Layer 2 OOB NAC Issue

I had a weird problem last week: we moved one of our servers from Layer 2 in-band to Layer 2 OOB mode Virtual Gateway.  We set up 9 VLANs on the server and 3 of them worked perfectly; the other six did not.  Clients would get a valid IP address but our web splash page would not show up on the others.  All 9 were set up the same way, works on my test server.  We are running 4.7.0 on our Manager.  Any suggestions, or has anyone had this problem before?

Thank you for feeding information back to the community to benefit others.
That is the spirit...
PK

Similar Messages

  • NAC for wireless layer 3 oob

    Hi,
    Anyone implemented nac for wireless layer 3 oob? This is using nac appliance not ise.
    What I did is to configure wlc as per layer 2 oob setup. Configure svi 669 (authentication/quarantine vlan) on switches that’s with the wism. Pbr all vlan 669 traffic to test cas untrusted interface.
    Problem now I’m not able to get an IP from DHCP after associating. DHCP works when tested on wired. Is there any additional config to be done on WLC or am I doing it right??
    The test cas/cam are upgraded to ver 4.8.2.
    Regards
    Joachim

    Everyone can make a mistake and it seems I made a big one :-)
    L3 wireless OOB was not supported until the last version:
    - Wireless L3 OOB RIP has been introduced in 4.8.2.
    - In order to support wireless in L3 OOB RIP deployment – DHCP release and renew values were propagated from CAS to the client so that client can perform IP refresh.
    - The configuration of WLC and APs needs to be done like in Wireless L2 OOB VGW deployments.
    - There are no ports in WLC hence Port profile is not required
    - WLC allows only two VLANs namely Quarantine (Auth) and Access VLANs. Hence the support for User role VLANs is not there in Wireless deployments.
    - iPhone/iPad support is also not present. Reason being IP address cannot be refreshed in iPhone/iPad due to lack of support for Java Applet/ActiveX.
    - The authentication trap control needs to be checked in order for the WLC to send 599.0.4 trap.

  • Cisco NAC Layer 3 OOB Support for Wireless

    We are currently using NAC 4.7.2 and I am curious if Layer 3 OOB for Wireless users is on the roadmap. We have a WISM and 5500 controllers. Thanks.

    Hello,
    I know it's being worked on, but isn't in the near releases coming out soon. 4.8 is expected very soon and it's not in that release.
    So long story short, don't know, but it will be there eventually.
    HTH,
    Faisal

  • NAC 4.7.2 OOB SNMP issues

    Hello,
    I am setting up a NAC CAM and CAS 4.7.2 OOB setup in a test environment (NAC failover for CAM and CAS), and I am seeing some strange SNMP issues.  I am testing with a 3750 switch (12.2(53)SE1) using SNMP v2 and v3 since v3 and accessing the switch port configuration in the NAC manager is extremely slow.  I click OOB Management -> devices -> switch XXX and it takes several minutes for the port listing to display.  Then sometimes it comes up quickly but a 'show debug snmp' on the switch shows that it isn't polling the switch so it apparently starts pulling the ports page from cache, but I can see no logic in how it does this.
    Q1) When and why does the ports page pull cached info?
    Q2) Why are SNMP queries operating so slowly with NAC 4.7.2 OOB?
    Here is my test switch/NAC SNMP config (with pseudo names and fake passwords):
    snmp-server community switch_read ro   (matches OOB Management -> Profiles -> Device -> SNMP Read v2 settings)
    snmp-server view v1default iso included
    snmp-server user switch_write switch_group v3 auth md5 <my-password>  (matches OOB Management -> Profiles -> Device -> SNMP Write v3 settings)
    snmp-server group switch_group v3 auth read v1default write v1default
    snmp-server user cam_notify cam_group v3 auth md5 <my-password>
    snmp-server host 10.200.11.100 traps version 3 auth cam_notify mac-notification snmp  (matches OOB Management ->  Profiles -> SNMP Receiver v3 settings)
    snmp-server group cam_group v3 auth read v1default write v1default notify v1default
    What is wrong with my setup?  Any help is appreciated.

    Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...

