NAC multiple issues

mshebelle
Level 1

1st question

I am trying to pass my wireless users through NAC. I have a Catalyst 3560 switch to which everything is connected, including the NAS, NAM, WLC and AP.

The problem is I can see the wireless users registered in the NAM, but they are unable to pick up an IP address. What could be the problem? I attached every configuration I did on the switch, WLC and NAM.

2nd question

How could I fix this error message?

[attached screenshot: error1.png]

1 Accepted Solution

Accepted Solutions

Lauren Sullivan
Level 1

1) On the Device Management > Clean Access Servers > Advanced > Managed Subnet page, uncheck "Enable subnet-based VLAN retag".  You don't need that checked to do VLAN mapping, and it breaks most networks.

2) There are two red nag messages.  One is complaining that you're using the temporary perfigo end entity certificate, and one that you have the temporary perfigo root in your trusted certificate authorities.  The only way to get rid of those messages is to get a CA-signed (non-perfigo) cert.  The reasoning behind this is that these certs are only meant for non-production environments, so if this is just a test network, you can just ignore them.


4 Replies

mecampr
Level 1

Looks like the trusted root for the CAM or CAS is not imported on the respective servers. ...

I.e. import the CAS's public root on the CAM and vice versa.


Yeah, Lauren, you were right. I needed to uncheck "Enable subnet-based VLAN retag", and now the agent pops up and it works fine.

What if I don't want to use the agent and would rather use the web login? What are the steps I need to follow? Does it automatically pop up like the agent does? Thank you very much btw... you really saved my day.

If the user is in the auth VLAN and opens up a browser, they should get redirected to the CAS login page.  For this to happen, you do need to make sure that whatever web address they're trying to go to is blocked in the unauth traffic policy - so if you had an "allow all" traffic rule in the unauth role for testing, make sure you remove it.
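The redirect behaviour described in the reply above depends on what the unauthenticated role's traffic policy does with the client's first HTTP request. The following simulation is an added example written for this page; it is not code from the thread or from Cisco NAC. It assumes rules are evaluated top-down with first match winning and that unmatched traffic is blocked (the page does not state this), and it constructs two sample policies: a leftover "allow all" testing rule, and a production-style policy that only permits DNS and the CAS itself. The `broad_allow_rules` lint flags allow rules wide enough to let web traffic out, which is exactly the condition that stops the login page from ever appearing.

```python
"""Unauthenticated-role traffic policy simulation (added example, not from the thread).

Assumptions not stated on the page: rules are evaluated top-down and the first
match wins; a flow matching no rule is blocked; a blocked HTTP request from a
client in the auth VLAN is what triggers the redirect to the CAS login page.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "block"
    proto: str                  # "tcp", "udp" or "any"
    dst: str                    # destination network in CIDR notation
    port: Optional[int] = None  # None matches every destination port

    def matches(self, proto: str, dst_ip: str, port: int) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.port is not None and self.port != port:
            return False
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)


def evaluate(rules: List[Rule], proto: str, dst_ip: str, port: int) -> str:
    """Action applied to one flow: first matching rule wins, otherwise block."""
    for rule in rules:
        if rule.matches(proto, dst_ip, port):
            return rule.action
    return "block"


def browser_outcome(rules: List[Rule], dst_ip: str, port: int = 80) -> str:
    """What an unauthenticated client's HTTP request to dst_ip gets."""
    if evaluate(rules, "tcp", dst_ip, port) == "allow":
        return "passes through, no login redirect"
    return "redirected to CAS login page"


def broad_allow_rules(rules: List[Rule]) -> List[int]:
    """Lint: indexes of allow rules that let web traffic reach any address.

    Such a rule (e.g. an 'allow all' left over from testing) means the client's
    browser request is never blocked, so the CAS login redirect never happens.
    """
    flagged = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if ipaddress.ip_network(rule.dst) != ANY_NET:
            continue
        if rule.proto in ("any", "tcp") and rule.port in (None, 80, 443):
            flagged.append(i)
    return flagged


# Constructed sample policies; the addresses are placeholders, not from the page.
TEST_POLICY = [Rule("allow", "any", "0.0.0.0/0")]  # "allow all" testing rule
PROD_POLICY = [
    Rule("allow", "udp", "10.10.10.53/32", 53),     # DNS so names still resolve
    Rule("allow", "tcp", "10.10.10.10/32", 443),    # the CAS, so the login page loads
    Rule("block", "any", "0.0.0.0/0"),              # everything else blocked -> redirect
]

if __name__ == "__main__":
    for name, policy in (("testing", TEST_POLICY), ("production", PROD_POLICY)):
        print(f"{name}: browser to 198.51.100.7 -> {browser_outcome(policy, '198.51.100.7')}")
        print(f"{name}: overly broad allow rules at indexes {broad_allow_rules(policy)}")
```

Run it as a script to see both policies evaluated; with the production policy a client can still resolve names and load the CAS login page, but any other web destination is blocked and therefore redirected, whereas the testing policy passes everything and the login page never appears.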
