NAC - Global Device Filter in OOB deployment

boris.senker · ‎01-18-2012

Hi,

Some help would be appriciated. I'm trying to bypass authentication/posture assessment for a printer in an OOB NAC deployment (CAM/CAS Version 4.9.0
).

I added the device MAC address in the global device filter, with the ALLOW access type set.

"Change VLAN according to global device filter list" option is checked in the port profile set on the corresponding switch port.

However, the device ends up in the Auth VLAN every time...

What am I missing?

Tarik Admani · ‎01-21-2012

Are you managing the switch port in the CAM database and do you have a port profile assigned to the port? Also check your snmp settings, one more thing...what do you see in the event logs?

You can also set the OOB logging to debug and shut and no shut the port, check the nac manager.log file after downloading the logs and see what the logs show.

thanks,

Tarik Admani

boris.senker · ‎01-24-2012

Hi Tarik,

Yes, the port is managed and a test profile named 'Printer_test' is currently assigned to the port.

Here is what I see in the nac manager.log file (level set to debug) after the port comes up:

2012-01-24 14:41:08.219 +0100 DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpTrapListener - Received trap event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]

2012-01-24 14:41:08.219 +0100 DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 is created: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]

2012-01-24 14:41:08.219 +0100 DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpManager - Task from device 10.1.0.32 submitted with task id 5091348

2012-01-24 14:41:08.219 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 starts run() after 0ms.

2012-01-24 14:41:08.219 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - Resolved PortProfile Switch Port Profile [ id=4 name='Printer_test' type='normal' auth_vlan=100 access_vlan=15 idle_vlan=-1 attributes=635 vlan_profile_id=0 description='' reserved='' ] from event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 INFO com.perfigo.wlan.web.sms.SnmpRunnable - Received SNMP LINK_UP trap, but switch 10.1.0.32 is not using LINK_UP for task 5091348

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - Trap does not need to processed: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0] for task 5091348

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 ends run() after 1ms.

2012-01-24 14:41:08.220 +0100 pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 finishes after 1ms.

mgraham50 · ‎04-11-2012

Was this ever resolved?

We are having issues as well and you can see in the above log the mac-address value is NULL. The NAC wont operate without knowing the mac-address of the client on the switchport.