04-25-2008 07:47 AM - edited 03-09-2019 08:35 PM
When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
vmVlan.1 = 210
that works OK
Fa0/21, Fa0/22, Fa0/23
210 VLAN0210 active Fa0/1
211 VLAN0211 active
So SNMP RW works OK,
After the user logs in to the network the user should be put back into vlan 220 (according to the port profile settings) but nothing happens, no set command sent, no SNMP traffic at all. The user remains in AUTH vlan and the agent loops.
I have tried all the settings, role based, initial VLAN as well, to no avail.
Any ideas? What to check for?
Rafal
04-26-2008 04:04 AM
Hi Rafal,
Hopefully I can help, but I have some questions:
What do you mean when you say the agent loops? Does it keep trying to authenticate the user?
Is this a layer3 or layer2 configuration?
04-26-2008 07:00 AM
thanks for reply,
yes, precisely, because the user remains in the auth vlan, HTTP request is redirected to the CAS, even after the user was authenticated, passed posture validation and logged to the network.
it is layer 2 OOB with VG, basic setup just now, proof of concept actually.
Rafal
04-26-2008 08:06 AM
OK, I believe this is more of an authentication issue than an SNMP/VLAN issue, but it could be both so let's start with authentication and some more questions :)
Are you using a clean access agent to perform authentication that is installed on the local PC, or the web agent?
What type of authentication is occurring (AD SSO, LDAP, local)?
04-26-2008 09:40 AM
local authentication and I've been using web agent. the user seems to get authenticated and appears as an online user
04-26-2008 10:44 AM
Have you double checked your settings for mapping ports with the VG setup guide?
Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
04-29-2008 11:17 AM
Thanks for your help. The problem was with managed subnet config. The ip address was from the trusted access subnet but the vlan id should be the untrusted one (I put the trusted access one).
04-29-2008 11:42 AM
Good Job! NAC is tricky because it has so many moving parts.