01-27-2011 10:13 AM - edited 02-21-2020 04:14 AM
Can anyone explain why this happens?
I configure the NAC agent to not bounce my port and to not refresh my IP address and when I'm logging in, the agent brings up a message saying "refreshing IP address".
This causes the CAM to uncertify my device and kick me off the Auth VLAN even though I pass the authentication test.
I've deployed in L2 OOB VG mode and I'm using version 4.8.0 on CAM, CAS and agent.
The same thing happens when I use the Web Agent...
Anyone ever experienced this/have any idea why this happens?
01-28-2011 12:59 AM
Hi,
Can you check what is the role on which the user falls into?
Can you send us the screenshot of the Role configuration?
Also, can you check the Port Profile configuration? (OOB Management > Profiles > Port)
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-28-2011 05:20 AM
Hi Tiago,
Here are the screens
Login Event Log
Authentication | 2011-01-28 08:04:45 | [00:18:8B:70:E0:29 ## 172.16.0.134] engineer - Successfully logged in as out-of-band user, Provider: Local DB, Role: role_engineer, OS: Windows Vista Business |
Online Users
Monitoring > Online Users
View Online Users · Display Settings
In-Band · Out-of-Band
Active users: 1 (Max users since last reset: 1)
Online Users 1 - 1 of 1
| User Name | User IP (Authentication IP/Access IP) | User MAC | Provider | Role | Location | CCA Server | Access VLAN | OS | Login Time |
|---|---|---|---|---|---|---|---|---|---|
| engineer | 172.16.0.134/172.16.0.134 | 00:18:8B:70:E0:29 | Local DB | role_engineer | switch [172.16.0.2] port [Gi0/35] | 172.16.0.25 | 14 | Windows Vista Business | 2011-01-28 08:04:45.0 |
User Config
User Management > Local Users
Local Users · Guest Users
List · Edit
Disable this account
User Name
Password
Confirm Password
Description
Role
Role Config
User Management > User Roles
List of Roles · Edit Role · Traffic Control · Bandwidth · Schedule
Disable this role
Role Name
Role Description
Role Type
*Max Sessions per User Account (Case-Insensitive Session Identifiers): 1 – 255; 0 for unlimited
Retag Trusted-side Egress Traffic with VLAN (In-Band): 0 – 4095, or leave it blank (*This option has been deprecated, and it will be removed in upcoming releases)
*Out-of-Band User Role VLAN: if left blank, it will default to the default access vlan settings in the Port Profile
*Bounce Switch Port After Login (OOB): Enable / Disable (This option is effective only when port profile is set to use it)
*Refresh IP After Login (OOB): Enable / Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)
*After Successful Login Redirect to: previously requested URL / this URL (e.g. http://www.cisco.com/)
Redirect Blocked Requests to: default access blocked page / this URL or HTML message
*Show Logged-on Users
Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)
Re-assessment Interval: minimum of 60 minutes and maximum of 1440 minutes [24 hours]
Grace Timer: minimum of 5 minutes and maximum of 30 minutes
Default action on failure
(*only applies to normal login role)
Port Profile
OOB Management > Profiles
Group · Device · Port · VLAN · SNMP Receiver
List · New · Edit
Profile Name
Description
Manage this port
VLAN Settings
Supported VLAN Name format: abc, *abc, abc*, *abc*. The switch will use the first match for wildcard VLAN Name.
Auth VLAN
Default Access VLAN
Access VLAN
VLAN Profile
Options: Device Connected to Port
The CAM discovers the device connected to the switch port when it receives SNMP mac-notification or linkup traps for the device. The CAM then instructs the switch to assign the Auth VLAN to the port if the device is not certified, or Access VLAN if the device is certified and user is authenticated. You can additionally configure the following options:
Change VLAN according to global device filter list (device must be in list). When set, the VLAN of the port will be assigned by global device filter settings (ALLOW=Default Access VLAN, DENY=Auth VLAN, ROLE/CHECK=User Role VLAN, IGNORE=ignore SNMP traps from managed switches (IP Phones)).
Change to <VLAN> if the device is certified but not in the out-of-band user list. Select the VLAN to assign when device is certified and user is reconnecting to network.
Bounce the port after VLAN is changed. Check this box to help clients update their IP settings for non-Virtual Gateways. You can leave this field unchecked for Virtual Gateways.
Bounce the port based on role settings after VLAN is changed.
Generate event logs when there are multiple MAC addresses detected on the same switch port.
Do not bounce port to generate Linkup trap if MAC address query failed. Check this box for Wake-on-LAN devices or if you are using MAC-NOTIFICATION trap to discover connected devices.
Options: Device Disconnected from Port
The device is considered disconnected after: SNMP linkdown trap received or admin removal of user. Additional configuration options are:
Remove out-of-band online user when SNMP linkdown trap is received, and then Ensure Access VLAN client is removed from OOB online user list if disconnecting/reconnecting to same port.
Remove other out-of-band online users on the switch port when a new user is detected on the same port. Ensure only one valid user is allowed on one switch port at the same time.
Remove out-of-band online user without bouncing the port. This prevents port bouncing for IP phone connected users.
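The Port Profile help text above spells out the rule the CAM applies when it picks a VLAN for a managed port (Auth VLAN for an uncertified device, the role's VLAN or the default Access VLAN for a certified, authenticated user, or whatever the global device filter dictates). The following script is an added example, not Cisco code and not anything from the original posts: it parses the CAM event-log line quoted earlier in this post, encodes those rules as a function, and compares the VLAN a port is observed to carry against the VLAN the rules predict, flagging the "online user still sitting in the Auth VLAN" condition described in this thread. The regular expression, the dataclass layouts, the `device_filter` strings, the Auth VLAN of 30 and role VLAN of 14 (both taken from this thread), and the default Access VLAN of 10 (constructed) are assumptions for illustration; the real CAM log grammar and configuration schema are not documented here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the CAM event-log line quoted in the thread.
EVENT_LOG_LINE = (
    "Authentication | 2011-01-28 08:04:45 | [00:18:8B:70:E0:29 ## 172.16.0.134] "
    "engineer - Successfully logged in as out-of-band user, Provider: Local DB, "
    "Role: role_engineer, OS: Windows Vista Business |"
)

# Field layout inferred from that one line (assumption; not a documented CAM grammar).
EVENT_RE = re.compile(
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ## (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"
    r"(?P<user>\S+) - Successfully logged in as out-of-band user, "
    r"Provider: (?P<provider>[^,]+), Role: (?P<role>[^,]+), OS: (?P<os>[^|]+?)\s*\|?\s*$"
)


def parse_login_event(line: str) -> Optional[dict]:
    """Return mac/ip/user/provider/role/os for a successful OOB login line, else None."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


@dataclass
class PortProfile:
    auth_vlan: int
    default_access_vlan: int
    # "Change to <VLAN> if the device is certified but not in the out-of-band user list"
    certified_not_in_list_vlan: Optional[int] = None


@dataclass
class Role:
    name: str
    oob_vlan: Optional[int] = None  # blank in the GUI falls back to the profile's default Access VLAN


def expected_port_vlan(profile: PortProfile, role: Role, *, certified: bool,
                       authenticated: bool, in_oob_user_list: bool,
                       device_filter: Optional[str] = None) -> Optional[int]:
    """VLAN the CAM should assign, following the Port Profile help text in order."""
    # Global device filter, when the profile is set to honour it (device must be in the list).
    if device_filter == "IGNORE":
        return None  # CAM ignores SNMP traps for this device (e.g. IP phones)
    if device_filter == "ALLOW":
        return profile.default_access_vlan
    if device_filter == "DENY":
        return profile.auth_vlan
    # ROLE/CHECK, or no filter at all: fall through to certification/authentication rules.
    if not certified:
        return profile.auth_vlan
    if not authenticated or not in_oob_user_list:
        if profile.certified_not_in_list_vlan is not None:
            return profile.certified_not_in_list_vlan
        return profile.auth_vlan  # assumption: without that option no access VLAN is granted
    return role.oob_vlan if role.oob_vlan is not None else profile.default_access_vlan


def check_online_user(event_line: str, profile: PortProfile, roles: dict,
                      *, observed_port_vlan: int, certified: bool = True) -> Optional[dict]:
    """Compare the VLAN a switch port actually carries with what the rules predict.

    A successful OOB login implies an authenticated user who is in the online list,
    so only certification and the observed VLAN vary. Returns None for other lines.
    """
    ev = parse_login_event(event_line)
    if ev is None:
        return None
    role = roles.get(ev["role"], Role(ev["role"]))
    expected = expected_port_vlan(profile, role, certified=certified,
                                  authenticated=True, in_oob_user_list=True)
    if expected == observed_port_vlan:
        verdict = "ok"
    elif observed_port_vlan == profile.auth_vlan:
        verdict = "stuck-in-auth-vlan"  # the symptom reported in this thread
    else:
        verdict = "unexpected-vlan"
    return {"user": ev["user"], "mac": ev["mac"], "role": ev["role"],
            "expected_vlan": expected, "observed_vlan": observed_port_vlan, "verdict": verdict}


# Values from the thread: Auth VLAN 30, role_engineer VLAN 14. Default Access VLAN 10 is constructed.
PROFILE = PortProfile(auth_vlan=30, default_access_vlan=10)
ROLES = {"role_engineer": Role("role_engineer", oob_vlan=14)}

if __name__ == "__main__":
    # Observed state from the thread: user logged in, but the port is still on VLAN 30.
    print(check_online_user(EVENT_LOG_LINE, PROFILE, ROLES, observed_port_vlan=30))
```

Run against the real CAM event log and the switch's per-port VLAN (for example from the Online Users "Access VLAN" column next to what the switch itself reports), the `stuck-in-auth-vlan` verdict isolates exactly the users whose VLAN assignment never took effect, which is the question the thread ends on.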
01-28-2011 05:29 AM
When I try to post the screenshot it makes the picture very small.
Thanks for helping out Tiago, it's much appreciated =]
Once the user is authenticated, the device becomes certified for about a second and then the IP address refreshes and I lose my access. I'm still listed as online (as you'll see above) but I'm not in the certified devices list and my VLAN is the Auth VLAN (30).
I had all this config on version 4.7.0 and it was working with some test VLANs and subnets. I upgraded to 4.8.0 and now I'm migrating to my production network VLANs and subnets and I'm getting this bug.
~ Xavier
01-28-2011 05:33 AM
Hi Alex,
Ok, the port config is correct and everything looks fine.
Now, please note that you have VLAN change based on Role, which means you MUST NOT retain the same IP address after login as the VLAN will change to a VLAN that is different from the default Access VLAN.
How are you reaching the conclusion that the port is bouncing?
(Please note that port bounce, means a shut/no shut event on the switch port)
Also, please note that the agent has a feature called VLAN change detection, which is used to detect if the VLAN has changed, and if yes, it automatically tells the Operating System to refresh the IP.
So, having all this in mind I am seeing an expected behavior...
Now if you say that "This causes the CAM to uncertify my device and kick me off the Auth VLAN even though I pass the authentication test.", then you have here a problem and it may be a bug if it came only after upgrade to 4.8.
I would advise you to open a TAC SR and we could get into your devices and troubleshoot live.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-28-2011 06:02 AM
My port isn't being bounced. The agent does an IP refresh/renew. I'll turn off the role-based VLAN change and leave it to the port defaults and see if that works. Is there any way to turn off VLAN detect? I did a bit of research on it from before but from what I gather, on Windows it's disabled by default (maybe I misunderstood the document).
Thanks for the assistance thus far Tiago
~ Xavier
01-28-2011 06:14 AM
Hi Xavier,
And further details:
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-28-2011 07:02 AM
Right, as I thought the VLAN Detect is disabled by default on Windows. I'm still at a loss though.
When you configure L2 OOB VG mode, you're supposed to get the correct access IP address from the start from DHCP which is the way I've configured it. There should be no need for port bouncing or IP renew/refresh in this configuration and yet it does it.
Sorry I didn't answer your question from before. I know it's being refreshed by two things:
Thanks anyway Tiago, I think I'm just going to downgrade to 4.7.0 and see if I still have this problem. I'll post if I have any updates.
~ Xavier
01-28-2011 07:11 AM
Update:
I just did some fiddling with the SNMP receiver settings and it's actually not even switching my VLAN at all.
I set both the DHCP refresh and renew delays to 0 and the VLAN change delay to 60 seconds. After the "refresh and renew" that seems to not even happen anymore (I don't see the "refreshing your IP address" message on the agent), my pings will reach the trusted side of the network. The surprising thing though is that my VLAN hasn't changed and it doesn't show me as certified. It seems to be behaving in-band... allowing my packets to travel through the CAS and back out via the VLAN mapping.
Here's the question now...why isn't my VLAN changing?
Ah bwoooy...back to the troubleshooting drawing board *sigh*
Peace out
~ Xavier