cisco nac ADSSO issue

narges3707
Level 1

Hi,

I implemented Cisco NAC 4.9 in our environment as OOB VG L2 with ADSSO integration.

Before ADSSO was implemented, everything had worked correctly.

I have an unauthenticated VLAN and an access VLAN that have different IP ranges. When I do not have ADSSO started, clients are put in the access VLAN after posture assessment, and with the DHCP release/request feature the IP address range changes based on the access VLAN. When the client pushes the log out option in the NAC agent, the client returns to the unauthenticated VLAN and the IP address changes again.

But with ADSSO I have 2 problems:

1. When my domain users log in to the domain, the LOG OUT option on the Cisco NAC agent becomes greyed out and they cannot log out, so they have to log off the domain to come back to the unauthenticated VLAN.

2. When the client comes back to the unauthenticated VLAN, the IP address never changes; I mean they are put in the unauthenticated VLAN with the access VLAN IP address.

What should I do for these situations? Is it normal that domain users cannot log out via the NAC agent?

Thanks,

1 Reply

Tarik Admani
VIP Alumni

Here are your answers in line:

1. When my domain users log in to the domain, the LOG OUT option on the Cisco NAC agent becomes greyed out and they cannot log out, so they have to log off the domain to come back to the unauthenticated VLAN. With ADSSO the login and logout commands are unavailable because this is how ADSSO works. If you are on the domain and in a clean access environment you will be logged in automatically. Below is the link that covers this behavior.


http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_cca.html#wp1095060

2. When the client comes back to the unauthenticated VLAN, the IP address never changes; I mean they are put in the unauthenticated VLAN with the access VLAN IP address.

You will have to modify the XML file in order to enable the VLAN detect option; this requires the agent to be installed and running. You can pull the NACAgentCFG.xml from the workstation and change the "0" value. You can set this value to 3, so you won't have issues with IP conflicts anymore.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376

Thanks and please remember to rate helpful posts.

Tarik Admani
*Please rate helpful posts*
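The XML edit suggested in the reply above, as an added example that is not from the thread or from Cisco: it changes the VLAN-detect value from "0" to 3 in a constructed NACAgentCFG.xml sample, refuses to touch a value that is not "0", and keeps a .bak copy when editing a real file. The element name `VlanDetectInterval` is an assumption; the reply does not name the setting, so check the linked agent configuration guide for the exact element before using this on a workstation.

```python
import shutil
import xml.etree.ElementTree as ET

# ASSUMPTION: the thread only says "change the 0 to 3"; it does not name
# the XML element, so this name is a placeholder to verify against the docs.
VLAN_DETECT_ELEMENT = "VlanDetectInterval"

# Constructed sample of an agent config with VLAN detection disabled ("0").
SAMPLE_CFG = """<cfg>
  <DiscoveryHost>cam.example.local</DiscoveryHost>
  <VlanDetectInterval>0</VlanDetectInterval>
</cfg>
"""


def set_vlan_detect(xml_text: str, new_value: int = 3) -> tuple[str, bool]:
    """Return (updated_xml, changed).

    Only rewrites when the element exists and currently holds "0"
    (disabled), so running it twice is a no-op and a value an admin
    already tuned is never silently overwritten.
    """
    if new_value < 1:
        raise ValueError("new_value must be a positive interval")
    root = ET.fromstring(xml_text)
    node = root.find(VLAN_DETECT_ELEMENT)
    if node is None:
        raise KeyError(f"{VLAN_DETECT_ELEMENT} not found in config")
    if (node.text or "").strip() != "0":
        return xml_text, False
    node.text = str(new_value)
    return ET.tostring(root, encoding="unicode"), True


def current_value(xml_text: str) -> str:
    """Read back the VLAN-detect value ("" if the element is missing)."""
    node = ET.fromstring(xml_text).find(VLAN_DETECT_ELEMENT)
    return (node.text or "").strip() if node is not None else ""


def update_file(path: str, new_value: int = 3) -> bool:
    """Edit NACAgentCFG.xml in place, keeping a .bak copy of the original."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated, changed = set_vlan_detect(original, new_value)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    return changed
```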
