10-14-2008 03:34 AM - edited 02-21-2020 03:03 AM
Hi Everyone,
I just upgraded from CAM/CAS 4.1.2.0 to 4.1.6.0 and we are now having problems with all the users not being able to get on the trusted VLAN. 4.2.1.0 worked fine and we had SSO working with the agents just fine. After the upgrade, the agents will authenticate through SSO, change the VLAN to our trusted VLAN, and then 2 seconds later switch back to the untrusted VLAN. During the upgrade, I redid the certificates as required for the untrusted side of the CAS. Any ideas?
10-15-2008 11:34 AM
I assume you are running OOB mode. Perhaps you can try blocking the SWISS ports on the user vlan (trusted vlan); the ports are UDP 8905 and 8906. Your CCA agent might be doing authentication over and over again because the CCA sees the CAS server while already in the trusted vlan.
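One way to apply the suggestion above on the switch side, as an added example that is not from this thread or from Cisco's documentation: an IOS extended ACL on the trusted-VLAN SVI that drops agent traffic to the SWISS discovery ports (UDP 8905/8906) on the CAS, so an agent already in the trusted VLAN stops re-discovering the CAS. The CAS address, the trusted subnet and the VLAN number are assumed placeholders; substitute your own, and verify with the `show access-lists` hit counters that the deny entries are actually matching before concluding the flapping has another cause.

```cisco
! Added example, not from the thread. Assumptions (replace with your values):
!   CAS untrusted interface IP : 10.0.99.10
!   Trusted user VLAN          : VLAN 10, subnet 10.0.10.0/24
ip access-list extended BLOCK-SWISS-FROM-TRUSTED
 remark Drop Clean Access Agent discovery (SWISS) to the CAS from the trusted VLAN
 deny   udp 10.0.10.0 0.0.0.255 host 10.0.99.10 eq 8905
 deny   udp 10.0.10.0 0.0.0.255 host 10.0.99.10 eq 8906
 remark Everything else from the trusted VLAN is unaffected
 permit ip any any
!
interface Vlan10
 description Trusted user VLAN (assumed)
 ip access-group BLOCK-SWISS-FROM-TRUSTED in
!
! Check: the deny lines should show a rising match count while a trusted-VLAN
! client is connected; zero matches means the agent is reaching the CAS some
! other way (different CAS address, or the client is not in VLAN 10).
! show access-lists BLOCK-SWISS-FROM-TRUSTED
```

The ACL is applied inbound on the trusted SVI rather than on the untrusted one, because the point is to hide the CAS only from hosts that have already been moved to the trusted VLAN; clients still in the untrusted VLAN must keep reaching it to authenticate.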
10-16-2008 04:59 AM
I am using OOB mode and I blocked the CAS untrusted IP address from the trusted vlan by using an access-list. I was looking at the logs, and I see that what is happening is the agent is sending over the authentication and the MAC of the computer, and then authentication does happen and the port changes according to user role appropriately, but then the CAM picks up the Cisco Phone MAC and tosses the port back into the untrusted VLAN. Our PCs plug into the back of Cisco Phones. What I did was I created a filter to ignore the Cisco Phone MAC and that does seem to work, however, I'm not sure that's the best way to go about it.
10-20-2008 11:40 AM
I have a question for you. Like you, we are also using the OOB mode and I'm running into a small issue...
The issue is that when the computer gets authenticated and CAM moves the switch port into the trusted vlan, the agent sends the IP address release/renew, but on some computers the IP address renew fails, as the users who are logged in do not have permission to do so....
How can I get around this?? Any input..??
10-21-2008 11:45 AM
The Clean Access Agent has the admin rights to do dhcp release/renew for the user. The logged-in user doesn't need admin rights.
If dhcp release/renew fails, it might be a different issue, check your dhcp server settings for the trusted vlan.
By the way, what version of Clean Access Agent do you have?
10-22-2008 01:08 AM
No, but the error message in the clean access agent window clearly states that "Refreshing IP Failed, Please release/renew IP manually"
Kindly find the attached screenshot too...
And when a user with admin rights logs into the computer, this error message doesn't appear...
I'm using Clean Access Agent 4.1.3.1
10-22-2008 07:02 AM
You should install the NAC Agent Stub with admin rights. The stub installer can be found under the CAM admin page. Device Management -> Clean Access -> Clean Access Agent -> Installation
NAC Agent stub
Cisco NAC Appliance provides a Stub installer to allow users without administrator privileges on their machines to install the Clean Access Agent from the Stub service. The Stub service is required to support the following features for non-admin users:
• Download and install Agent
• Upgrade Agent
• Launch an executable
• Launch WSUS updates
• Access to Authentication VLAN change detection
• Perform IP refresh/renew
10-22-2008 07:54 AM
Actually, that is the only way to run NAC in an IP telephony environment. Did you have the MAC filters in place before upgrading your CAM/CAS? I would have expected you to have the endless re-authentication issues prior to the upgrade without those filters. Just curious...