NAC in-band user logout issue

vladimir.agafin
Level 1

I'm trying to deploy Cisco NAC in-band and I've got the following issue:

- if the user tries to log out (whether logged in via web or via the Cisco NAC Agent), logs off Windows, or shuts down the PC, nothing happens: the user is still shown on the Online Users page and has access to everything.

The only error messages I found on the CAM were in the Apache log:

192.168.12.14 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key=192.168.12.14_699SZJNZ84VWG95I HTTP/1.1" 400 -
192.168.12.14 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -

Could someone help me with it?
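The two Apache lines above are the only evidence the CAM gives that the logout never took effect: a 400 on the logout endpoint means the session entry was not removed, so the IP stays authorized. The following script is an added example, not code from the original post or from Cisco: it parses Apache common-log lines of that shape, decodes the URL-encoded POST target (`client%5flogout%2ejsp` is `client_logout.jsp`), and reports every logout request that did not succeed together with the `user_key` (which embeds the client IP), so an operator can go and force-remove those sessions from the Online Users list. The sample log is constructed from the two lines on the page plus one made-up successful logout and one unrelated request; the endpoint names are taken from the page, everything else is an assumption.

```python
import re
from urllib.parse import unquote

# Apache common log format, the shape of the lines quoted from the CAM log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Logout endpoints seen on the page (web logout and NAC Agent logout).
LOGOUT_PAGES = {"/auth/perfigo_logout.jsp", "/auth/client_logout.jsp"}

# Constructed sample: the two real lines from the post, a made-up successful
# logout (assumed 200) and an unrelated request that must be ignored.
SAMPLE_LOG = [
    '192.168.12.14 - - [11/Feb/2010:10:04:37 +0300] "GET /auth/perfigo_logout.jsp?user_key=192.168.12.14_699SZJNZ84VWG95I HTTP/1.1" 400 -',
    '192.168.12.14 - - [11/Feb/2010:13:33:32 +0300] "POST /auth/client%5flogout%2ejsp HTTP/1.1" 400 -',
    '192.168.12.20 - - [11/Feb/2010:13:40:01 +0300] "GET /auth/perfigo_logout.jsp?user_key=192.168.12.20_ABCDEFGHIJKLMNOP HTTP/1.1" 200 512',
    '192.168.12.20 - - [11/Feb/2010:13:40:05 +0300] "GET /auth/perfigo_weblogin.jsp HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    raw_path, _, query = rec["path"].partition("?")
    # %5f / %2e in the POST target hide the page name; decode before comparing.
    rec["path"] = unquote(raw_path)
    rec["query"] = query
    rec["status"] = int(rec["status"])
    return rec


def query_param(query, name):
    """Pull one parameter out of a raw query string without a web framework."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None


def failed_logouts(lines):
    """Logout requests that returned an error status: sessions still online."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in LOGOUT_PAGES:
            continue
        if rec["status"] >= 400:
            found.append({
                "client": rec["ip"],
                "when": rec["ts"],
                "page": rec["path"],
                "method": rec["method"],
                "status": rec["status"],
                # Only the web logout carries user_key; agent POSTs do not.
                "user_key": query_param(rec["query"], "user_key"),
            })
    return found


if __name__ == "__main__":
    for hit in failed_logouts(SAMPLE_LOG):
        print(f"{hit['when']}  {hit['client']}  {hit['method']} {hit['page']} "
              f"-> {hit['status']}  user_key={hit['user_key']}")
```

Run it against the CAM's Apache access log instead of `SAMPLE_LOG` to get the list of clients whose logout the CAM rejected; each of those IPs should be checked against the IB Online Users page and kicked out manually until the root cause is found.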

4 Replies

Faisal Sehbai
Level 7

Vladimir,

Need more info. What sort of setup is it? Versions (agent/CCA)? VGW/RIP? L2/L3? Any SSO? Please post your network diagram (both L2 and L3) and the CAM/CAS logs.

Thanks,

Faisal

Faisal,

here is the info you requested:

- it's an L3 setup; the CAS is the Real-IP gateway for the user networks;

- the CCA version is 4.7.2, the agent version is the latest, and the user's workstation runs Windows XP;

- authentication is via the CAM's local DB, no SSO.

Can't post any diagram now, can do it tomorrow.

In the CAM's event log I can see that the user successfully logged in, but after I press the Log out button there is nothing.

No traffic is blocked between the agent, CAS and CAM.

Regards,

Vladimir

Vladimir,

Okay. Please post the network diagram and your CAM/CAS logs with the times when you ran the tests, and also the client logs from the client itself.

Thanks,

Faisal

Faisal,
I have the same problem with my customer.

  • What I have: In-Band, Virtual IP Gateway (L3 deployment), 4.7.2
  • 1 CAM installed in the central site
  • 1 CAS installed in the central site
  • All traffic from the remote sites passes through the CAS in-band (inline VLAN 563 to access VLAN 63 in the central site)

Some configurations about timers:

User Management / User Role / Schedule / Heartbeat Timer
Enable Heartbeat Timer: Enabled

Log Out Disconnected Users After: 5 minutes


Device Management / Clean Access / General Setup / Agent Login

User Role: "Remote users"
Operating system: "all"

Enabled: Logoff NAC Agent users from network on their machine logoff or shutdown after "1 minute" (for Windows & In-Band setup)

Next we see a user who logged out of the network but is still in the "IB - Online Users" list. If another user connects to the network and gets the SAME IP address, that user does not need to authenticate, because the IP address is still in the list, so the user can access the whole network normally.

Can you help with this problem?

Tks a lot.
