NAC OOB logoff feature not working

Xavier Lloyd
Level 1

Hi all,

I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).

It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).

I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent

I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?

Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.

I appreciate your responses

~Xavier

12 Replies

Xavier Lloyd
Level 1

Here are my configs if necessary. Tell me if anything else is needed.

User Management > User Roles

List of Roles | Edit Role | Traffic Control | Bandwidth | Schedule

Disable this role
Role Name
Role Description
Role Type
*Max Sessions per User Account (Case-Insensitive Session Identifiers) (1 – 255; 0 for unlimited)
Retag Trusted-side Egress Traffic with VLAN (In-Band) (0 – 4095, or leave it blank) (*This option has been deprecated, and it will be removed in upcoming releases)
*Out-of-Band User Role VLAN (if left blank, it will default to the default access vlan settings in the Port Profile)
*Bounce Switch Port After Login (OOB): Enable / Disable (This option is effective only when port profile is set to use it)
*Refresh IP After Login (OOB): Enable / Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)
*After Successful Login Redirect to: previously requested URL / this URL: (e.g. http://www.cisco.com/)
Redirect Blocked Requests to: default access blocked page / this URL or HTML message:
*Show Logged-on Users: User info / Logout button
Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)
Re-assessment Interval (Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
Grace Timer (Minimum of 5 minutes and maximum of 30 minutes)
Default action on failure
(*only applies to normal login role)

Device Management > Clean Access

Certified Devices | General Setup | Network Scanner | Clean Access Agent | Updates
Web Login · Agent Login
User Role
Operating System (By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)

Enable OOB logoff for Windows NAC Agent and Mac OS X Agent (This global option applies to all OOB CASs and user roles and enables Agent logout and heartbeat timers for OOB Agent connections. You must also enable this option for Passive Re-assessment to function with OOB Agent connections.)
Require use of Agent (for Windows & Macintosh OSX only)
Agent Download Page Message (or URL):
Require use of Cisco NAC Web Agent (for Windows only)
Cisco NAC Web Agent Launch Page Message (or URL):
Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent
Restricted Access User Role:
Restricted Access Button Text:
Restricted Network Access Message:
Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
Network Policy Link:
Logoff NAC Agent users from network on their machine logoff or shutdown after ___ secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled) (Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
Refresh Windows domain group policy after login (for Windows only)
Automatically close login success screen after ___ secs (Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
Automatically close logout success screen after ___ secs (for Windows only) (Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)

The out of band logoff feature is now working. It wasn't working before because the host couldn't communicate with the NAC Server for some reason. I didn't change any config but now it works.

However, the VLAN Change detect IP refresh is still not working.

Thanks for your help.

Hi Xavier

How is the host communicating with the NAC server?

In OOB L2 VG, the agent is using the SWISS protocol (L2 8905 towards the default gateway or L3 8906 towards the discovery host), but the NAC server does not have an IP in your access VLAN; it only has a management address in another VLAN...

And the discovery host is commonly your CAM, so the agent won't reach your server on the trusted side.

Cisco says that ACL, PBR or VRF is the answer, but in an L2 OOB none of these solutions would work, because the NAC server only has a management address and no L3 connectivity to the access VLAN.

And if the discovery host should be used, how are multiple NAC servers supported??

Can the CAM tell the agent anything or forward the SWISS packets??

Am I missing something??

Regards Henrik

Hi Henrik,

At that time, for some strange reason I could ping the NAC Server from the host...I'm not sure how or why but now I can't anymore so I guess that wasn't the real reason.

Thinking about it, the NAC Server and the agent can't speak at all once I've authenticated because of the VLAN mapping and IP addressing. So it must be the NAC Manager that talks to the agent but I'm not sure.

I'd have to sniff my port to find out for sure but I don't know when I'll be able to do that because I'm doing some other testing with my machine and so my PC isn't configured for NAC at the moment.

Hi

Ok - but it is still working??

regards Henrik

Yes everything works except VLAN change detect on Windows Vista machines.

Things work fine on XP and Windows 7 but Vista gives a problem for some reason.

Aside from that, which I've learned to live with since I'm the only person in the office with Vista and I happen to be the NAC administrator, ipconfig /release && ipconfig /renew works just fine.

Ok.

When you rebooted the NAC servers, did you do this from within the CAM or did you just reboot from the CAS interface?

Can you still not ping the CAS server (certificate subject name) from your host??

Regards Henrik

When rebooting the NAC server I do it from the Manager interface because I can't communicate with the NAC Server from my computer at all. No HTTP, no ping, no nothing.

Ok, thanks

I'll try rebooting my CASs from the CAM, to see if this works (before I did it from a server VLAN directly on the CAS).

Do you run an HA setup (both CAS/CAM)?

Regards Henrik

No I'm not running HA.

What's your problem exactly though?

~ Xavier

My problem is that OOB logoff doesn't work.

When I enable OOB logoff on the CAM and reboot the CASs, and then do a " netstat -unl | egrep -w '890[12]' ", I don't see the CASs listening on UDP 8901/8902...

Does your CAS listen on those ports?

(and I still don't understand how the agent talks to the CAM/CAS (Cisco says it should be the CAS...))

Regards Henrik
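As an added example that is not part of this thread, here is a small POSIX shell check that covers both of Henrik's points above: the agent discovery ports he names (UDP 8905/8906) and the 8901/8902 listeners he expects after enabling OOB logoff. It parses a `netstat -unl` listing and reports which of those UDP ports have a bound socket. The listing embedded below is constructed sample output, not captured from a real CAS, and the port set is taken only from this thread.

```shell
#!/bin/sh
# Added example: check a `netstat -unl` listing for the UDP listeners this
# thread discusses. SAMPLE_NETSTAT is constructed sample output, not a real
# CAS capture; port 8902 is deliberately absent so the check has something
# to report.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:8905            0.0.0.0:*
udp        0      0 0.0.0.0:8906            0.0.0.0:*
udp        0      0 0.0.0.0:8901            0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Ports taken from the thread: 8905/8906 agent discovery, 8901/8902 OOB logoff.
NAC_UDP_PORTS="8905 8906 8901 8902"

# udp_listening LISTING PORT
# Exit 0 if LISTING shows a UDP socket whose local address ends in :PORT.
# The last colon-separated field is used so IPv6 wildcard entries (:::8905)
# are handled the same way as IPv4 ones.
udp_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "udp" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_oob_ports LISTING
# Print, one per line, each expected port with no UDP listener in LISTING.
# Always exits 0; the caller inspects the printed list.
missing_oob_ports() {
    for port in $NAC_UDP_PORTS; do
        if ! udp_listening "$1" "$port"; then
            echo "$port"
        fi
    done
    return 0
}

# Stand-alone run against the constructed sample.
for port in $NAC_UDP_PORTS; do
    if udp_listening "$SAMPLE_NETSTAT" "$port"; then
        echo "udp/$port listening"
    else
        echo "udp/$port NOT listening"
    fi
done
```

Against a live box the same functions take the real listing, e.g. `missing_oob_ports "$(netstat -unl)"`; an empty result means every port in the list has a listener, and anything printed is a port to chase before looking at the agent side.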

I can't access the console of either the NAC manager or server right now. I changed the password and forgot what it was and I haven't done the password recovery yet.

In the meantime, what operating system are you running on your host(s)?

(I don't really understand the communication either...I'll try to sniff my port and see what communication goes on)

Cheers

Xavier
