Showing results for 
Search instead for 
Did you mean: 

Ask the Expert- SD-WAN


Cisco NAC Agent pop up twice (Login twice)

Dear All:

We have NAC  version 4.8.0 and the agent version is The deployment type is Out-Of-band virtual gateway. Windows SSO is enable and working as a champion but the problem is when the agent successfully login the users the CAM logs out it after a while (NAC agent pop up again) I found that the switch port is changed back to the unauthenticated VLAN by the CAM and then to the access VLAN.

The host under testing: IP, MAC 78:E7:D1: CD: D8:8A and the switch port is 10048 (FA0/48)

The log for kicking out the user is:

2011-03-09 13:15:30.450 +0300 [Timer-199783] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager     - DLIM: delete DLI for from CAS user_key=''

2011-03-09 13:15:30.451 +0300 [Thread-334356] DEBUG c.p.wlan.web.admin.DelayedOobLogoutInfoManager     - DLIM: userip = = 78:E7:D1:CD:D8:8Auserkey = user_key=''

And the log for login is:

2011-03-09 13:15:57.335 +0300 [TP-Processor24] TRACE com.perfigo.wlan.web.sms.SnmpTimerTask             - SnmpTimerTask com.perfigo.wlan.web.sms.task.SwitchCertifiedTask id=2004989 is created: set port [10048] to Access VLAN [308] on switch [] for [78:E7:D1:CD:D8:8A]

I don’t know the meaning of “DLIM: delete DLI for from CAS” and why this is happening. Would you please help?

Attached log file.

Everyone's tags (4)

Re: Cisco NAC Agent pop up twice (Login twice)


Maybe my answer will help you.

So, I had a similar problem with my Out-of-Band Real-IP-Gateway deployment. The reason was that NAC agent was still commnicating with untrusted interface of the NAC server, after logging in with Windows AD login/password. And of course, NAC agent pop up again, after client successfully looged in with active directory login\password, and his computer were transferring from "auth" vlan to "access" vlan.

Cisco experts says, that it's better to brake communication between NAC agent and NAC server, if the client machine is in access vlan. You can implement, for example, an access-list for "access" vlan. The goal of that access-list is to deny all packets destined for NAC server, and permit all other packets.