Showing results for 
Search instead for 
Did you mean: 

NAC 4.7.1 L3 OOB - Temporary Role bugs ?


We have a L3 OOB routed gateway configuration (with redundant CAS and CAM), We are currently running 4.7.1 on the appliances and the agent is 4.7.10.

We have experienced two problems:

1. On several occasions we can abort a valid logon, but can still be allowed access to the network 'silently' ;

a - without any indication on the CAM i.e. no online users, no certified devices
b - the switch is still in the 'unauthenticated vlan' and the
c - ip address of the client is on the 'untrusted' subnet.
d - the 'unauthenticated' policy DOES NOT ALLOW web traffic.

It would seem that the user is able to trick the system by aborting the logon with the agent i.e. closing the window etc, (the login credentials are
correct and posture fails on an optional check and so amber) but the system DOES NOT show the user at all.

The Temporary role does allow full access, if I disable the policy rule the traffic is stopped.

The problem is there is no indication of this user on the system at all, this happens a couple of times a week.

2. When a user is genuinely placed into a TEMPORARY role (as indicated by the system, note: not the same as above),
about 50% of the time communication is blocked even though the policy allows it (repeated challenges by NAC).

Close the agent and do it the second time and it will work.

I think the symptoms are related as they both seem to be related to the usage of the TEMPORARY ROLE - has anyone else seen this bug ?