We've got an L3 real-IP OOB implementation.
One of the roles uses web login authentication and VLAN change based on user role. The users are able to authenticate, but the pop-up showing the session time and the logout button doesn't appear.
Does the pop-up work in an L3 OOB implementation? Are there any special requirements for the pop-up?
If users can't log out manually, the switch ports are not moved back to the authentication VLAN, so we have to wait for the certified devices timer (once per day for roles based on web authentication).
Is there any workaround for logging out users or moving ports back to the authentication VLAN (apart from the NAC Agent or NAC Web Agent)?
In pre-4.8 setups, there's no logout button. Basically, the design then was that once the user was in the access VLAN, they should no longer communicate with the CAS, and if they can't communicate with the CAS, they can't log themselves out. If the devices are directly plugged into the switch port, you can use SNMP linkdown traps to remove them from the OUL, but if they're behind another device like an IP phone, pretty much the only option is to use a CDL timer.
4.8 introduced the OOB logoff feature, which will work as you described - that is, users stay in communication with the CAS even in the access VLAN, and can log themselves out either through the agent or by logging off of Windows. Here's some more information on that: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp1105594
Thanks for your answer.
We are using 4.8 and we've implemented the OOB logoff feature, and it's working as expected. The problem is that the feature is for users or roles with the NAC client.
My question was regarding a role based on web authentication (without a client). I think the only way to log out those users is using the logout feature from the pop-up. But that pop-up is not shown to the users. Should it appear to the users, or is it just an inline feature?