Cisco NAC - Mapping Rules with VLAN ID

Daniel Stefani
Level 1

Hello,

I have a NAC L3 - OOB - Real IP Gateway environment.

The NAC is the version 4.8.1.

Each floor of the company has one Access Vlan, one Auth Vlan and one User Role.

I configured an LDAP Auth Server where the default role is Unauthenticated Role and created Mapping Rules based on the VLAN ID of the Auth VLAN on each floor.

Ex: The Access VLAN of the 8th floor is 380, the Auth VLAN is 908 and the User Role is FuncionariosB8.

When I run an Auth Test, the result is as expected and User is mapped to the desired Role.

But when put into production, the user ends up in the Default Unauthenticated Role.

The figures attached show my settings in the NAC.

The log excerpt below is taken from nac_manager.log:

2011-02-25 17:42:23.091 +0100 [TP-Processor23] INFO  com.perfigo.wlan.web.admin.UserInfoManager         - UIM - removeUsersByMacList: 1 MACs 0 users

2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=1 condId=1 type=2 lOp=VLAN ID op=equals rOp=907

2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=0 condId=1 type=2 lOp=VLAN ID op=equals rOp=908

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=2 condId=1 type=2 lOp=VLAN ID op=equals rOp=909

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=3 condId=1 type=2 lOp=VLAN ID op=equals rOp=929

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=8 condId=1 type=2 lOp=VLAN ID op=equals rOp=928

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=11 condId=1 type=2 lOp=VLAN ID op=equals rOp=910

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=13 condId=1 type=2 lOp=VLAN ID op=equals rOp=931

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=15 condId=1 type=2 lOp=VLAN ID op=equals rOp=911

2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=17 condId=1 type=2 lOp=VLAN ID op=equals rOp=912

2011-02-25 17:42:44.711 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

2011-02-25 17:42:49.103 +0100 [Thread-72] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.

2011-02-25 17:42:49.354 +0100 [Thread-73] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.

Can you help me with this problem, or will I need to open a TAC case?

Kind Regards,

Daniel Stefani

Accepted Solution

Are the connections between switches L3?

Do you have an active L3 routing protocol in your network?

What is your NAC deployment model, is it L2 OOB VG or L3 OOB RG?

Kamil


29 Replies

wkamil123
Level 1

Hi Daniel,

You did not configure the LDAP mapping rules correctly.

LDAP uses queries that look in the AD structure to find whether a user belongs to an OU or to groups, and on the basis of the received responses it puts the user in the proper role.

In your NAC configuration it always puts the user in the Unauthenticated role because you indicate Auth VLAN 908.

For example, in your AD a group called 'FunctionariosB8' is created and it has a member called 'test'.

Create a role whose expression form contains the formula 'memberof contains FunctionariosB8'.

Then you can verify in Auth Test what the response is for user 'test'.

Kamil

Hi Kamil,

In Mapping Rule setup, the condition VLAN ID is available for all Auth Servers.

I intend to use the condition type VLAN ID and not Attribute.

In my environment, this condition is more appropriate.

In the example you gave, you use Attribute.

See my illustrated attached file.

Thanks for the reply, but I believe it does not solve my problem.

Kind Regards,

Daniel Stefani

Hi Daniel,

Show me how you configure rules for users. Why are you trying to use LDAP; does it have any information about the VLAN ID that you want to use?

I think it is better for you to create a port profile for a dedicated role and assign the user to this role.

By the way, I verified what you want to do and, as I mentioned above, the mapping rule is not your solution.

You must create a port profile and assign the port on the switch to this profile.

Kamil

Hi Kamil,

The settings are attached.

I'm using LDAP so that AD serves as the user base and as an authentication option for users who are not on the Domain but have accounts in AD.

The method of authentication via SSO is the default, but the same problem happens in Mapping Rule.

I chose to use User Role VLAN because I'm configuring the Guest access too.

Thus, a switch port may be in the Employees Network or in the Guest Network.

My network does not propagate VLANs from one switch to another; it is entirely L3.

The focus on solving the problem should be in the nac_manager.log messages I sent in the first post.

Finding the solution to the error will solve my problem.

For some reason, NAC Manager cannot read the Auth VLAN ID of the user in order to map it correctly.

It could be an SNMP problem, but I'm not sure yet.

I am sending my SNMP settings for you to see.

Kind regards,

Daniel Stefani

The SNMP settings on a CAT switch are in read-only mode, so verify whether you changed these SNMP settings for the CAM only to read-write.

Kamil

I imagine that the SNMP settings are correct.

If I do an snmpwalk from the CAM to the switch, I get the following output:

[root@srvtatcam001 ~]# snmpwalk -v 1 -c nac-ro 10.5.0.121 | more

SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, s3223_rp Software (s3223_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH5, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Thu 16-Apr-09 01:34 by prod

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.400

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (320415575) 37 days, 2:02:35.75

SNMPv2-MIB::sysContact.0 = STRING:

SNMPv2-MIB::sysName.0 = STRING: SWITATIDF002

SNMPv2-MIB::sysLocation.0 = STRING:

SNMPv2-MIB::sysServices.0 = INTEGER: 78

SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00

IF-MIB::ifNumber.0 = INTEGER: 357

IF-MIB::ifIndex.1 = INTEGER: 1

IF-MIB::ifIndex.2 = INTEGER: 2

IF-MIB::ifIndex.3 = INTEGER: 3

IF-MIB::ifIndex.4 = INTEGER: 4

IF-MIB::ifIndex.5 = INTEGER: 5

IF-MIB::ifIndex.6 = INTEGER: 6

IF-MIB::ifIndex.7 = INTEGER: 7

IF-MIB::ifIndex.8 = INTEGER: 8

IF-MIB::ifIndex.9 = INTEGER: 9

.

.

.

Kind Regards,

Daniel Stefani

Could you test after changing the CAT 6500 and the CAM switch profile to SNMP version 2?

Kamil

Hi,

The behavior remains the same; users are still being mapped to the Unauthenticated Role.

In AD create a user, test it through Auth Test and show the CAM's response.

Kamil

See attached files...

So, you have an answer as to why users are put in the Unauthenticated Role.

In the mapping rule change the value 908 to 380 and test it with an acsadmin user.

Kamil

Hi,

The users are put in the Unauthenticated Role because the NAC Manager is unable to obtain the VLAN ID of the switch port where the user is connected.

This can be seen in the file nac_manager.log:

2011-02-28 16:37:55.601 +0100 [TP-Processor22] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=4 condId=1 type=2 lOp=VLAN ID op=equals rOp=908

2011-02-28 16:37:55.601 +0100 [TP-Processor22] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}

The result of the condition should be conditions - {1=true}.

Because the condition is false, the NAC Manager puts the switch port in the Default Access VLAN configured in the Port Profile and the user in the Unauthenticated Role, which is the default for the LDAP Auth Server.

But the big question to be answered is why it (NAC Manager) cannot read this VLAN ID.

The user guide says:

"The Mapping Rules forms can be used to map users into user role(s) based on the following parameters:

•The VLAN ID of user traffic originating from the UNTRUSTED SIDE of the CAS (all auth server types). ------> IN MY CASE IT IS VLAN 908

•Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes passed from Cisco VPN Concentrators)"

Kind Regards,

Daniel Stefani

Hi,

Read this document about Cisco NAC Appliance Switch and Wireless LAN Controller Support.

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/switch_spt.html#wp89679

There is a command; try it on the CAM (community string and switch address are placeholders here):

snmpget -v 1 -c <community> <switch-ip> 1.3.6.1.2.1.1.2.0

If the CAM responds with the same OID as above, your SNMP settings are correct, but test the other SNMP settings on the CAM and on the switch as well.

As far as I know the IOS on your CAT6500 is supported by the CAM, or maybe there are some bugs in your IOS version?

The simple way to check SNMP: go to the port profile on the CAM, choose the proper port on the switch and bounce the port to which a PC is connected.

In that way you verify the CAM communication through SNMP.

Kamil

Hi,

I did a test with snmpget using the OID of the VLAN ID.

# snmpget -v 1 -c nac-ro 10.5.0.121 1.3.6.1.4.1.9.9.68.1.2.2.1.2.88

SNMPv2-SMI::enterprises.9.9.68.1.2.2.1.2.88 = INTEGER: 908

I also collected packets between the switch and the NAC Manager during authentication.

See attached file.

Kind Regards,

Daniel Stefani
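The two posts above leave the reader with a log that says every VLAN ID condition evaluated false and an snmpget that says the port is in VLAN 908. The script below is an added triage aid, not code from Cisco or from anyone in this thread: it parses RoleMappingEvaluator and SnmpUtil lines in the nac_manager.log format quoted above and reports when a rule should have matched the VLAN an independent snmpget returned. The sample log excerpt is constructed from the lines posted earlier; the regexes assume that exact line layout.

```python
import re

# Constructed excerpt in the format of the nac_manager.log lines quoted in this thread.
SAMPLE_LOG = """\
2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=1 condId=1 type=2 lOp=VLAN ID op=equals rOp=907
2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}
2011-02-25 17:42:44.709 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - Cond#1:AuthServerMapCondition: mapid=0 condId=1 type=2 lOp=VLAN ID op=equals rOp=908
2011-02-25 17:42:44.710 +0100 [TP-Processor23] INFO  c.perfigo.wlan.web.auth.expr.RoleMappingEvaluator  - conditions - {1=false}
2011-02-25 17:42:49.103 +0100 [Thread-72] ERROR com.perfigo.wlan.web.sms.SnmpUtil                  - Failed to find Access VLAN for switch [10.5.0.121] port [88]. Use default Access VLAN 380 instead.
"""

# A mapping-rule condition line carries the rule id and the VLAN it expects (rOp).
COND_RE = re.compile(r"AuthServerMapCondition: mapid=(\d+) .*?lOp=VLAN ID op=equals rOp=(\d+)")
# The following line carries the evaluator's verdict for that single condition.
RESULT_RE = re.compile(r"conditions - \{1=(true|false)\}")
# SnmpUtil reports when the CAM could not read the port's VLAN and fell back to the default.
SNMP_ERR_RE = re.compile(r"Failed to find Access VLAN for switch \[([\d.]+)\] port \[(\d+)\]")

def parse_log(text):
    """Return (rules, snmp_errors); rules maps mapid -> (expected_vlan, evaluated_true)."""
    rules, errors, pending = {}, [], None
    for line in text.splitlines():
        m = COND_RE.search(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))   # remember rule until its verdict
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            mapid, vlan = pending
            rules[mapid] = (vlan, m.group(1) == "true")
            pending = None
            continue
        m = SNMP_ERR_RE.search(line)
        if m:
            errors.append((m.group(1), int(m.group(2))))
    return rules, errors

def diagnose(rules, snmp_errors, observed_vlan):
    """Compare the evaluator's verdicts with the VLAN that snmpget (vmVlan OID) returned."""
    should_match = [mapid for mapid, (vlan, _) in rules.items() if vlan == observed_vlan]
    did_match = [mapid for mapid, (_, ok) in rules.items() if ok]
    findings = []
    if should_match and not did_match:
        findings.append(f"rule(s) {should_match} expect VLAN {observed_vlan} but every condition "
                        f"evaluated false: the CAM never saw the VLAN ID during role mapping")
    for switch, port in snmp_errors:
        findings.append(f"CAM could not read the Access VLAN of {switch} port {port} via SNMP; "
                        f"check community string, SNMP version and MIB access on both sides")
    return findings

if __name__ == "__main__":
    for finding in diagnose(*parse_log(SAMPLE_LOG), observed_vlan=908):
        print(finding)
```

Run against the real nac_manager.log, the observed VLAN is whatever `snmpget` on the vmVlan OID (1.3.6.1.4.1.9.9.68.1.2.2.1.2.<ifIndex>) returns for the port in question.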