  • NAC OOB config issue

    Dear fellows,
    I have installed CAM and CAS version 4.0.3 in OOB mode and am having this problem of the clean access agent repeatedly popping up even after successfully logging on to the server.
    Also the clients are always requested to download and install the clean access agent even when it is already installed in the system.
    After the successful log on I can see the respective client as successfully logged on to the system. Also the VLANs are correctly switched from Authentication to User VLANs, but still I'm repeatedly asked to log on to the system.
    Are these symptoms familiar to anybody? I would appreciate any idea to help me come out of this.
    Thanks.

    Insert the distribution CD-ROM that contains the CAM or CAS .iso file into the CD drive of the installation server machine.
    Connect to the machine directly with a keyboard and monitor, or by terminal emulation console over a serial connection.
    Reboot the machine. The installation script starts automatically after the machine restarts.
    At the "boot:" prompt, type custom and press Enter.
    The program will prompt you for the driver diskette, then the update diskette. The installation then proceeds normally.

  • AD SSO NAC issue

    Dear All,
    1) I have configured AD SSO and users get authenticated. But when the user puts his credentials in Windows machines, it takes a minimum of 5 minutes for the person to log in and also for the NAC agent to pop up. I disabled the ADSSO and the user can log in in less than 1 minute. Any way to solve this issue?
    2) On a single CAS server, I am using it for both wired and wireless. Wired supports ADSSO with LDAP. Can I use ADSSO with LDAP for Wireless? I have deployed the Servers with L2 OOB VGW
    Please guide me
    Prasanth Mathews

    Sorry I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both are pointed to the same domain controller. The reason I created the Kerberos is for allowing user to login through web login for downloading agent at the first time. After that, AD SSO will be used for authenticating.
    Anyway, the problem is if user, laptop, does not login to the domain, the agent dialog will display and still allow user to login via the Kerberos. I do not want it to work like this. What can I do? Please advise.
    Thanks,
    Nitass

  • List of Values in Data foundation Layer Bi 4.0 Issues?

    I have an issue surrounding list of values’ created in the data foundation layer created using SQL. 
    The LOV can be associated with an object within the business layer. The business layer is then saved and closed, however on re-opening the association with the LOV is now displaying an error.
    We are currently on patch 15 of sp2,  are you aware of any issues using LOV from the data foundation layer. 

    This has now been fixed in sp4.

  • SharePoint 2013 OOB workflow issue

    Hi,
    We are having issue with OOB workflow as below. Any help?
    Thanks
    srabon

    if you click on the "show error details", what details you getting?
    check this link for same kind of information....check the last
    comment at the end
    Also check this blog, how to fix this error.
    http://blogs.microsoft.co.il/lior/2012/03/29/sharepoint-workflows-the-specified-form-template-could-not-be-found/
    Please remember to mark your question as answered & vote helpful, if this solves/helps your problem. Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

  • Ctrl Layer vs Marquee Selection Issue

    Ok so my problem is that I have one layer filled with blue a second layer a third the size filled with white.
    I control click the thumbnail of the white layer (second layer) to get precise size then click the blue layer (with the marching ants still moving) and hit delete.
    Ok now that part of the blue layer is gone, which is what I wanted but when I hit control T for transform of the blue layer it now includes the deleted area not just the remaining blue.
    I know right?
    But when I marquee over the blue layer where the white is and then hit delete it removes that selection and now when I control T it conforms to the blue not including the deleted area.
    But I fear I won't get a precise selection and this is why I like doing it the first way.
    I have been doing this for years and using PS since version 3 and today I have an issue.
    I reset my pref. and tool reset all. Nothing else is acting strange just this.
    I am on a windows 64bit system.
    Many thanks for any input.

    It's a wee bit tricky following your post, which is probably why it has gone so long without an answer up till now.
    I never like making holes in layers because it is so permanent.  I would place the blue layer above the white BG, ctrl click the layer with the shape I wanted, then add a layer mask to the blue layer.  That way I can edit the mask to control the hole.   You can unlink the mask, and FT the mask, or layer separately etc.
    I'd also leave the white layer even if not being used, because I could come back and load it as a selection at any time by ctrl clicking it.  I find this flexible and fast, and much better than saving alpha channels.
    If I am going in the wrong direction here then I can only say sorry, but as I said, it was tricky following your post with my tired old eyes.

