Core issue
This error is received when the Port profile is not set to User Role VLAN.
Resolution
For a workaround, follow these steps.
Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
- Choose Management > Auth Servers and set Auth Type to Active Directory SSO.
- Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
- Choose User Management > User Roles, select the role (vencorp) and click Edit.
- Set the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be in).
- Save the role.
- Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
- Change the Access VLAN to User Role VLAN and click Update.
- Log in through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.
For more information, refer to the Clean Access Manager Installation and Configuration Guide for the Cisco NAC Appliance (Clean Access).