NAC 4.7 "CAS unavailable" temporary role

mecampr
Level 1

I have a VGW, OOB with Layer 3 enabled pilot deployment right now. Everything looks fine. However, about 30% of the time (and it's increasing) when I log on using the 4.7 agent, the agent will give me the error that the CAS is unavailable on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role (highlighted quarantined).

When I kick the user, more often than not the user can log back in, and it places him in the OOB role that he is assigned to and all works fine.

core switch -----------CAS/CAM
     |
distribution switch
     |
end user switch---------end user PC

Any ideas as to why, when placed in the temp role and transitioning to the authenticated role, it would lose contact? And why would it be placed in the in-band section of the monitoring online users?

18 Replies

waqas0612147
Level 1

Dear Rick,

Check the SSL certificate of the CAS and the CAM. The common name (CN) of the SSL certificate should be the IP address of the CAS and the CAM.

Let me check that... I know some things changed in 4.7.

Let me confirm... you say the X.509 CN on the CAS should be the CAS IP address, and the X.509 CN on the CAM should be the CAM IP address?

I think that is what I have, but it will be Monday before I can check that out. Thanks for replying.
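The check suggested above (does the appliance's certificate actually carry its own IP address in the CN?) can be scripted so it is not left to eyeballing the admin page. The following is an added example, not code from this thread or from Cisco. It works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns, so it can be exercised offline on constructed certificate data (the sample addresses below are made up) as well as against a live CAS or CAM; cert_matches_ip() accepts either an IP in the CN or an IP-address SAN entry, which is slightly more permissive than the CN-only rule stated in the reply.

```python
"""Check that the X.509 certificate a NAC appliance presents names its own IP address.

Added example; it is not code from the original thread or from Cisco. It operates on the
dictionary shape that ssl.SSLSocket.getpeercert() returns, so it can run offline on
constructed data as well as against a live CAS/CAM.
"""
import ipaddress
import socket
import ssl


def cert_names(cert):
    """Return (common_names, san_ips, san_dns) from a getpeercert()-style dict."""
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    san = cert.get("subjectAltName", ())
    ips = [v for (k, v) in san if k == "IP Address"]
    dns = [v for (k, v) in san if k == "DNS"]
    return cns, ips, dns


def cert_matches_ip(cert, expected_ip):
    """Return (ok, reason). ok is True when the CN, or a SAN IP entry, equals expected_ip."""
    want = ipaddress.ip_address(expected_ip)
    cns, ips, dns = cert_names(cert)
    for cn in cns:
        try:
            if ipaddress.ip_address(cn) == want:
                return True, "CN is %s" % cn
        except ValueError:  # CN is a hostname, not an address; keep looking
            pass
    for ip in ips:
        if ipaddress.ip_address(ip) == want:
            return True, "SAN IP %s" % ip
    return False, "cert names CN=%r SAN=%r, expected %s" % (cns, ips + dns, expected_ip)


def fetch_peer_cert(host, port=443, cafile=None):
    """Fetch the peer certificate of host:port as a getpeercert() dict.

    Chain verification stays on (CERT_REQUIRED) so that getpeercert() is populated;
    Python's own hostname matching is disabled because we check the IP ourselves with
    cert_matches_ip(). cafile is assumed to be the CA that issued the appliance
    certificate (for a self-signed appliance cert, the cert itself).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data (not from the thread): a CAS certificate wrongly issued with
# the CAM's address in the CN, and a corrected one. Addresses are documentation space.
CAS_IP = "192.0.2.10"
CAM_IP = "192.0.2.11"
WRONG_CAS_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", CAM_IP),)),
    "subjectAltName": (),
}
RIGHT_CAS_CERT = {
    "subject": ((("commonName", CAS_IP),),),
    "subjectAltName": (("IP Address", CAS_IP),),
}

if __name__ == "__main__":
    for label, cert in (("wrong", WRONG_CAS_CERT), ("right", RIGHT_CAS_CERT)):
        ok, why = cert_matches_ip(cert, CAS_IP)
        print(label, "OK" if ok else "MISMATCH", "-", why)
```

To run it against a real appliance, call `cert_matches_ip(fetch_peer_cert("10.0.0.2", cafile="cas-ca.pem"), "10.0.0.2")` for the CAS and the same for the CAM; the wrong-CN case in the thread (CAS cert carrying the CAM's address) comes back as a mismatch with the offending CN in the reason string.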

Faisal Sehbai
Level 7

Rick,

So trying to understand your topology. You're trying to do L3 OOB VGW? Are your clients multiple hops away from the CAS?

Waqas's point is valid to an extent. Bad certs or misconfigured certs can cause lots of issues in 4.7, but in that instance no logins would happen.

More clarification on how things are laid out at your end would help.

Faisal

The CN on the CAS was indeed wrong: the IP address was that of the CAM.

However, that still hasn't fully fixed the problem.

I took all the checks away from the auth role assigned and it seems to fix the problem.

Yes, Faisal, all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each VLAN on the switch, apart from the auth VLANs, has an SVI.

i.e. on the core switch:

interface GigabitEthernet2/28
description trusted
no ip address
switchport
switchport trunk native vlan 997
switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298 >>>Access Vlans
switchport mode trunk
!
interface GigabitEthernet2/29
description untrusted
no ip address
switchport
switchport trunk native vlan 996
switchport trunk allowed vlan 9,10,20,30,40,50,60,400 >>>> Auth Vlans
switchport mode trunk

Example SVI for access VLANs:

interface Vlan110
description StaffLowerPT
ip address 1.1.1.1 255.255.255.0
ip helper-address 1.1.1.4
ip pim sparse-dense-mode
ipx network 8

No SVIs for the auth VLANs.

I remember reading somewhere that if no checks are done (i.e. if the agent is not running any rules on it) then it moves straight from authentication (phase 1) to the authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?

I have an AV check rule and two SUS/WSUS rules.

On the temp role policy, only DNS requests are allowed through. There are several host rules that allow Symantec updates etc., but would I need to add the CAS/CAM IP address (since the CAS is OOB VGW it has no IP address; well, it's the same IP, but just not used)?
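The trunk and SVI configuration posted above encodes the property an OOB virtual-gateway deployment depends on: the access VLANs and the auth VLANs are disjoint sets, the untrusted (auth) VLANs have no SVI so nothing can route around the CAS, and every access VLAN does have one. The following is an added example, not the poster's or Cisco's code, that parses a running-config excerpt and checks those invariants. The config embedded in it is constructed from the one in the post (VLAN numbers kept, addresses replaced with documentation space); the trunk descriptions "trusted" and "untrusted" are assumed to be the ones used on the CAS-facing ports.

```python
"""Sanity-check an OOB VGW switch configuration for the trusted/untrusted split.

Added example, not from the original post or from Cisco. It parses the relevant parts of
an IOS running-config (the two CAS-facing trunks and the SVIs) and checks that access and
auth VLAN sets are disjoint, that no auth VLAN is routed (no SVI), and that every access
VLAN has an SVI. Python 3.8+ (uses assignment expressions).
"""
import re

# Constructed sample: VLAN numbers from the post, IP addresses replaced with TEST-NET space.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/28
 description trusted
 switchport
 switchport trunk native vlan 997
 switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298
 switchport mode trunk
!
interface GigabitEthernet2/29
 description untrusted
 switchport
 switchport trunk native vlan 996
 switchport trunk allowed vlan 9,10,20,30,40,50,60,400
 switchport mode trunk
!
interface Vlan110
 description StaffLowerPT
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan5
 ip address 192.0.2.129 255.255.255.128
"""


def expand_vlans(spec):
    """'5,100-102,400' -> {5, 100, 101, 102, 400} (IOS allowed-vlan syntax)."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text):
    """Return (trunks, svis).

    trunks maps the trunk's description (or interface name) to {'allowed': set, 'native': int};
    svis is the set of VLAN IDs that have an 'interface VlanN' block.
    """
    trunks, svis = {}, set()
    for block in re.split(r"^interface ", text, flags=re.M)[1:]:
        name, *lines = block.splitlines()
        body = {}
        for line in lines:
            line = line.strip()
            if line.startswith("description "):
                body["desc"] = line.split(None, 1)[1]
            elif m := re.match(r"switchport trunk allowed vlan (\S+)", line):
                body["allowed"] = expand_vlans(m.group(1))
            elif m := re.match(r"switchport trunk native vlan (\d+)", line):
                body["native"] = int(m.group(1))
        if m := re.match(r"Vlan(\d+)$", name.strip()):
            svis.add(int(m.group(1)))
        elif "allowed" in body:
            trunks[body.get("desc", name.strip())] = body
    return trunks, svis


def check_vgw(text, trusted="trusted", untrusted="untrusted"):
    """Return a list of findings; an empty list means the split looks right."""
    trunks, svis = parse_config(text)
    try:
        access, auth = trunks[trusted]["allowed"], trunks[untrusted]["allowed"]
    except KeyError as missing:
        return ["trunk %s not found or has no allowed-vlan list" % missing]
    findings = []
    if overlap := access & auth:
        findings.append("VLANs carried on both trunks: %s" % sorted(overlap))
    if trunks[trusted].get("native") == trunks[untrusted].get("native"):
        findings.append("trusted and untrusted trunks share a native VLAN")
    if routed_auth := auth & svis:
        findings.append("auth VLANs with an SVI (bypass the CAS): %s" % sorted(routed_auth))
    if unrouted := access - svis:
        findings.append("access VLANs without an SVI: %s" % sorted(unrouted))
    return findings


if __name__ == "__main__":
    for finding in check_vgw(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against `show running-config` output, the only finding on the sample is the list of access VLANs whose SVIs were left out of the excerpt; adding an `interface Vlan10` to the sample makes the auth-VLAN-with-SVI check fire, which is the misconfiguration that would let untrusted hosts route around the CAS.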

Rick,

Having requirements shouldn't cause the CAS communication failure notice. There's something else broken in your network I suspect.

You don't have to add the CAS/CAM ip addresses in the roles for this to work. You should however add any remediation resources (which from the post it seems you have)

Please post your CAS and CAM logs here for review. Do a test first, note the time, and then collect the logs. Post the logs and time when you did the test.

Faisal

How do you export the CAS/CAM logs from the devices?

Rick,

From CAM, go to CCA Manager -> Support Logs and Download

From CAS, go to https://IP_ADD_OF_CAS/admin Support Logs -> Download

Faisal

OK, here are the attached logs.

These are the CAM logs; the previous attachment was the CAS.

Here are the CAS logs.

I noticed my core 6509E was running code version 12.2(18)SXD7; would that cause any problems?

Although I've not had any problems with the switches being able to be controlled, or the ports not being put in the correct VLANs, etc.

The error seems to be appearing whenever I ask for remediation... if I don't ask for remediation, or any rules or scanning at all, I get the CAS server not available on the network... I've asked TAC to look at it; their initial check couldn't see anything wrong with the config, so we're going deeper. Has anyone else experienced this, and what was their fix?