  • Access Point Switchport configuration for OOB NAC

    Hello.
    Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing access points. Should I configure this with trusted or untrusted VLAN? I know all traffic from wireless clients goes to WLC through a CAPWAP tunnel, but I am not really sure on the Out of Band deployment which access VLAN should be for access points.
    Greetings.

    Just to add again to another one of Steve's posts :)  You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egress out of the WLC.  So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 VLAN, VLAN29, which hits the NAC untrusted and if remediation is good, then placed in VLAN30.  Makes sense?
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Layer Style - Zoom In Issue

    I have a jpg image in AE CS3 - I used a layer style - stroke of about 10 pixels to make it look like it had a white border.
    When I put the image into 3d space and zoom move it further into z space, the stroke gets very big - as I zoom in the stroke gets smaller.
    How can I make the stroke appear to stay the same size? I'm zooming in and out with a camera.
    Thanks!

    I've found a solution for this...I put my jpeg into a pre-composition and moved all of its attributes to the new composition. The stroke now stays in place.

  • NAC issue with DHCP

    There are a few computers in the building that when they start I have to do a repair in the connection. If I put those same computers in the admin VLAN (doesn't go through NAC) I don't need to do the repair. I think something is blocking in the unauthenticated role. But the rare thing is that I'm allowing the DHCP and Active Directory servers on the unauthenticated role.

    The "Enable VLAN Pruning" option is enabled by default for CAS Virtual Gateways. Make sure that "Enable VLAN Pruning" is turned off when "VLAN Mapping" is disabled. Turning the "Enable VLAN Pruning" option on when the "VLAN Mapping" option is disabled can cause the CAS to discard all VLAN packets from passing through in either direction.

  • NAC Issue

    Hi
    I want to set up clients that access the network with default IP, gateway and webpage startup. Could I use NAC to do this?
    thanks

    Hi,
    You can use DHCP server to assign IP address, gateway and possibly other attributes (DNS server ...)
    NAC can do webpage redirect, but only as a tool serving to assess/remediate connecting client/s.
    What is your intention in doing webpage redirect?

  • L3 OOB NAC Server loadbalanced by ACE

    Hi is there any documentation or information on NAC server loadbalance by cisco ACE? I want to know typically how is the setup like and what is the traffic flow? is there a way to configure NAC clients to talk to the NAC directly after being loadbalanced by the ACE? meaning traffic flow going
    users>ACE>NAC Server Untrusted interface>user <---- during authentication
    instead of
    user>ACE>NAC Server Untrusted interface>ACE>user.

    Adrian,
    I've seen some internal documents on this. Please ping your account team and they can possibly help you out with the design for this.
    HTH,
    Faisal

  • Cisco NAC: Issue for the Wireless Users being assigned "Un-Authenticated Role" to stop accessing the Network !!!

    Hi,
    I am looking for a solution to deal with the wireless NAC users being authenticated (Web Login Only) from a particular AD group. The mapped users get into a particular role and access VLAN but un-mapped users get the default role which is "Un-Authentication Role" but also get the same Access VLAN. So, the unwanted users also get the same access, which is undesired.
    I tried one solution, which is, I put those users into a role named "Deny_Role" and enabled a Timer of 1 minute (least Time) on it, which seems to be working but I can see that the user is disconnecting (session timeout) after 3 or 5 minutes. I want to limit this but again, I do not find this an appropriate solution.
    We could deal with wired users easily, bounce the port and get them again in "Unauthenticated Role" and VLAN will be "Un-Auth VLAN" with no network access or redirect them into a particular role with a specific VLAN. But, this is not valid in case of "Wireless Users".
    So, I am looking for a solution to deal with the wireless users in this situation...
    Please advise or give an idea.
    BR,
    Mubasher Sultan

    Hi,
    Any idea or suggestion...
    BR,
    Mubasher Sultan
