Auth VLAN and Access vlan

rkazmierczak
Level 1

When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)

03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220

03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0

vmVlan.1 = 210

That works OK.

Fa0/21, Fa0/22, Fa0/23

210 VLAN0210 active Fa0/1

211 VLAN0211 active

So SNMP RW works OK,

After the user logs in to the network the user should be put back into vlan 220 (according to the port profile settings) but nothing happens, no set command sent, no SNMP traffic at all. The user remains in the AUTH vlan and the agent loops.

I have tried all the settings, role based, initial VLAN as well, to no avail.

Any ideas? What to check for?

Rafal
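As an added example (not from the thread or from Cisco), here is a small Python parser for the kind of "debug snmp packets" output quoted above. It pulls out the vmVlan set requests the CAM sends, groups them per ifIndex, and reports whether a port ever received the access-VLAN set after the auth-VLAN set. The sample input reuses the three lines from the post and adds constructed lines for a successful switch; the interface index, reqids and timestamps in the added lines are made up.

```python
"""Check Cisco IOS 'debug snmp packets' output for the NAC OOB VLAN switch.

Added example, not code from the thread or from Cisco. It assumes the IOS
debug format shown in the post: a 'Set request, reqid N' line followed by
one 'vmVlan.<ifIndex> = <vlan>' varbind line per port being moved.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first three lines mirror the post; the rest are made
# up to show what a successful auth -> access VLAN switch looks like.
THREAD_DEBUG = """\
03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
vmVlan.1 = 210
"""

SAMPLE_DEBUG = THREAD_DEBUG + """\
03:09:09: SNMP: Response, reqid 2144479366, errstat 0, erridx 0
vmVlan.1 = 210
03:12:41: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:12:41: SNMP: Set request, reqid 2144479367, errstat 0, erridx 0
vmVlan.1 = 220
"""

SET_RE = re.compile(r"SNMP: Set request, reqid (\d+), errstat (\d+)")
# vmVlan (CISCO-VLAN-MEMBERSHIP-MIB) is indexed by ifIndex: vmVlan.<ifIndex> = <vlan>
VMVLAN_RE = re.compile(r"^\s*vmVlan\.(\d+)\s*=\s*(\d+)\s*$")


@dataclass
class VlanSet:
    reqid: int
    if_index: int
    vlan: int


def parse_vlan_sets(debug_text: str) -> list[VlanSet]:
    """Return every vmVlan assignment carried by an SNMP Set request."""
    sets: list[VlanSet] = []
    current_reqid = None  # reqid of the Set request whose varbinds follow
    for line in debug_text.splitlines():
        m = SET_RE.search(line)
        if m:
            current_reqid = int(m.group(1))
            continue
        if "SNMP:" in line:
            # Any other PDU line (Response, Get, Packet received) ends the
            # varbind list of the Set request we were tracking.
            current_reqid = None
            continue
        m = VMVLAN_RE.match(line)
        if m and current_reqid is not None:
            sets.append(VlanSet(current_reqid, int(m.group(1)), int(m.group(2))))
    return sets


def check_oob_transition(sets: list[VlanSet], if_index: int,
                         auth_vlan: int, access_vlan: int) -> dict:
    """Summarise the VLAN sets seen for one port and whether the port was
    moved to the access VLAN after having been placed in the auth VLAN."""
    vlans = [s.vlan for s in sets if s.if_index == if_index]
    auth_seen = auth_vlan in vlans
    switched = auth_seen and access_vlan in vlans[vlans.index(auth_vlan) + 1:]
    return {"sets": vlans, "auth_set": auth_seen, "access_set": switched}


if __name__ == "__main__":
    for label, text in (("thread", THREAD_DEBUG), ("sample", SAMPLE_DEBUG)):
        result = check_oob_transition(parse_vlan_sets(text), 1, 210, 220)
        print(label, result)
```

Run against the three lines from the post, the result is auth_set True and access_set False, which is exactly the symptom described: the CAM placed the port in VLAN 210 and never sent the set for VLAN 220. Feeding it a longer debug capture after a login lets you tell quickly whether the CAM never tried (a CAM configuration problem, as it turned out here) or tried and got an SNMP error in the Response.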

7 Replies

gojericho0
Level 1

Hi Rafal,

Hopefully I can help, but I have some questions:

What do you mean when you say the agent loops? Does it keep trying to authenticate the user?

Is this a layer 3 or layer 2 configuration?

Thanks for the reply,

Yes, precisely: because the user remains in the auth vlan, the HTTP request is redirected to the CAS even after the user was authenticated, passed posture validation and logged in to the network.

It is layer 2 OOB with VG, a basic setup just now, proof of concept actually.

Rafal

OK, I believe this is more of an authentication issue than an SNMP/VLAN issue, but it could be both, so let's start with authentication and some more questions :)

Are you using a clean access agent to perform authentication that is installed on the local PC, or the web agent?

What type of authentication is occurring (AD SSO, LDAP, local)?

Local authentication, and I've been using the web agent. The user seems to get authenticated and appears as an online user.

Have you double checked your settings for mapping ports with the VG setup guide?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247

Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication

http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087

Thanks for your help. The problem was with the managed subnet config. The IP address was from the trusted access subnet but the vlan id should be the untrusted one (I had put the trusted access one).

Good Job! NAC is tricky because it has so many moving parts.