Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


What would cause NAC to issue an Untrusted and Trusted IP Address at the same time?

We have c3750s running NAC 4.8.  Occassionally, a workstation will flap between the untrusted and trusted vlans.  We updated the NIC drivers on the workstation, we verified SNMP was functioning correctly on the switch, and we allowed the phones to act as the pass-through between the workstation and the switch.  What could cause the workstation IP Address to not redirect to a TRUSTED VLAN from the NAC_UNTRUST VLAN?  All updates have been downloaded to the workstation.

Shrikant Sundaresh
Cisco Employee

Hi Karen,

If I understand the problem correctly, it is an OOB setup, with PCs behind IP phones, and sometimes, authenticated users, are put back in the unauthenticated role. (or, users in access VLAN are put back into authentication VLAN even though they didn't log off).

1. Is there any session timeout for the role that they are in when they are authenticated?

2. Is some one else connecting to the same phone? (Cisco IP phones can act as a 3 port switch. 1 port for the phone, and upto two computers). When the switch learns a different mac address, it sets the port to authentication vlan, since that mac address is not in the trusted user list.

3. Is this issue reproducible easily and consistently?

4. What happens on the user pc, when the VLAN changes back to authentication VLAN?

5. If possible, please collect the cam trace logs at the time of the incident, and post them here.

Live logs can be collected using the command "tail -f /perfigo/control/tomcat/logs/nac_manager.log" on the CAM CLI.


Content for Community-Ad