Strange message in the NAC manager

tonyp8581
Level 1

Hi,

I have the following message in the events logs of the NAC:

SWISS detected second access VLAN IP:10.175.201.50 for [00:13:55:C7:61:89 ## 10.175.236.26/10.175.236.26] from CAS [10.3.2.13]. Removed user from CAM.

This issue happens on several workstations and I know for a fact that the workstations don't change VLAN. The removal of the user causes the workstation to be NAC'ed several times until it is finally left in the access VLAN.

Does anybody have an explanation for this behaviour?

Thanks !
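Added example, not part of the original thread: a small Python parser for the CAM event message quoted above. It extracts the MAC, the "second access VLAN IP" the CAS reported, the IP the CAM had recorded, and the CAS address, then counts removals per MAC so that workstations being repeatedly kicked out of the CAM (the "NAC'ed several times" symptom) can be spotted from an exported event log. The sample log lines, the field names, the flapping threshold and the non-matching login line are my own constructions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Pattern for the CAM event-log message quoted in the post. Group names
# (vlan_ip, mac, rec_ip, rec_ip2, cas) are my own labels for the fields.
SWISS_RE = re.compile(
    r"SWISS detected second access VLAN IP:(?P<vlan_ip>[0-9.]+) for "
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ## "
    r"(?P<rec_ip>[0-9.]+)/(?P<rec_ip2>[0-9.]+)\] "
    r"from CAS \[(?P<cas>[0-9.]+)\]\. Removed user from CAM\."
)

# Constructed sample: the first line is the message from the post, the others
# are made-up repeats for the same and for a second (invented) workstation.
SAMPLE_LOG = [
    "SWISS detected second access VLAN IP:10.175.201.50 for [00:13:55:C7:61:89 ## "
    "10.175.236.26/10.175.236.26] from CAS [10.3.2.13]. Removed user from CAM.",
    "User 00:13:55:C7:61:89 logged in from CAS [10.3.2.13].",  # constructed, not a SWISS event
    "SWISS detected second access VLAN IP:10.175.201.50 for [00:13:55:C7:61:89 ## "
    "10.175.236.26/10.175.236.26] from CAS [10.3.2.13]. Removed user from CAM.",
    "SWISS detected second access VLAN IP:10.175.201.51 for [00:13:55:C7:61:89 ## "
    "10.175.236.26/10.175.236.26] from CAS [10.3.2.13]. Removed user from CAM.",
    "SWISS detected second access VLAN IP:10.175.201.77 for [00:13:55:AA:BB:CC ## "
    "10.175.236.40/10.175.236.40] from CAS [10.3.2.13]. Removed user from CAM.",
]


@dataclass
class Removal:
    """Per-MAC tally of 'Removed user from CAM' events."""
    count: int = 0
    second_ips: set = field(default_factory=set)   # IPs the CAS saw on the access VLAN
    recorded_ips: set = field(default_factory=set) # IPs the CAM had on file
    cas_ips: set = field(default_factory=set)      # CAS appliances reporting the event


def parse_swiss_event(line):
    """Return the parsed fields of a SWISS removal message, or None if the line is something else."""
    m = SWISS_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines, threshold=3):
    """Tally removals per MAC; MACs removed at least `threshold` times are flagged as flapping."""
    per_mac = defaultdict(Removal)
    for line in lines:
        ev = parse_swiss_event(line)
        if ev is None:
            continue
        r = per_mac[ev["mac"].upper()]
        r.count += 1
        r.second_ips.add(ev["vlan_ip"])
        r.recorded_ips.add(ev["rec_ip"])
        r.cas_ips.add(ev["cas"])
    flagged = {mac: r for mac, r in per_mac.items() if r.count >= threshold}
    return dict(per_mac), flagged


if __name__ == "__main__":
    per_mac, flagged = summarize(SAMPLE_LOG)
    for mac, r in per_mac.items():
        mark = "FLAPPING" if mac in flagged else "ok"
        print(f"{mac}: removed {r.count}x, second IPs {sorted(r.second_ips)}, "
              f"recorded {sorted(r.recorded_ips)}, CAS {sorted(r.cas_ips)} [{mark}]")
```

A MAC that keeps appearing with a second-VLAN IP different from the recorded one, reported by the same CAS, is the signature of a client whose SWISS discovery packets are reaching the CAS from the access VLAN; that is the case the later replies in this thread discuss.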


Tarik Admani
VIP Alumni

Is this an initial configuration? I assume that you are working with an OOB deployment. Are you working with an L3 deployment?

I have seen this issue crop up on an L3 OOB deployment when the discovery packets are hitting the CAS appliance. If that is the case then you will need to set up a PBR or an ACL to force the clients' SWISS traffic to hit the trusted side when they are in the access VLAN.

Thanks,

Tarik

Hi Tarik,

FYI, it's an OOB deployment. Also, I've been running the NAC for over 2 years now.

I read about what you're discussing in your post. My deployment includes PBR and ACL.

In my case, I think I'm having a latency issue (15 ms latency).

I'm playing around with the SwissTimeout within the XML file.  I'll let you know if I resolve this issue.

Thanks !

Tony

Hi Tarik,

FYI, experimenting with the SwissTimeout did not resolve my issue.

When you mention:

If that is the case then you will need to set up a PBR or an ACL to force the clients' SWISS traffic to hit the trusted side when they are in the access VLAN

When my computer is in the access VLAN, I can ping the untrusted side of the CAS. However, my NAC agent client is configured with the CAM Discovery host. I don't see why the client in the access VLAN would need to talk to the untrusted side.

Also, page 4-21 of the Cisco NAC Appliance - Clean Access Server Configuration Guide

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/cas48ug.pdf

First paragraph, it mentions:

Note: In a Layer 3 Out-of-Band deployment, Cisco recommends adding an ACL on your network access switch(es) to prevent SWISS packets from traversing the access VLAN. This simultaneously cuts down on unnecessary packets on the access network, and can help prevent authentication looping on the client machine when SWISS packets make it back to the CAS.

I suppose this is what you're talking about? I thought the client needs to talk to the CAM when it's in the access VLAN through port 8905 or 6?? If I add an ACL, I will prevent that from happening.

I will definitely explore this option. However, I would appreciate some input on this matter.

Thanks !

Tony