Cisco NAC Agent pop up twice (Login twice)

abu_khair
Level 1

Dear All:

We have NAC version 4.8.0 and the agent version is 4.8.1.5. The deployment type is Out-of-Band Virtual Gateway. Windows SSO is enabled and working like a champion, but the problem is that when the agent successfully logs in the users, the CAM logs them out after a while (the NAC agent pops up again). I found that the switch port is changed back to the unauthenticated VLAN by the CAM and then to the access VLAN.

The host under testing: IP 10.30.8.207, MAC 78:E7:D1:CD:D8:8A, and the switch port is 10048 (FA0/48).

The log for kicking out the user is:

2011-03-09 13:15:30.450 +0300 [Timer-199783] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager     - DLIM: delete DLI for 10.30.8.207 from CAS user_key='10.30.8.207_VTMJDKPIR41ABQLT'

2011-03-09 13:15:30.451 +0300 [Thread-334356] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager     - DLIM: userip = 10.30.8.207maclist = 78:E7:D1:CD:D8:8Auserkey = user_key='10.30.8.207_VTMJDKPIR41ABQLT'

And the log for login is:

2011-03-09 13:15:57.335 +0300 [TP-Processor24] TRACE com.perfigo.wlan.web.sms.SnmpTimerTask             - SnmpTimerTask com.perfigo.wlan.web.sms.task.SwitchCertifiedTask id=2004989 is created: set port [10048] to Access VLAN [308] on switch [10.1.40.14] for [78:E7:D1:CD:D8:8A]

I don't know the meaning of "DLIM: delete DLI for 10.30.8.207 from CAS" and why this is happening. Would you please help?

Attached log file.

1 Reply

Petr Nagernyuk
Level 1

Hello!

Maybe my answer will help you.

So, I had a similar problem with my Out-of-Band Real-IP Gateway deployment. The reason was that the NAC agent was still communicating with the untrusted interface of the NAC server after logging in with the Windows AD login/password. And of course, the NAC agent popped up again after the client had successfully logged in with the Active Directory login/password and his computer was being transferred from the "auth" VLAN to the "access" VLAN.

Cisco experts say that it's better to break communication between the NAC agent and the NAC server if the client machine is in the access VLAN. You can implement, for example, an access-list for the "access" VLAN. The goal of that access-list is to deny all packets destined for the NAC server and permit all other packets.
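As an added illustration of the access-list the reply describes (example configuration, not something posted in this thread or supplied by Cisco), the following Cisco IOS fragment denies traffic from hosts in the access VLAN to the NAC server's untrusted interface and permits everything else. The access VLAN number 308 comes from the thread; the CAS untrusted-side address 192.0.2.10 is a placeholder (the thread does not give it), and the assumption is that the switch hosting interface Vlan308 is the Layer 3 gateway for that VLAN.

```cisco
! Added example, not from the original thread.
! Assumed values: 192.0.2.10 = NAC server (CAS) untrusted interface (placeholder),
! Vlan308 = SVI for access VLAN 308, applied on the Layer 3 gateway for that VLAN.
ip access-list extended BLOCK-CAS-FROM-ACCESS-VLAN
 remark Once a host is in the access VLAN, stop the agent from reaching the CAS
 deny   ip any host 192.0.2.10
 remark Everything else (gateway, AD/DNS, Internet) stays reachable
 permit ip any any
!
interface Vlan308
 description Access VLAN 308 - authenticated hosts
 ip access-group BLOCK-CAS-FROM-ACCESS-VLAN in
!
! Check that the deny line is matched when an agent in the access VLAN
! tries to talk to the CAS again (the match counter should increase)
show ip access-lists BLOCK-CAS-FROM-ACCESS-VLAN
```

If the access VLAN's default gateway is not on the switch you are configuring, the same two entries can be applied as a VLAN access-map (VACL) on the Layer 2 switch instead of on an SVI. The deny entry should list only the CAS untrusted address(es) the agent discovers; denying the CAM or the trusted interface is not needed and can break management traffic.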
