cisco nac ADSSO issue

Hi,

I implemented Cisco NAC 4.9 in our environment as OOB VG L2 with ADSSO integration.

Before ADSSO was implemented, everything had worked correctly.

I have an unauthenticated VLAN and an access VLAN that have different IP ranges. When I do not have ADSSO started, clients are put in the access VLAN after posture assessment, and with the DHCP release/request feature the IP address range changes based on the access VLAN; when the client pushes the log out option in the NAC agent, the client returns to the unauthenticated VLAN and the IP address changes again.

But with ADSSO I have 2 problems:

1. When my domain users log in to the domain, the LOG OUT option on the Cisco NAC agent becomes greyed out and they do not log out, so they have to log off the domain to come back to the unauthenticated VLAN.

2. When the client comes back to the unauthenticated VLAN, the IP address never changes; I mean they are put in the unauthenticated VLAN with the access VLAN IP address.

What should I do in these situations? Is it normal that domain users cannot log out via the NAC agent?

Thanks,

Advocate

cisco nac ADSSO issue

Here are your answers inline:

1. When my domain users log in to the domain, the LOG OUT option on the Cisco NAC agent becomes greyed out and they do not log out, so they have to log off the domain to come back to the unauthenticated VLAN. With ADSSO the login and logout commands are unavailable because this is how ADSSO works. If you are on the domain and in a Clean Access environment you will be logged in automatically. Below is the link that covers this behavior.


http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_cca.html#wp1095060

2. When the client comes back to the unauthenticated VLAN, the IP address never changes; I mean they are put in the unauthenticated VLAN with the access VLAN IP address.

You will have to modify the XML file in order to enable the VLAN detect option; this requires the agent to be installed and running. You can pull the NACAgentCFG.xml from the workstation and make the change to the "0". You can set this value to 3, so you won't have issues with IP conflicts anymore.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376

Thanks and please remember to rate helpful posts.

Tarik Admani
*Please rate helpful posts*
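As an added example (not part of the original thread, and not Cisco's own tooling), here is the edit the reply describes done with a script rather than by hand: parse a NACAgentCFG.xml, change the VLAN-detect interval from the disabled value 0 to the requested number of seconds, and read the value back to confirm the change. The element name VlanDetectInterval and the contents of the sample file are assumptions constructed for the example; confirm the element name and the accepted range of values for your agent version against the Cisco documentation linked in the reply before rolling the file out, because documented ranges differ between agent releases.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Cisco NAC Agent NACAgentCFG.xml.
# The element names (VlanDetectInterval, RetryDetection, ...) are an
# assumption for this example, not copied from the thread; check them
# against the file pulled from your own workstation.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <VlanDetectInterval>0</VlanDetectInterval>
  <RetryDetection>3</RetryDetection>
  <PingArp>0</PingArp>
  <DiscoveryHost>10.0.0.1</DiscoveryHost>
</cfg>
"""

VLAN_DETECT_ELEMENT = "VlanDetectInterval"  # assumed element name


def read_vlan_detect(xml_text):
    """Return the current VLAN-detect interval as an int (0 = disabled),
    or None if the element is absent or empty."""
    root = ET.fromstring(xml_text)
    node = root.find(VLAN_DETECT_ELEMENT)
    if node is None or node.text is None or not node.text.strip():
        return None
    return int(node.text.strip())


def set_vlan_detect(xml_text, seconds):
    """Set the VLAN-detect interval and return (old_value, new_xml_text).

    seconds must be a non-negative int. 0 disables VLAN detection, which is
    the state the original poster is in: the agent never notices the move
    back to the unauthenticated VLAN, so the access-VLAN lease is kept.
    """
    if not isinstance(seconds, int) or seconds < 0:
        raise ValueError("interval must be a non-negative integer number of seconds")
    root = ET.fromstring(xml_text)
    node = root.find(VLAN_DETECT_ELEMENT)
    old = None
    if node is None:
        # Element missing entirely: add it rather than silently doing nothing.
        node = ET.SubElement(root, VLAN_DETECT_ELEMENT)
    elif node.text and node.text.strip():
        old = int(node.text.strip())
    node.text = str(seconds)
    declaration = '<?xml version="1.0" encoding="UTF-8"?>\n'
    return old, declaration + ET.tostring(root, encoding="unicode") + "\n"


def patch_file(path, seconds):
    """Rewrite the XML file at path in place; returns the previous value."""
    with open(path, "r", encoding="utf-8") as fh:
        old, new_text = set_vlan_detect(fh.read(), seconds)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return old


if __name__ == "__main__":
    # Demonstrate on the constructed sample with the value the reply suggests.
    old, patched = set_vlan_detect(SAMPLE_CFG, 3)
    print(f"{VLAN_DETECT_ELEMENT}: {old} -> {read_vlan_detect(patched)}")
    print(patched)
```

Run it first against a copy of the file pulled from one workstation, diff the output against the original so that only the one element changed, and then distribute the file the way the linked agent configuration document describes rather than hand-editing every client.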