Cisco NAC Online User List Problem and Multiple MAC Scenario ?

dumlutimuralp · ‎07-06-2010

Hi all,

I am performing Cisco NAC demo at a customer. Have two vital questions.

1_ Customer is willing to do posture assessment whenever it is possible., like everytime a user connects and disconnects from and to the network. For wired connections I have emhasized "remove online user when disconnected" setting in port profile. This works great. However for users who are wireless or behind IP phones , there is no such setting. So if a user switches from wireless to wired, that user is still on Online User List so it does not get assessed against NAC Server. It continues to work without any posture validation. Is there any other setting to remove the Online User who is wireless o behing an IP phone once it gets disconnected from the network ?

2_ What exactly happens when there are multiple devices on a switchport (I know I could see it for myself but time is tight ) ? I mean if there are multiple devices who are members of different roles, is the switchport assigned a different VLAN whenever that clients posture validation gets completed ?

What is the recommended approach for this ?

Thanks in advance.

Dumlu

Faisal Sehbai · ‎07-06-2010

Dumlu,

For 1, you can have the user removed from OUL in OOB scenarios, but behind IP phones it's difficult since we won't know when the PC is offline from there. Only way to know that is when CAM receives a MAC-Notification of a new MAC address being learnt. In IB, you can use heartbeat timers to log them out

For 2, when a new MAC address is seen on the port, the MAC-Notification is sent out, and depending on your port profile the switchport will change or not. Check your port profile settings for more details on how you have it setup.

HTH,

Faisal