07-31-2012 08:36 AM - edited 03-10-2019 07:21 PM
We have a working L2 OOB VG deployment. The NAC agent pops up, then says it has granted full access. The issue is that about 45 seconds later it pops up again, then says it has granted full network access. Then it does it again, etc. The CAM thinks things are fine, as it just keeps adding the user to the OUL. Anyone seen this before?
07-31-2012 09:00 AM
Is this a new deployment? If so, then you need to configure an ACL which blocks all discovery traffic to the CAS untrusted interface. If you have OOB logging configured, then you will need to redirect these discovery packets to the CAS trusted interface.
The ports that you need to redirect are tcp/udp 8905 and udp 8906.
Thanks,
Tarik Admani
*Please rate helpful posts*
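For reference, here is what such an ACL could look like on a Cisco IOS access switch. This is an added illustration, not configuration posted by anyone in the thread: the CAS untrusted-interface address 10.0.0.10 and the access VLAN interface Vlan20 are assumed placeholders, and only the ports named in the reply above are used.

```text
! Added example (assumed addresses): drop NAC agent discovery traffic
! bound for the CAS untrusted interface once clients sit in the access VLAN,
! so the agent does not re-trigger the login pop-up.
ip access-list extended BLOCK-NAC-DISCOVERY
 ! 10.0.0.10 = CAS untrusted interface (placeholder)
 deny   tcp any host 10.0.0.10 eq 8905
 deny   udp any host 10.0.0.10 eq 8905
 deny   udp any host 10.0.0.10 eq 8906
 ! everything else is unaffected
 permit ip any any
!
! Vlan20 = the post-authentication access VLAN (placeholder)
interface Vlan20
 ip access-group BLOCK-NAC-DISCOVERY in
```

Verify the effect with `show ip access-lists BLOCK-NAC-DISCOVERY` and check that the deny counters increment while a logged-in client sits in the access VLAN; if the counters stay at zero, the discovery packets are taking a different path to the CAS.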
07-31-2012 01:57 PM
It was an SNMP issue with 12.2(33)SXH. This is below the recommended minimum as stated in the NAC 4.9 documentation. Also, the ACL is no longer needed. Apparently the new version of NAC does not allow the entry in the click tables. We have three other locations working fine without the ACL in L2 OOB VG mode. The switch was upgraded to 12.2(33)SXI9, our current tested production standard, and it worked fine.
08-01-2012 03:56 AM
Good find. I am curious as to what you found wrong with the SNMP process; was it not moving the clients over?
Sent from Cisco Technical Support iPad App
08-01-2012 04:29 AM
When you looked at the SNMP info sent in the trap, it was not complete. We did a grep on the set and request and found they were getting to the CAM. We then looked at the actual packet via tcpdump and found the VLAN information was not in there, so the port did not transition from the auth to the access VLAN.