08-10-2011 10:46 AM - edited 03-10-2019 06:17 PM
Hi,
I have the following message in the events logs of the NAC:
SWISS detected second access VLAN IP:10.175.201.50 for [00:13:55:C7:61:89 ## 10.175.236.26/10.175.236.26] from CAS [10.3.2.13]. Removed user from CAM.
This issue happens on several workstations and I know for a fact that the workstations don't change VLAN. The removal of the user causes the workstation to be NAC'ed several times until it is finally left in the access VLAN.
Does anybody have an explanation for this behaviour?
Thanks !
08-10-2011 11:46 PM
Is this an initial configuration? I assume that you are working with an OOB deployment. Are you working with an L3 deployment?
I have seen this issue crop up on an L3 OOB deployment when the discovery packets are hitting the CAS appliance. If that is the case then you will need to set up a PBR or an ACL to force the clients' SWISS traffic to hit the trusted side when they are in the access VLAN.
Thanks,
Tarik
08-11-2011 07:26 AM
Hi Tarik,
FYI, it's an OOB deployment. Also, I've been running the NAC for over 2 years now.
I read about what you're discussing on your post. My deployment includes PBR and ACL.
In my case, I think I'm having a latency issue (15 ms latency).
I'm playing around with the SwissTimeout within the XML file. I'll let you know if I resolve this issue.
Thanks !
Tony
08-23-2011 12:31 PM
Hi Tarik,
FYI, experimenting with the SwissTimeout did not resolve my issue.
When you mention:
If that is the case then you will need to set up a PBR or an ACL to force the clients' SWISS traffic to hit the trusted side when they are in the access VLAN
When my computer is in the access VLAN, I can ping the untrusted side of the CAS. However, my NAC agent client is configured with the CAM as the discovery host. I don't see why the client in the access VLAN would need to talk to the untrusted side.
Also, page 4-21 of the Cisco NAC Appliance - Clean Access Server Configuration Guide
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/cas48ug.pdf
mentions, in the first paragraph:
Note In a Layer 3 Out-of-Band deployment, Cisco recommends adding an ACL on your network access switch(es) to prevent SWISS packets from traversing the access VLAN. This simultaneously cuts down on unnecessary packets on the access network, and can help prevent authentication looping on the client machine when SWISS packets make it back to the CAS.
I suppose this is what you're talking about? I thought the client needs to talk to the CAM when it's in the access VLAN through port 8905 or 8906? If I add an ACL, I will prevent that from happening.
I will definitely explore this option. However, I would appreciate some input on this matter.
Thanks !
Tony
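As an added illustration of the kind of access-switch ACL the guide note above describes (this is example configuration written for this page, not configuration from the thread's posters or from Cisco's documentation): an IOS extended ACL on the access VLAN SVI that drops SWISS discovery traffic (UDP 8905/8906, the ports named in this thread) heading from the access VLAN toward the CAS untrusted interface, so those packets can no longer reach the CAS and trigger the "second access VLAN IP" removal, while agents can still reach the CAM discovery host. The access VLAN subnet, SVI number, CAS untrusted address and CAM address are assumed placeholders and must be replaced with the real ones.

```cisco
! Added example: ACL applied inbound on the access-layer switch SVI for the access VLAN.
! Placeholder values (assumed, not taken from the thread):
!   access VLAN subnet    10.175.201.0/24   (SVI Vlan201)
!   CAS untrusted address 192.0.2.10
!   CAM / discovery host  192.0.2.20
ip access-list extended BLOCK-SWISS-TO-CAS
 remark SWISS (UDP 8905/8906) from the access VLAN must not reach the CAS untrusted side
 deny   udp 10.175.201.0 0.0.0.255 host 192.0.2.10 eq 8905
 deny   udp 10.175.201.0 0.0.0.255 host 192.0.2.10 eq 8906
 remark Agents in the access VLAN may still reach the CAM discovery host directly
 permit udp 10.175.201.0 0.0.0.255 host 192.0.2.20 eq 8905
 permit udp 10.175.201.0 0.0.0.255 host 192.0.2.20 eq 8906
 remark All other access VLAN traffic is unaffected
 permit ip any any
!
interface Vlan201
 description Access VLAN (authenticated clients)
 ip access-group BLOCK-SWISS-TO-CAS in
!
! Verify that the deny counters increment while a client sits in the access VLAN:
! show ip access-lists BLOCK-SWISS-TO-CAS
```

The deny entries only help when the SWISS packets are addressed to the CAS untrusted interface; if they reach the CAS because the access VLAN's path to the CAM is routed through it, the PBR Tarik mentions is what keeps that path on the trusted side.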