04-28-2010 01:06 PM - edited 02-21-2020 03:56 AM
Hi,
I am trying to install L2 out-of-band NAC in my LAN, but I have a problem for which I can't seem to find any solution.
The problem is that the NAC Manager simply doesn't change the switchport from the authentication VLAN to the access VLAN, although the user
is authenticated and all CCA requirements have been met.
I connect my laptop to the switch and the NAM changes the VLAN to the auth. VLAN, and the laptop gets an IP address from the access VLAN (VLAN mapping
configured on the NAM). Then the CCA login pops up and I enter my username and password. After that the CCA says "Successfully logged in
to network", but the laptop stays in the auth. VLAN. I can see my user in the "out of band" users list (on the NAM), but the laptop (its MAC address) is not
in the certified devices list, and the Manager keeps it in the auth. VLAN. So when I click OK in the CCA, the login window pops up again because I'm still
in the authentication VLAN.
What could be the problem? I really tried everything and I don't know why the Manager doesn't put the laptop in the certified devices list (I repeat, the user is in the out-of-band
users list), the CCA says successfully logged in to network, and all requirements are met too.
04-28-2010 01:08 PM
Zoran,
Check the SNMP strings to ensure you have everything set right on the CAM and the switches. First thought suggests that the CAM is unable to write to the switch, which means your RW strings might be messed up.
HTH,
Faisal
04-28-2010 01:20 PM
Faisal,
thanks for the quick answer. SNMP is OK, because when I manually enter the access VLAN in the NAM, the NAM sets the port to that VLAN. And then
again, when I connect my laptop to that port, the NAM changes the VLAN back to authentication. So that seems to be OK.
And I do not see the laptop's MAC in the certified devices list, so I think that is the reason why the NAM doesn't put the port in the access VLAN.
04-28-2010 07:47 PM
Zoran,
You have a managed subnet entry for the subnet you're working with? Please post screenshots of your CAS config pages, your SNMP Receiver page and sanitized output from your switch.
Thanks
Faisal
04-29-2010 04:37 AM
Faisal,
thank you very much, yes, that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed
subnet, I cannot connect to the NAC server from my PC, which has an IP address from that subnet range. I can neither ping it nor connect via https; it is totally
inaccessible.
What can I do to keep that managed subnet entry and still be able to connect to the server from that subnet (VLAN)?
I tried adding the managed subnet entry with the auth. VLAN (400), then with the access VLAN (110) and with no VLAN (-1), but the situation is the same: clean access
works fine, but I cannot reach the server from my PC.
04-29-2010 08:40 AM
Zoran,
This is as expected. If your client is in one of the managed subnets, then by default the CAS sends out all traffic through its untrusted interface. That's why, when you're already authenticated and you try to access the CAS, the replies to those queries/attempts go out the untrusted interface and never reach your client.
HTH,
Faisal