07-22-2010 03:34 AM - edited 02-21-2020 04:02 AM
1st question
I am trying to pass my wireless users through NAC. I have a Catalyst 3560 switch to which everything is connected, including the NAS, NAM, WLC and AP.
The problem is I can see the wireless users registered in the NAM, but they are unable to pick up an IP address. What could be the problem? I attached every configuration I did on the switch, WLC and NAM.
2nd question
How could I fix this error message?
"
07-22-2010 05:25 AM
Looks like the trusted root for the CAM or CAS is not imported on the respective servers. ...
i.e., import the CAS's public root on the CAM and vice versa.
07-22-2010 07:12 AM
1) On the Device Management > Clean Access Servers > Advanced > Managed Subnet page, uncheck "Enable subnet-based VLAN retag". You don't need that checked to do VLAN mapping, and it breaks most networks.
2) There are two red nag messages. One is complaining that you're using the temporary perfigo end entity certificate, and one that you have the temporary perfigo root in your trusted certificate authorities. The only way to get rid of those messages is to get a CA-signed (non-perfigo) cert. The reasoning behind this is that these certs are only meant for non-production environments, so if this is just a test network, you can just ignore them.
07-23-2010 02:46 AM
Yeah, Lauren, you were right. I needed to uncheck the "Enable subnet-based VLAN retag" and the agent pops up and it works fine.
What if I don't want to use the agent and would rather use the web login? What are the steps I need to follow? Does it automatically pop up like the agent does? Thank you very much, btw... you really saved my day.
07-23-2010 05:32 AM
If the user is in the auth VLAN and opens up a browser, they should get redirected to the CAS login page. For this to happen, you do need to make sure that whatever web address they're trying to go to is blocked in the unauth traffic policy - so if you had an "allow all" traffic rule in the unauth role for testing, make sure you remove it.