Solved: Re: Cisco NAC appliance - After a success login users doesn't ch

rgarreton · ‎02-13-2012

Hello,

I'm new on cisco NAC appliaces and i have to troubleshoot an implementation. This is a OOB Real IP gateway configuration. The users can log in whit the CCA but after this success login they remain on the unauthenticated role, and also on that vlan. I checked the SNMP and seems to be working fine. Also I checked the logs on nac_manager.log and there's nothing strange, in fact I cannot see anything regarding that user or the IP that logs in.

Also the user doesn't appear on the online users list on CAM.

Can someone help me to figure out how can I fix this? the version is 4.8, I will post any information requested

Thanks

mgraham50 · ‎03-02-2012

We recently had issue with Windows AD SSO and Windows 7 clients.

XP clients would authenticate just fine, however, the Windows 7 clients would not authenticate and would just remain on the unauthenticated vlan.

Our issue was with the CAS lookup SSO account we installed on AD. It only supported DES encryption which Windows 7 64 did not. We turned off "Use DES encrytion" on the AD SSO account and re-tested.

What are the settings for the port-profile that is applied to the switchport?

What is the vlan-mapping settings for the untrusted/trusted trunk ports?

View solution in original post

rgarreton · ‎02-28-2012

After several test what i discovered is this:

- Once the user connects to the port the vlan changes to the unauthenticated vlan, in this case, vlan 504, so SNMP looks good.

- Then the user's MAC address appears on the discovered devices

- The users tries to log in, in this case trying whit web login to a local user but the session seems to timed out.

- I checked the logs on perfigo/control/tomcat/logs/nac_manager.log for CAM and also on /perfigo/access/tomcat/logs/nac_server.log for the CAS servers but I cannot see any error.

If someone has any idea please let me know, I'm stuck on this so I really need help

Thanks

mgraham50 · ‎03-02-2012

Are you using AD SSO and the CAS local user database login screen comes up instead?

rgarreton · ‎03-02-2012

Yes, i'm using AD SSO and no the CAS login doesn't appear this is what happen.

-Users whit the agent installed can succesfully login and pass the antivirus check but the vlan doesn't change it stays on the unauthenticated vlan. I also tested the connection whit the AD and looks good

-When I tested whitout the agent, I open a web browser and it redirects to the cas login I try whit a local user but the login screen seems to timed out (no login error pops up or anything)

As I mentioned before nothing appears on the logs on CAM or CAS but the device appears a "discovered devices" but they seems to be unable to log in locally so the unauthenticated vlan doesn't change. And whit the agent I don't know why they appear as logged in on the agent but doesn't appear as a online user on CAM just as a discovered device

If you need any configuration or something please let me know, I'm really stuck on this

Regards

mgraham50 · ‎03-02-2012

We recently had issue with Windows AD SSO and Windows 7 clients.

XP clients would authenticate just fine, however, the Windows 7 clients would not authenticate and would just remain on the unauthenticated vlan.

Our issue was with the CAS lookup SSO account we installed on AD. It only supported DES encryption which Windows 7 64 did not. We turned off "Use DES encrytion" on the AD SSO account and re-tested.

What are the settings for the port-profile that is applied to the switchport?

What is the vlan-mapping settings for the untrusted/trusted trunk ports?

rgarreton · ‎03-02-2012

I'm sorry I put this as correct answer in error and don't know how to delete it

Anyway is this the information you requested?

Also where can I change the enccription to turn off the DES encription?

Thanks

rgarreton · ‎03-02-2012

I'm looking on the server lookup and seems to be whitout any encription

mgraham50 · ‎03-02-2012

We use AD SSO in an out-of-band virtual gateway, so, we don't use lookup server, we just use the auth server AD SSO in the Auth Servers tab.

Anyway, the CAS's user account (naclookup) in active directory needed to be changed to NOT use DES encryption in the account properties page of the user.

If authenticating with a CCA local user database and then assigning a VLAN Role by using the LDAP lookup server, you need to be sure the user account can query the AD database, and that a mapping condition has been correctly setup to assign a role based on the results of the mapping rule setup for that lookup server.

We used in the past: Type Attribute, Left Operand memberOf, Operator contains, Right Operand users and then mapped that the the authorized user role.

Hope this helps.

rgarreton · ‎03-02-2012

I will check that, but what about the local DB user. They try to login using the weblogin (seems they are not in the AD) but after they type their credentials the browser seems to time out and the unauthenticated vlan stays and the log doesn't show anything, what can cause that?

Cisco NAC appliance - After a success login users doesn't change to the propper vlan