Here is troubleshooting steps for the Cisco NAC Appliance (Clean Access) Login Issue follow the procedure it may help you
What actually happens when you open a browser on the client - do you get allowed through to the page you are trying to access, or does it just time out completely and never bring up a login page?
If it brings up the page you are trying to goto instead of the login page then there could be two issues:
1) Traffic not blocked in unauthenticated role. Make sure you don't have a host or IP based rule allowing traffic (or a filter for the client's IP or MAC).
2) Traffic not being sent into CAS - ensure that the trunking (for L2 mode) or the Policy Based Routing (for L3 mode) is configured to correctly dump all the clients traffic into the untrusted CAS interface.
If the page is just timing out completely, then you would want to check the following:
1) Does the CAS have a route back for the client range - in L2 mode this is configured on the CAS as a Managed Subnet. In L3 mode it is configured on the CAS as a Static Route (all under the Advanced tab when managing the CAS from the CAM GUI).
2) Does the client have name resolution for the site you are trying to reach? If not it will never send out an HTTP GET request and thus the CAS will never try to redirect the client. Try an nslookup from the client. If it doesn't work ensure that you allow udp/53 in your unauthenticated role traffic policies. The client will also have to resolve the name in the CAS certificate, so if that certificate is issued to a name, ensure that is in your DNS server as well.
thanks for your Mail.
This problem solved,the issue was switch limitation and not NAC problem.I
was using 3550 switch.
On Wed, Sep 8, 2010 at 5:33 PM, naaustin <