NAC 4.7.1 L3 OOB - Temporary Role bugs?

Hi
We have an L3 OOB routed gateway configuration (with redundant CAS and CAM). We are currently running 4.7.1 on the appliances and the agent is 4.7.10.
We have experienced two problems:
1. On several occasions we can abort a valid logon, but still be allowed access to the network 'silently':
a - without any indication on the CAM, i.e. no online users, no certified devices;
b - the switch is still in the 'unauthenticated vlan', and
c - the ip address of the client is on the 'untrusted' subnet;
d - the 'unauthenticated' policy DOES NOT ALLOW web traffic.
It would seem that the user is able to trick the system by aborting the logon with the agent, i.e. closing the window etc. (the login credentials are correct and posture fails on an optional check, and so amber), but the system DOES NOT show the user at all.
The Temporary role does allow full access, if I disable the policy rule the traffic is stopped.
The problem is there is no indication of this user on the system at all, this happens a couple of times a week.
2. When a user is genuinely placed into a TEMPORARY role (as indicated by the system, note: not the same as above),
about 50% of the time communication is blocked even though the policy allows it (repeated challenges by NAC).
Close the agent and do it the second time and it will work.
I think the symptoms are related, as they both seem to be related to the usage of the TEMPORARY ROLE - has anyone else seen this bug?

Hi,
You said not to configure a quarantine vlan, but by the time the users get connected, how is the process for the authentication (quarantine) and access vlan going to work??? I mean, how is it going to perform the nac process, and how do you control what happens if it fails (not in compliance) or if it succeeds??
It seems that the version 4.9(1) has the integration, but is not so clear:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_woob.html#wp1139585
What versions were you running in your deployment?

Similar Messages

  • How to get Clean Access (NAC) reports about users stuck in Temporary role?

    I am using Clean Access 4.7.2.
    If a user does not meet a requirement and is unable to remediate, he is stuck in the Temporary role.
    I checked the "Device Management > Clean Access y Reports" but this does not show any user with failed status with red flag.
    The report shows successful connection with green flag only.
    How can I obtain report on the CAM about failed checks?
    Thanks
    Csaba

    We had this problem and were told to press Cancel (and then confirm) in the top right corner of the Agent after failing posture assessment. When we did that, the complete report showed up in CAM within seconds and could then be used to manually remediate the machine.
    Hope that helps!

  • NAC 4.7 "CAS unavailable" temporary role

    I have a VGW, OOB with layer 3 enabled pilot deployment right now. Everything looks fine. However, about 30% of the time (and it's increasing) when I log on using the 4.7 agent, the agent will give me the error that the cas is unavailable on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role. (highlighted quarantined)
    When I kick the user, more often than not, the user can log back in and it places him in the oob role that he is assigned to and all works fine.
    core switch -----------cas/cam
         |
    distribution switch
         |
    End user switch---------end user pc
    Any ideas as to why when placed in the temp role transitioning to the authenticated role it would lose contact???? and why would it be placed in the in-band section of the monitoring online users?

    The cn name on the cas was indeed wrong. The IP address was that of the CAM.
    However, that still hasn't fully fixed the problem.
    I took all the checks away from the auth role assigned and it seems to fix the problem.
    Yes, Faisal all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each vlan on the switch, apart from the Auth vlans have a SVI.
    ie. on the core switch:
    interface GigabitEthernet2/28
     description trusted
     no ip address
     switchport
     switchport trunk native vlan 997
     switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298 >>>Access Vlans
     switchport mode trunk
    interface GigabitEthernet2/29
     description untrusted
     no ip address
     switchport
     switchport trunk native vlan 996
     switchport trunk allowed vlan 9,10,20,30,40,50,60,400 >>>> Auth Vlans
     switchport mode trunk
    Example SVI for access VLANs:
    interface Vlan110
     description StaffLowerPT
     ip address 1.1.1.1 255.255.255.0
     ip helper-address 1.1.1.4
     ip pim sparse-dense-mode
     ipx network 8
    No SVIs for auth vlans.
    I remember reading somewhere that if no checks are done (ie if the agent is not running any rules on it) then it moves straight from authentication (phase 1) to authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?
    I have a AV check rule, and two sus/WSUS rules.

  • NAC Temporary Role

    Folks, I am configuring the NAC CAM 4.7.1 and I created two roles, Employ1 and Employ2, but when those roles go into posture assessment with CCAA (Clean Access Agent) I saw that role Employ1 falls into the Temporary role and Employ2 falls into the Unauthenticated role. I don't know why that difference.
    I want to put each profile with a specified quarantine role. How can I do this?
    thanks a lot

    Hi Faisal,
    thanks for your attention.
    Well, I saw that when I put requirements on Employ1, for example a WSUS requirement, and the client needs to update, that client falls into the Unauthenticated role, while Employ2 with the same WSUS requirement falls into the Temporary role.
    This way I had to generate ACLs in both roles, Unauthenticated role and Temporary role.
    thanks

  • Cisco NAC - How know why a machine is in Temporary Role?

    Hello,
    In our environment, workstations that do not conform with the requirements remain under Temporary Role until the remediation is done.
    In Event Logs I see that the Workstation is just under Temporary Role, but do not know why it is in Temporary Role.
    How can I see this information?
    Ex:
    Authentication
    2011-01-21 11:12:26
    [00:21:9B:37:00:F0 ## x.x.x.x] user@domain - Successfully logged in temporary role, Provider: ADSSO, L2 MAC address: 00:21:9B:37:00:F0, Role: Temporary Role, OS: Windows XP Pro/Home
    Thanks
    Daniel Stefani

    Hi Daniel,
    you can check the info about this user/machine on the NAC agent reports:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_report.html#wp1481407
    There you get details about what checks failed on the client during the posture assessment phase.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC for wireless layer 3 oob

    Hi,
    Anyone implemented nac for wireless layer 3 oob? This is using nac appliance not ise.
    What I did is to configure the wlc as per the layer 2 oob setup. Configure svi 669 (authentication/quarantine vlan) on the switches that are with the wism. Pbr all vlan 669 traffic to the test cas untrusted interface.
    Problem now: I'm not able to get an ip from dhcp after associating. DHCP works when tested on wired. Is there any additional config to be done on the WLC, or am I doing it right??
    The test cas/cam are upgraded to ver 4.8.2.
    Regards
    Joachim

    Everyone can make a mistake and it seems I made a big one :-)
    L3 wireless OOB was not supported until the last version:
    - Wireless L3 OOB RIP has been introduced in 4.8.2.
    - In order to support wireless in L3 OOB RIP deployment, DHCP release and renew values were propagated from CAS to the client so that the client can perform IP refresh.
    - The configuration of WLC and APs needs to be done like in Wireless L2 OOB VGW deployments.
    - There are no ports in WLC, hence Port profile is not required.
    - WLC allows only two VLANs, namely Quarantine (Auth) and Access VLANs. Hence the support for User role VLANs is not there in Wireless deployments.
    - iPhone/iPad support is also not present. Reason being IP address cannot be refreshed in iPhone/iPad due to lack of support for Java Applet/ActiveX.
    - The authentication trap control needs to be checked in order for the WLC to send 599.0.4 trap.

  • OIM 11g support for Temporary roles with expiration date

    Dear All,
    Is there a support provided for temporary roles in OIM 11g?
    If not, what is the recommendation as for implementation?
    Kind regards
    Maria Adair

    I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?

  • NAC Server Fallback Feature and OOB Deployment

    Hi,
    I would like to know how the Nac Server fallback feature works in an OOB deployment.
    The documentation says that there are three options (ignore, allow all, block all).
    When you have the allow all option enabled, does the NAC put the user in an access vlan, or does the user just access the network through the authentication VLAN?

    Hi,
    Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
    HTH,
    Faisal

  • NAC - Global Device Filter in OOB deployment

    Hi,
    Some help would be appreciated. I'm trying to bypass authentication/posture assessment for a printer in an OOB NAC deployment (CAM/CAS Version 4.9.0).
    I added the device MAC address in the global device filter, with the ALLOW access type set.
    "Change VLAN according to global device filter list" option is checked in the port profile set on the corresponding switch port.
    However, the device ends up in the Auth VLAN every time...
    What am I missing?

    Hi Tarik,
    Yes, the port is managed and a test profile named 'Printer_test' is currently assigned to the port.
    Here is what I see in the nac manager.log file (level set to debug) after the port comes up:
    2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpTrapListener          - Received trap event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
    2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 is created: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
    2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpManager               - Task from device 10.1.0.32 submitted with task id 5091348
    2012-01-24 14:41:08.219 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 starts run() after 0ms.
    2012-01-24 14:41:08.219 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - Resolved PortProfile Switch Port Profile [ id=4 name='Printer_test' type='normal' auth_vlan=100 access_vlan=15 idle_vlan=-1 attributes=635 vlan_profile_id=0 description='' reserved='' ] from event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
    2012-01-24 14:41:08.220 +0100   pool-3-thread-16 INFO  com.perfigo.wlan.web.sms.SnmpRunnable              - Received SNMP LINK_UP trap, but switch 10.1.0.32 is not using LINK_UP  for task 5091348
    2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - Trap does not need to processed: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0] for task 5091348
    2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 ends run() after 1ms.
    2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable              - SnmpRunnable com.perfigo.wlan.web.sms.task.SwitchNotificationTask id=5091348 finishes after 1ms.
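The debug lines above show the CAM resolving the 'Printer_test' profile and then dropping the trap because the switch is "not using LINK_UP", so no VLAN change follows. As an added example (not code from the thread or from Cisco), here is a small Python audit that parses constructed nac manager.log lines modelled on that excerpt and reports traps the CAM received but refused to process, which is the first thing to check before looking at the device filter itself.

```python
import re

# Constructed sample modelled on the nac manager.log excerpt quoted above
# (same message formats; switch IP, port and task id copied from the post).
SAMPLE_LOG = """\
2012-01-24 14:41:08.219 +0100   DefaultUDPTransportMapping_0.0.0.0/162 DEBUG com.perfigo.wlan.web.sms.SnmpTrapListener - Received trap event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
2012-01-24 14:41:08.219 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - Resolved PortProfile Switch Port Profile [ id=4 name='Printer_test' type='normal' auth_vlan=100 access_vlan=15 idle_vlan=-1 attributes=635 vlan_profile_id=0 description='' reserved='' ] from event SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0]
2012-01-24 14:41:08.220 +0100   pool-3-thread-16 INFO  com.perfigo.wlan.web.sms.SnmpRunnable - Received SNMP LINK_UP trap, but switch 10.1.0.32 is not using LINK_UP  for task 5091348
2012-01-24 14:41:08.220 +0100   pool-3-thread-16 DEBUG com.perfigo.wlan.web.sms.SnmpRunnable - Trap does not need to processed: SwitchTrapEvent [type=LINK_UP switch_ip=10.1.0.32 mac=null port=10035 dot1dBasePort=0 vlan=0] for task 5091348
"""

# Only the "Received trap event" line counts as a new trap; the later lines
# that echo the same SwitchTrapEvent are tied back to it.
TRAP_RE = re.compile(
    r"Received trap event SwitchTrapEvent \[type=(?P<type>\w+) switch_ip=(?P<ip>[\d.]+) "
    r"mac=(?P<mac>\S+) port=(?P<port>\d+) dot1dBasePort=\d+ vlan=(?P<vlan>\d+)\]"
)
PROFILE_RE = re.compile(
    r"Resolved PortProfile Switch Port Profile \[ id=\d+ name='(?P<name>[^']*)'"
    r".*?auth_vlan=(?P<auth>-?\d+) access_vlan=(?P<access>-?\d+)"
)
IGNORED_RE = re.compile(
    r"Received SNMP (?P<type>\w+) trap, but switch (?P<ip>[\d.]+) is not using \w+"
    r"\s+for task (?P<task>\d+)"
)


def audit_traps(log_text):
    """One record per received trap: resolved profile, VLANs, and whether dropped."""
    traps = []
    for line in log_text.splitlines():
        m = TRAP_RE.search(line)
        if m:
            traps.append({"switch": m.group("ip"), "port": int(m.group("port")),
                          "type": m.group("type"), "mac": m.group("mac"),
                          "profile": None, "auth_vlan": None,
                          "access_vlan": None, "dropped": False})
            continue
        m = PROFILE_RE.search(line)
        if m and traps:
            traps[-1].update(profile=m.group("name"), auth_vlan=int(m.group("auth")),
                             access_vlan=int(m.group("access")))
            continue
        m = IGNORED_RE.search(line)
        if m:
            # The CAM logged the trap as "not using": mark the latest matching trap.
            for t in reversed(traps):
                if t["switch"] == m.group("ip") and t["type"] == m.group("type"):
                    t["dropped"] = True
                    break
    return traps


def dropped_traps(log_text):
    """Traps the CAM received but did not process (so no VLAN change followed)."""
    return [t for t in audit_traps(log_text) if t["dropped"]]


if __name__ == "__main__":
    for t in dropped_traps(SAMPLE_LOG):
        print(f"switch {t['switch']} port {t['port']}: {t['type']} trap dropped "
              f"(mac={t['mac']}, profile={t['profile']}, auth_vlan={t['auth_vlan']}, "
              f"access_vlan={t['access_vlan']}); port stays in the auth VLAN")
```

A trap reported here as dropped means the CAM never got past the port-profile lookup for that event, so the global device filter setting on the profile was not the deciding factor; the trap type the switch is configured for in the CAM (MAC notification vs. linkup) needs to match what the switch actually sends.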

  • NAC L3 OOB - Online Users not correct

    I'm testing a NAC 4.1.3 L3 OOB Real IP configuration and have come across an anomaly. Can someone help please.
    I have configured two switches to be managed by NAC and have configured a role for Web Authentication and set all ports to be controlled.
    When I connect a PC to switch 1 and authenticate all works well and the View Online Users displays the PC/role/Switch Port correctly.
    I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Looking at switch 1, it has moved the port I was connected to the VLAN it should be after authentication. This should have been done to the port I'm now on at the Switch 2!
    MAC notifications are used and Linkup/downs are enabled on the switches. They are not stacked. When disconnecting from the switches it correctly removes me from the online users. After authentication on the new switch it puts me back on the original switch where I was!!!!!!
    This is most infuriating, it means the product is useless if I have users moving from one desk to another ending up on a different switch where they will no longer be able to work as they cannot get past authentication.
    All help is gratefully received.
    Thanks,
    Paul Kyte

    Hi, Paul
    >>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
    Have a look at Switch Management -> Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be an Access VLAN option - make it active.

  • Nac remediation failed

    Hi All,
    Has anyone encountered this issue? Recently upgraded to 4.9. Using L2 OOB wireless. Symantec endpoint protection ver 11, virus definition is out of date; when the user clicked repair, it takes a long time to remediate and then gave a failed error: "The remediation you are attempting had a failure. If the problem persist contact the system admin"
    Traffic control is allowing update in temporary role, and there's no blocking from quarantine vlan to symantec server. Also we notice that the definition gets updated after a while.
    Thanks.
    Regards
    Joachim

    Hi Joachim,
    In my environment, we have workstations with SEP ver 11 too and I would like to know where your users are searching for updates during the remediation process.
    We have Symantec Endpoint Protection Manager acting as antivirus server, and when the NAC Agent calls the Symantec LiveUpdate to perform the repair, users will get updates on the Internet and not on the Antivirus Server.
    Could you give me more information about your environment?
    regards,
    Daniel Stefani

  • WSUS - NAC Best Practice

    Hello every one,
    I'm making a demo of NAC in both IB and OOB VG environments. I'm trying to add a WSUS policy to be checked on the client machines. The first one I tried takes around 5 min every time I log in. I understand this happens because I am using the severity option when I configure the requirement. If I use the Cisco Rules option, will this be faster?
    Is there a site I can consult to see what the pre-configured rules check for?
    Can anybody tell me a good configuration for this requirement knowing this is a demo and I just want it to work.
    Thanks in advance.

    For new deployments of Cisco NAC Appliance, by default all traffic from the trusted to the untrusted network is allowed, and traffic from the untrusted network to the trusted network is blocked for the default system roles (Unauthenticated, Temporary, Quarantine) and new user roles you create. This allows you to expand access as necessary for traffic sourced from the untrusted network.

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configured?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am now fully compliant.
    Is there anything that I can do to make this posture / remediation process automatic and seamless?
    Mario

  • NAC/Wireless Design

    Hi!
    Looking for some input on some design options for NAC with a wireless deployment since OOB and IB are now both options.
    In a campus environment of up to 300 wireless users, in-band seems good so that we can have one SSID, but restrict a user login to a role and apply restrictions on the appliance, but I'm concerned about the common issue of the appliance becoming a bottleneck.
    My other thought too would be have multiple SSIDs (VLANs) and have multiple appliances handle certain VLANs, but this is pricey.
    In wireless OOB, it appears you can only have one "access" VLAN to map users to (I guess b/c that is all the WLC supports?), so that does not work for us as we need to have employees and guests (among others) separated.
    Please correct me on any misunderstandings.
    All insight appreciated. Thanks for the input!

    Your understanding is correct.
    For 300 wireless users, you may want to go inband and do enforcement at the NAC server level.
    For OOB, you need to make different SSID for different roles.
    e.g. Guest, Employees and Contractor
    You can look at the configuration example too for OOB Wireless NAC 4.5 here:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • NAC posture assessment error?

    Hi experts
    I have a NAC with 4.8.3 IOS installed. Everything works perfectly if I am not putting any posture assessment like WSUS or AV check. I can authenticate successfully and VLAN shifts ok. But if I put any posture assessment rule then the NAC Windows agent says the NAC server is not available on the network, and the user goes to the temporary role.
    any suggestions?
    Sent from Cisco Technical Support iPhone App

    Please check the links for the configuration and troubleshooting of NAC:
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860
