NAC agent refreshes IP address even though I configured it not to

Xavier Lloyd
Level 1

Can anyone explain why this happens?

I configure the NAC agent to not bounce my port and to not refresh my IP address and when I'm logging in, the agent brings up a message saying "refreshing IP address".

This causes the CAM to uncertify my device and kick me off the Auth VLAN even though I pass the authentication test.

I've deployed in L2 OOB VG mode and I'm using version 4.8.0 on CAM, CAS and agent.

The same thing happens when I use the Web Agent...

Anyone ever experienced this/have any idea why this happens?

8 Replies

Tiago Antunes
Cisco Employee

Hi,

Can you check what is the role on which the user falls into?

Can you send us the screenshot of the Role configuration?

Also, can you check the Port Profile configuration? (OOB Management > Profiles > Port)

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Tiago,

Here are the screens

Login Event Log

Authentication  2011-01-28 08:04:45  [00:18:8B:70:E0:29 ## 172.16.0.134]  engineer - Successfully logged in as out-of-band user, Provider: Local DB, Role: role_engineer, OS: Windows Vista Business

Online Users

Monitoring > Online Users

View Online Users: Out-of-Band

Active users: 1 (Max users since last reset: 1)

Online Users 1 - 1 of 1

User Name: engineer
User IP (Authentication IP/Access IP): 172.16.0.134/172.16.0.134
User MAC: 00:18:8B:70:E0:29
Provider: Local DB
Role: role_engineer
Location: switch [172.16.0.2] port [Gi0/35]
CCA Server / Access VLAN: 172.16.0.2514 (the two values are run together in the pasted row)
OS: Windows Vista Business
Login Time: 2011-01-28 08:04:45.0

User Config

User Management > Local Users

Local Users · Guest Users
List · Edit

Disable this account
User Name
Password
Confirm Password
Description
Role

Role Config

User Management > User Roles

List of Roles · Edit Role · Traffic Control · Bandwidth · Schedule

Disable this role
Role Name
Role Description
Role Type
*Max Sessions per User Account (Case-Insensitive Session Identifiers) (1 – 255; 0 for unlimited)
Retag Trusted-side Egress Traffic with VLAN (In-Band) (0 – 4095, or leave it blank) (*This option has been deprecated, and it will be removed in upcoming releases)
*Out-of-Band User Role VLAN (if left blank, it will default to the default access vlan settings in the Port Profile)
*Bounce Switch Port After Login (OOB): Enable / Disable (This option is effective only when port profile is set to use it)
*Refresh IP After Login (OOB): Enable / Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)
*After Successful Login Redirect to: previously requested URL / this URL: (e.g. http://www.cisco.com/)
Redirect Blocked Requests to: default access blocked page / this URL or HTML message:
*Show Logged-on Users: User info / Logout button
Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)
Re-assessment Interval (Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
Grace Timer (Minimum of 5 minutes and maximum of 30 minutes)
Default action on failure

(*only applies to normal login role)

Port Profile

OOB Management > Profiles

Group · Device · Port · VLAN · SNMP Receiver
List · New · Edit

Profile Name
Description

Manage this port

VLAN Settings
Supported VLAN Name format: abc, *abc, abc*, *abc*. The switch will use the first match for wildcard VLAN Name.
Auth VLAN
Default Access VLAN
Access VLAN
VLAN Profile

Options: Device Connected to Port
The CAM discovers the device connected to the switch port when it receives SNMP mac-notification or linkup traps for the device. The CAM then instructs the switch to assign the Auth VLAN to the port if the device is not certified, or Access VLAN if the device is certified and user is authenticated.
You can additionally configure the following options:

- Change VLAN according to global device filter list (device must be in list).
  When set, the VLAN of the port will be assigned by global device filter settings (ALLOW=Default Access VLAN, DENY=Auth VLAN, ROLE/CHECK=User Role VLAN, IGNORE=ignore SNMP traps from managed switches (IP Phones)).
- Change to [ ] if the device is certified but not in the out-of-band user list.
  Select the VLAN to assign when device is certified and user is reconnecting to network.
- Bounce the port after VLAN is changed.
  Check this box to help clients update their IP settings for non-Virtual Gateways. You can leave this field unchecked for Virtual Gateways.
- Bounce the port based on role settings after VLAN is changed.
- Generate event logs when there are multiple MAC addresses detected on the same switch port.
- Do not bounce port to generate Linkup trap if MAC address query failed.
  Check this box for Wake-on-LAN devices or if you are using MAC-NOTIFICATION trap to discover connected devices

Options: Device Disconnected from Port
The device is considered disconnected after: SNMP linkdown trap received or admin removal of user. Additional configuration options are:

- Remove out-of-band online user when SNMP linkdown trap is received, and then [ ]
  Ensure Access VLAN client is removed from OOB online user list if disconnecting/reconnecting to same port.
- Remove other out-of-band online users on the switch port when a new user is detected on the same port.
  Ensure only one valid user is allowed on one switch port at the same time.
- Remove out-of-band online user without bouncing the port.
  This prevents port bouncing for IP phone connected users.

When I try to post the screenshot it makes the picture very small.

Thanks for helping out Tiago, it's much appreciated =]

Once the user is authenticated, the device becomes certified for about a second and then the IP address refreshes and I lose my access. I'm still listed as online (as you'll see above) but I'm not in the certified devices list and my VLAN is the Auth VLAN (30).

I had all this config on version 4.7.0 and it was working with some test VLANs and subnets. I upgraded to 4.8.0 and now I'm migrating to my production network VLANs and subnets and I'm getting this bug.

~ Xavier

Hi Alex,

Ok, the port config is correct and everything looks fine.

Now, please note that you have VLAN change based on Role, which means you MUST NOT retain the same IP address after login as the VLAN will change to a VLAN that is different from the default Access VLAN.

How are you reaching the conclusion that the port is bouncing?
(Please note that port bounce, means a shut/no shut event on the switch port)

Also, please note that the agent has a feature called VLAN change detection, which is used to detect if the VLAN has changed, and if yes, it automatically tells the Operating System to refresh the IP.

So, having all this in mind I am seeing an expected behavior...

Now if you say that "This causes the CAM to uncertify my device and kick me off the Auth VLAN even though I pass the authentication test.", then you have here a problem and it may be a bug if it came only after upgrade to 4.8.

I would advise you to open a TAC SR and we could get into your devices and troubleshoot live.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
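The reply above rests on a few rules that are spread over the role and port-profile screens pasted earlier: the port sits on the Auth VLAN until the device is certified, it then moves to the Default Access VLAN or to the user role's VLAN, the role's bounce and "Refresh IP After Login" options only take effect under specific port-profile conditions, and in L2 OOB Virtual Gateway mode the client already holds an address from the Default Access VLAN subnet. The following is an added example (not Cisco code and not the CAM's implementation) that models those rules as a small decision function and flags the configuration this thread describes, where the role VLAN differs from the default access VLAN while bounce and refresh are both disabled. The `access_vlan_source` field stands in for the port profile's Access VLAN selector and is an assumed name; the VLAN numbers other than the Auth VLAN 30 mentioned in the thread are constructed.

```python
"""Model of the CAM's L2 OOB Virtual Gateway (VG) port-VLAN decision.

Constructed example for this thread; it is not Cisco code and does not claim
to be the CAM's implementation. It encodes the rules quoted from the role and
port-profile screens (Auth VLAN until certified, then the default access VLAN
or the user-role VLAN; bounce and refresh-IP options) plus the point that in
VG mode the client already holds a Default Access VLAN address, so a role VLAN
different from it leaves that address stale unless something refreshes it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortProfile:
    auth_vlan: int
    default_access_vlan: int
    # Port profile "Access VLAN" selector: "default" or "role" (field name assumed).
    access_vlan_source: str = "default"
    bounce_after_vlan_change: bool = False  # "Bounce the port after VLAN is changed."
    bounce_based_on_role: bool = False      # "Bounce the port based on role settings ..."


@dataclass
class UserRole:
    name: str
    oob_vlan: Optional[int] = None          # "*Out-of-Band User Role VLAN" (blank = default access VLAN)
    bounce_port_after_login: bool = False   # "*Bounce Switch Port After Login (OOB)"
    refresh_ip_after_login: bool = False    # "*Refresh IP After Login (OOB)"


@dataclass
class Outcome:
    port_vlan: int
    port_bounced: bool
    cam_refreshes_ip: bool     # CAM-driven refresh per the role option
    agent_refreshes_ip: bool   # agent VLAN-change detection, if enabled on the client
    client_ip_stale: bool      # address held by the client no longer matches the port VLAN
    reason: str


def access_vlan_for(profile: PortProfile, role: UserRole) -> int:
    """VLAN used after login: the role VLAN only if the profile selects it and the role sets one."""
    if profile.access_vlan_source == "role" and role.oob_vlan is not None:
        return role.oob_vlan
    return profile.default_access_vlan


def decide(profile: PortProfile, role: UserRole, certified: bool,
           authenticated: bool, agent_vlan_detect: bool = False) -> Outcome:
    """What the CAM does to the port once a device is seen, and what the client ends up with."""
    if not (certified and authenticated):
        return Outcome(profile.auth_vlan, False, False, False, False,
                       "device not certified/authenticated: Auth VLAN")
    vlan = access_vlan_for(profile, role)
    # Role-level bounce is effective only when the port profile is set to use it.
    bounced = profile.bounce_after_vlan_change or (
        profile.bounce_based_on_role and role.bounce_port_after_login)
    # Role-level refresh applies only with the role VLAN as access VLAN and no bounce.
    role_vlan_in_use = profile.access_vlan_source == "role" and role.oob_vlan is not None
    cam_refresh = role.refresh_ip_after_login and role_vlan_in_use and not bounced
    # VG mode: while on the Auth VLAN the client was addressed from the Default Access
    # VLAN subnet, so its address is only wrong if the post-login VLAN is a different one.
    stale = vlan != profile.default_access_vlan
    agent_refresh = agent_vlan_detect and vlan != profile.auth_vlan
    reason = (f"certified and authenticated as {role.name}: VLAN {vlan}"
              + (" (role VLAN)" if role_vlan_in_use else " (default access VLAN)"))
    return Outcome(vlan, bounced, cam_refresh, agent_refresh, stale, reason)


def stranded(outcome: Outcome) -> bool:
    """True when the client keeps a stale address and nothing (bounce, CAM, agent) will renew it."""
    return outcome.client_ip_stale and not (
        outcome.port_bounced or outcome.cam_refreshes_ip or outcome.agent_refreshes_ip)


if __name__ == "__main__":
    # Constructed values: Auth VLAN 30 is mentioned in the thread; 10 and 20 are made up.
    profile = PortProfile(auth_vlan=30, default_access_vlan=10, access_vlan_source="role")
    engineer = UserRole("role_engineer", oob_vlan=20)   # bounce and refresh both disabled
    for cert, auth in ((False, False), (True, True)):
        o = decide(profile, engineer, cert, auth)
        print(o.reason, "| bounced:", o.port_bounced, "| CAM refresh:", o.cam_refreshes_ip,
              "| stale IP:", o.client_ip_stale, "| stranded:", stranded(o))
```

Running it with the thread's combination (role VLAN selected, bounce and refresh off) reports `stranded: True` after login: the client holds a Default Access VLAN address on a port that now sits in the role VLAN, so some refresh has to happen for it to keep working. Setting the role VLAN blank, enabling the role's refresh option, or enabling a bounce that the profile honours each clears the flag, which is a quick way to audit a role/profile pair before rolling it into production.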

My port isn't being bounced. The agent does an IP refresh/renew. I'll turn off the role-based VLAN change and leave it to the port defaults and see if that works. Is there any way to turn off VLAN detect? I did a bit of research on it from before but from what I gather, on Windows it's disabled by default (maybe I misunderstood the document).

Thanks for the assistance thus far Tiago

~ Xavier

Hi Xavier,

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html#wpxref36407.

And further details:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1638761.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Right, as I thought the VLAN Detect is disabled by default on Windows. I'm still at a loss though.

When you configure L2 OOB VG mode, you're supposed to get the correct access IP address from the start from DHCP which is the way I've configured it. There should be no need for port bouncing or IP renew/refresh in this configuration and yet it does it.

Sorry I didn't answer your question from before. I know it's being refreshed by two things:

  1. The NAC agent says "refreshing your IP address" once I've logged in on the PC
  2. I set up a continuous ping to the trusted network which I shouldn't be able to reach. The pings fail before I'm authenticated, at the moment I pass the authentication 1 or 2 pings MIGHT get through, then I get an error message saying "PING: transmit failed, error code 1231" which happens when the network card is disabled or doesn't have an IP address due to lack of connectivity. After 3 or 4 of those errors, normal timeout messages appear.

Thanks anyway Tiago, I think I'm just going to downgrade to 4.7.0 and see if I still have this problem. I'll post if I have any updates.

~ Xavier

Update:

I just did some fiddling with the SNMP receiver settings and it's actually not even switching my VLAN at all.

I set both the DHCP refresh and renew delays to 0 and the VLAN change delay to 60 seconds. After the "refresh and renew" that seem to not even happen anymore (I don't see the "refreshing your IP address" message on the agent) my pings will reach the trusted side of the network. The surprising thing though is that my VLAN hasn't changed and it doesn't show me as certified. It seems to be behaving inband...allowing my packets to travel through the CAS and back out via the VLAN mapping.

Here's the question now...why isn't my VLAN changing?

Ah bwoooy...back to the troubleshooting drawing board *sigh*

Peace out

~ Xavier
