG> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> <![endif]--></P><P class="MsoNormal">I am getting user login page but when I am trying to enter user name and password</P><P class="MsoNormal">Password box got blank and nothing happened, What settings I should check</P><P></P></BODY></HTML> Thu, 16 Sep 2010 10:54:39 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528191#M834123 k_vikrams 2010-09-16T10:54:39Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528192#M834126 <HTML><HEAD></HEAD><BODY><P>Vikram,</P><P></P><P>Did you fix the things I detailed? Can you share your certificate setups on CAS and CAM?</P><P></P><P>Faisal</P></BODY></HTML> Thu, 16 Sep 2010 14:56:57 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528192#M834126 Faisal Sehbai 2010-09-16T14:56:57Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528193#M834129 <HTML><HEAD></HEAD><BODY><P>Hi faisal</P><P></P><P>I have followed the proces...</P><P>without adding management subnet i was able to ping gateway</P><P></P><P>but now(after Changes) I am not able to ping nac server as well as gateway</P><P>please find the attachements</P><P></P><P></P><P></P><P>Consultant VLAN- 513&nbsp;&nbsp; IP - 10.20.20.0</P><P>Untrusted- 504 NO IP</P><P></P><P></P><P></P><P>L2</P><P>interface FastEthernet0/46<BR /> switchport access vlan 504&nbsp;&nbsp; ***** Consultant PC******<SPAN style="color: #ff0000;"> ( It Should Consultant VLAN 513 or untrusted VLAN 504)</SPAN><BR /> switchport mode access<BR /> snmp trap mac-notification added<BR /> spanning-tree portfast</P><P></P><P></P><P></P><P>L3</P><P>interface GigabitEthernet1/0/15&nbsp;&nbsp; **** NAC Srv untrusted***<BR /> switchport trunk encapsulation dot1q<BR /> switchport trunk native vlan 999<BR /> switchport trunk allowed vlan 501,504<BR /> switchport mode trunk</P><P></P><P>interface GigabitEthernet1/0/18&nbsp;&nbsp; ***** NAC Srv Trusted****<BR /> switchport trunk encapsulation dot1q<BR /> switchport trunk native vlan 998<BR /> switchport trunk allowed vlan 507,513,540<BR /> switchport mode trunk</P><P></P><P></P><P>interface GigabitEthernet1/0/10&nbsp;&nbsp; ***** NAC Mgr ****<BR /> switchport access vlan 506<BR /> spanning-tree portfast</P><P></P><P></P><P></P><P>route</P><P>10.0.0.0 10.1.8.2&nbsp; ( 10.1.8.2- Firewall IP )</P></BODY></HTML> Fri, 17 Sep 2010 11:57:39 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528193#M834129 k_vikrams 2010-09-17T11:57:39Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528194#M834131 <HTML><HEAD></HEAD><BODY><P>Vikram,</P><P></P><P>Please turn the checkbox marked "Enable Subnet-Based VLAN retag" off, reboot your CAS and try again.</P><P></P><P>Thanks,</P><P>Faisal</P></BODY></HTML> Sun, 19 Sep 2010 12:54:46 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528194#M834131 Faisal Sehbai 2010-09-19T12:54:46Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528195#M834134 <HTML><HEAD></HEAD><BODY><P>Thanks Faisal Bhai</P><P></P><P>Thank you...............</P></BODY></HTML> Mon, 20 Sep 2010 04:29:20 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528195#M834134 k_vikrams 2010-09-20T04:29:20Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528196#M834137 <HTML><HEAD></HEAD><BODY><P>wireless user is not able to authenticate getting following error</P><P></P><P>Unable to process out-of-band login request from [00:21:5D:80:9C:00 ##&nbsp; 10.20.20.5] vikram. Cause: OOB client 00:21:5D:80:9C:00/10.20.20.5 not found.</P></BODY></HTML> Tue, 21 Sep 2010 11:46:05 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528196#M834137 k_vikrams 2010-09-21T11:46:05Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528197#M834139 <HTML><HEAD></HEAD><BODY><P>Vikram,</P><P></P><P>Have you added a trap-receiver in your WLC? The error means CAM didn't get the trap.</P><P></P><P>Faisal</P></BODY></HTML> Tue, 21 Sep 2010 14:05:03 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528197#M834139 Faisal Sehbai 2010-09-21T14:05:03Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528198#M834142 <HTML><HEAD></HEAD><BODY><P>Hi faisal there was the mismatch the community name</P><P></P><P></P><P>thankssss.....</P></BODY></HTML> Tue, 21 Sep 2010 15:28:18 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528198#M834142 k_vikrams 2010-09-21T15:28:18Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528199#M834145 <HTML><HEAD></HEAD><BODY><P>Dear Faisal</P><P></P><P>Some times user is not able to ping nac server thats why they&nbsp; are not able to redirect to nac server</P><P>user is getting directly internet connection</P></BODY></HTML> Wed, 29 Sep 2010 14:53:34 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528199#M834145 k_vikrams 2010-09-29T14:53:34Z https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528200#M834148 <HTML><HEAD></HEAD><BODY><P>Another issue I have found that results in this error is two MAC addresses showing up in the cam table of the switch.&nbsp; If the first one to show up is not the one used when the user tried to authenticate it will result in this error.</P><P></P><P>You can verify the cam entries either from the switch or from OOB Management --&gt; Devices.&nbsp; Look at the Client MAC entry for the port.</P><P></P><P>Haven't quite figured out how/why the device has two MAC addresses but that is the issue.</P></BODY></HTML> Thu, 24 Mar 2011 16:48:10 GMT https://community.cisco.com/t5/network-security/nac-implementation/m-p/1528200#M834148 cbradt 2011-03-24T16:48:10Z