What would cause NAC to issue an Untrusted and Trusted IP Addres

karendrew · ‎10-05-2011

We have c3750s running NAC 4.8. Occassionally, a workstation will flap between the untrusted and trusted vlans. We updated the NIC drivers on the workstation, we verified SNMP was functioning correctly on the switch, and we allowed the phones to act as the pass-through between the workstation and the switch. What could cause the workstation IP Address to not redirect to a TRUSTED VLAN from the NAC_UNTRUST VLAN? All updates have been downloaded to the workstation.

Shrikant Sundaresh · ‎10-06-2011

Hi Karen,

If I understand the problem correctly, it is an OOB setup, with PCs behind IP phones, and sometimes, authenticated users, are put back in the unauthenticated role. (or, users in access VLAN are put back into authentication VLAN even though they didn't log off).

1. Is there any session timeout for the role that they are in when they are authenticated?

2. Is some one else connecting to the same phone? (Cisco IP phones can act as a 3 port switch. 1 port for the phone, and upto two computers). When the switch learns a different mac address, it sets the port to authentication vlan, since that mac address is not in the trusted user list.

3. Is this issue reproducible easily and consistently?

4. What happens on the user pc, when the VLAN changes back to authentication VLAN?

5. If possible, please collect the cam trace logs at the time of the incident, and post them here.

Live logs can be collected using the command "tail -f /perfigo/control/tomcat/logs/nac_manager.log" on the CAM CLI.

-Shrikant

What would cause NAC to issue an Untrusted and Trusted IP Address at the same time?