05-01-2007 07:22 AM - edited 02-21-2020 01:30 AM
Hi, we are doing a testbed with NAC appliance. We are doing basic tests with the latest version 4.1.1 (30 April).
We are in an OOB test with virtual gateway mode. Our problem is very basic. For this test we are using local database.
TEST1
When we authenticate through the Web Page (no agent required) all is good: we are moved to the access VLAN and we can work. Sniffing, we can see the SNMP that reattributes the access VLAN. In this case the state and the display in logged-in users are consistent; we are shown with the AllAccess role.
TEST2
If we authenticate through the CAA, the authentication is displayed as successful on the agent. The logged OOB users list displays the test user with our AllAccess profile, but the logs show that we were moved to the Temporary Role (discrepancy here). If we sniff SNMP from CAM to switch, no SNMP is generated from the CAM to the switch. In this case we stay in the Auth VLAN and we always loop for reauthentication, as the CAM considers us as logged in but didn't move the VLAN. (For this test we use a compliant machine.)
TEST3
If we test with a non-compliant machine, we stay in the Auth VLAN, which is normal, and we can access sites for remediation (normal behaviour).
In the three cases the config of roles etc. is exactly the same; the only difference is that we authenticated in a different way.
So for a compliant machine with authentication through CAA, we have a problem.
Has anyone experienced the same issue?
Best Regards
Miguel Luna
05-03-2007 11:13 AM
Miguel,
I have seen this error when the client can't reach the CAS server. Are you doing a Central or Edge Deployment? Are you behind an IP phone?
How are the VLANs configured?
Regards,
Pedro Cabarga
05-09-2007 12:51 AM
Hi Pedro, nope, we could find a configuration mistake on CAS. The issue is now resolved. I was so surprised to see a discrepancy that I thought it could be a bug.
In fact it was very simple: the list of managed VLANs was not correct on CAS. So in this case, yes, there is a communication problem and the discrepancy on CAM appears.
Thank you very much for your answer.
Miguel
05-09-2007 07:09 AM
Yes - the documentation is a bit confusing for CAS configuration for L2 OOB. I just made the same mistake, not configuring a managed subnet for the L2 OOB VLAN I've trunked to the trusted side.