06-28-2012 10:09 AM - edited 03-10-2019 07:15 PM
Normally, the event logs on the CAM would show the following when a user logs out of his system and CAM kicks the user session:
SW_Management | 2012-06-28 09:43:03 | Kicked OOB user [OOB ## 00:24:E8:12:11:D7 ## 10.1.80.30/10.1.80.30] userID@abcde.com on port 423 of switch 10.1.254.81
Client | 2012-06-28 09:43:02 | [OOB ## 00:24:E8:12:11:D7 ## 10.1.80.30] userID@abcde.com - Logout request
As far as I know, this is all normal, especially before lunch time and before 5pm as users leave their desks.
However, we recently noticed logs showing "Kicked OOB user" messages without "Logout request" messages (several every day). Additionally, a couple of times in the past several months, we experienced an issue where, over a period of a minute or two minutes, hundreds of users got kicked by the CAM - event logs showed pages of kick messages without "Logout request" messages.
Some users would be re-authenticated automatically; however, some would need to restart their computers. Also, some would be stuck in the In Band mode - this should never happen, as all users should be Out of Band once authenticated and successfully posture assessed. We would then need to manually kick those users stuck in the In Band mode, forcing them to re-authenticate.
Any ideas on what is causing KICKs without the logout request and why users would be stuck in the In Band mode?
Thanks
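One way to pull the two symptoms described above out of an exported event log, as an added example that is not part of the original post: it flags kicks with no preceding "Logout request" from the same MAC and finds bursts of such kicks. The 10-second grace period, the 2-minute window, the threshold of 3 and all sample addresses are assumptions constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the pipe-separated layout shown in the post;
# the MACs, IPs and user names on the last four lines are made up.
SAMPLE = """\
Client | 2012-06-28 09:43:02 | [OOB ## 00:24:E8:12:11:D7 ## 10.1.80.30] userID@abcde.com - Logout request
SW_Management | 2012-06-28 09:43:03 | Kicked OOB user [OOB ## 00:24:E8:12:11:D7 ## 10.1.80.30/10.1.80.30] userID@abcde.com on port 423 of switch 10.1.254.81
SW_Management | 2012-06-28 11:15:10 | Kicked OOB user [OOB ## 00:24:E8:00:00:01 ## 10.1.80.31/10.1.80.31] user1@abcde.com on port 101 of switch 10.1.254.81
SW_Management | 2012-06-28 11:15:40 | Kicked OOB user [OOB ## 00:24:E8:00:00:02 ## 10.1.80.32/10.1.80.32] user2@abcde.com on port 102 of switch 10.1.254.81
SW_Management | 2012-06-28 11:16:30 | Kicked OOB user [OOB ## 00:24:E8:00:00:03 ## 10.1.80.33/10.1.80.33] user3@abcde.com on port 103 of switch 10.1.254.81
SW_Management | 2012-06-28 15:02:00 | Kicked OOB user [OOB ## 00:24:E8:00:00:04 ## 10.1.80.34/10.1.80.34] user4@abcde.com on port 104 of switch 10.1.254.81
"""

EVENT = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*\|\s*(?P<msg>.*?)\s*\|?\s*$")
MAC = re.compile(r"\[OOB ## (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) ##", re.I)

def parse(text):
    """Yield (timestamp, kind, mac) for kick and logout-request events."""
    for line in text.splitlines():
        m = EVENT.search(line)
        mac = m and MAC.search(m["msg"])
        if not mac:
            continue  # not an OOB kick/logout line
        kind = ("kick" if m["msg"].startswith("Kicked OOB user") else
                "logout" if m["msg"].endswith("Logout request") else None)
        if kind:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), kind, mac["mac"].upper()

def unexplained_kicks(text, grace=timedelta(seconds=10)):
    """Kicks with no Logout request from the same MAC within `grace` before them."""
    last_logout, out = {}, []
    # At equal timestamps, process the logout first so it can explain the kick.
    for ts, kind, mac in sorted(parse(text), key=lambda e: (e[0], e[1] == "kick")):
        if kind == "logout":
            last_logout[mac] = ts
        elif mac not in last_logout or ts - last_logout[mac] > grace:
            out.append((ts, mac))
    return out

def bursts(kicks, window=timedelta(minutes=2), threshold=3):
    """Start times of windows holding at least `threshold` unexplained kicks."""
    times = [ts for ts, _ in kicks]
    return [t for i, t in enumerate(times)
            if sum(1 for u in times[i:] if u - t <= window) >= threshold]

if __name__ == "__main__":
    kicks = unexplained_kicks(SAMPLE)
    print("unexplained kicks:", [(str(ts), mac) for ts, mac in kicks])
    print("burst windows start at:", [str(t) for t in bursts(kicks)])
```

The burst start times give the window to line up against the manager's own log when looking for the triggering event.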
06-29-2012 05:40 AM
Hi,
If the users are getting kicked without the logout messages, it could be that the session timer expires for the user role they are associated with, or that they are manually kicked, meaning if you have a new administrator on the NAC appliance and they are trying to choose a specific user but then they end up kicking all the users in the table.
As far as users being stuck in the 'in band' role, are they coming up stuck in the temporary role? If so, are you using SSO from a wireless controller, or are users coming through the ASA? Also, what version are you on? If you are on 4.7.2 and you are using wildcard filters, there is a patch that Cisco can provide that will help fix this.
Thanks,
Tarik Admani
06-29-2012 06:41 AM
Tarik,
I looked for messages that would indicate an admin kicking all users. However, I found none leading up to the time this issue occurred. Specifically, there were no "admin logon" or "manual kick" messages. As for the session timer expiring, is this timer based on user logon time (different for each user)? The reason I am asking is that all users got kicked within a matter of 2 minutes.
We are using version 4.8. Users are not coming through the ASAs.
Thanks
06-30-2012 08:33 PM
I thought I posted a response but I guess it never posted.
What you can do is raise the logging on the manager for the top three entries to trace.
Then you can grab a support bundle; once you open it, you can grab the nac_manager.lg file and see what event triggered the manager kicking the users.
Thanks,
Tarik Admani