We have a working L2 OOB VG deployment. The NAC agent pops up then says it has granted full access. The issue is about 45 seconds later it pops again then says it has granted full network access. Then it does it again...etc.... The CAM thinks things are fine as it just keeps adding the user to the OUL. Anyone seen this before?
Is this a new deployment? If so, then you need to configure an ACL which blocks all discovery traffic to the CAS untrusted interface. If you have OOB logging configured then you will need to redirect these discovery packets to the CAS trusted interface.
The ports that you need to redirect are tcp/udp 8905 and udp 8906.
*Please rate helpful posts*
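The ACL described in this reply, written out as an added example (this is not configuration from the original thread or from Cisco's documentation). It assumes a placeholder CAS untrusted interface address of 192.0.2.10 and an access VLAN SVI of Vlan100; only the ports 8905 and 8906 come from the reply above. The ACL is applied inbound on the access VLAN so that agent discovery packets from clients that have already been moved to the access VLAN never reach the untrusted side of the CAS, which is what otherwise makes the agent think it must log in again:

```cisco
! Assumed values: 192.0.2.10 = CAS untrusted interface, Vlan100 = access VLAN
ip access-list extended NAC-BLOCK-DISCOVERY
 remark Drop NAC agent discovery packets headed for the CAS untrusted interface
 deny   tcp any host 192.0.2.10 eq 8905
 deny   udp any host 192.0.2.10 eq 8905
 deny   udp any host 192.0.2.10 eq 8906
 remark Everything else from the access VLAN is allowed through
 permit ip any any
!
interface Vlan100
 ip access-group NAC-BLOCK-DISCOVERY in
!
! Verify the ACL is attached and that the deny counters increment
! while a freshly authenticated client is sitting on the access VLAN:
!   show ip access-lists NAC-BLOCK-DISCOVERY
!   show ip interface Vlan100 | include access list
```

If OOB logging is in use, the same three port/protocol pairs would instead need to be redirected to the CAS trusted interface rather than dropped, as the reply notes. A later post in this thread reports that with the newer NAC version the ACL was no longer required at all and the real cause was the switch IOS level, so check the NAC version's documentation before adding it.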
It was an SNMP issue with 12.2(33)SXH. This is below the recommended minimum as stated in the NAC 4.9 documentation. Also, the ACL is no longer needed. Apparently the new version of NAC does not allow the entry in the click tables. We have three other locations working fine without the ACL in L2 OOB VG mode. The switch was upgraded to 12.2(33)SXI9, our current tested production standard, and it worked fine.
Good find, I am curious as to what you found wrong with the SNMP process, was it not moving the clients over?
When you looked at the SNMP info sent in the trap it was not complete. We did a grep on the set and request and found they were getting to the CAM. We then looked at the actual packet via TCPDUMP and found the vlan information was not in there, so the port did not transition from auth to access VLAN.