NAC L2 OOB Auth and Access VLAN
I'm new to Cisco NAC appliance.
I wanted to deploy L2 OOB VGW for my wired users.
I wanted to check whether I can have multiple Authentication-to-Access VLAN mappings.
For example :
Authentication VLAN - 111 Map to Trusted VLAN 311
and
Authentication VLAN - 112 Map to Trusted VLAN 312
Therefore, on the port profile of the switch, I can allocate which ports should use Authentication VLAN 111 and which should use VLAN 112.
The reason I want to do this is that I need the users to obtain IP addresses associated with the trusted segment, so that I do not have to bounce the switch port or use DHCP release/renew from the CCA or web client.
Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
Choose User Management > User Roles, select the role (vencorp) and click Edit.
Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
Save the role.
Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
Change the Access VLAN to User Role VLAN and click Update.
Login through the PC with SSO. You are now logged in to the domain and have role-based VLAN mapping.
Similar Messages
-
When the interface comes up, the CAM puts the user in the AUTH VLAN as expected via the set command (vlan 210):
03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
vmVlan.1 = 210
that works OK
Fa0/21, Fa0/22, Fa0/23
210 VLAN0210 active Fa0/1
211 VLAN0211 active
So SNMP RW works OK.
After the user logs in to the network, the user should be put back into VLAN 220 (according to the port profile settings), but nothing happens: no set command is sent, no SNMP traffic at all. The user remains in the AUTH VLAN and the agent loops.
I have tried all the settings, role based, initial VLAN as well, to no avail.
Any ideas? What to check for?
Rafal
Have you double-checked your settings for mapping ports against the VG setup guide?
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087 -
RDP with 802.1x, machine and user auth and dynamic VLAN
Hi,
We have 802.1x implemented with machine and user auth. We also use dynamic VLAN assignment. Our client is AnyConnect 3.1. The operating system is Windows 7. With Windows XP, it works just fine.
When we try to connect to the 802.1x-authenticated desktop with RDP (the desktop is machine authenticated, no user is logged in), we are able to authenticate, but as soon as the VLAN and IP address change according to the user authentication profile, the RDP session is terminated. It is not just disconnected: the remote user is logged out and AnyConnect reverts the 802.1x session back to the machine VLAN. We cannot log in with RDP and just loop between machine-user-machine authentication.
With this behavior, the TermDD message (ID 56) can be seen in the system log. Following the response at
http://social.technet.microsoft.com/Forums/windows/en-US/b7814ec3-6a49-469c-8773-909c50415942/the-rdp-protocol-component-x224-detected-an-error-in-the-protocol-stream-and-has-disconnected-the
I was able to get rid of the TermDD message, but I still loop in machine-user-machine authentication.
The following is TermDD message:
System
    Provider [Name] TermDD
    EventID 56 [Qualifiers] 49162
    Level 2
    Task 0
    Keywords 0x80000000000000
    TimeCreated [SystemTime] 2013-06-10T09:25:28.515308700Z
    EventRecordID 26643
    Channel System
    Computer XTCSSPWA03.cen.csint.cz
    Security
EventData
    \Device\Termdd
    10.190.64.208
Also AnyConnect shows that upon successful authentication and DHCP operation, it catches some exception and reverts back from user to machine VLAN:
3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success
3877: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} canceling existing DHCP work
3878: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} stop
3879: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA38), dataLen(0) (cimdIo.cpp 2156)
3880: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3881: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} creating a new DHCP work
3882: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: CancelCmd [state: COMPLETE]
3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request
3884: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: queueing DHCP work
3885: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ipv4: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} start
3886: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_ECHO, ifIndex(1), pData(0x0103FA3C), dataLen(2) (cimdIo.cpp 2156)
3887: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) data follows ... (cimdIo.cpp 2159)
3888: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) 08 06 .. (cimdIo.cpp 2159)
3889: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3890: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) pEthTypes data follows ... (cimdIo.cpp 2273)
3891: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) 06 08 .. (cimdIo.cpp 2273)
3892: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connect {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2} starting
3893: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: StartCmd [state: COMPLETE]
3894: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
3895: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
3898: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine current state = ACCESS_CONNECTED, received adapterState = authenticated
3899: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: port authentication succeeded
3900: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Network CS-wired-pass: AccessStateMachine new state = ACCESS_CONNECTED
3901: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Cancel event [state: COMPLETE]
3902: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: COMPLETE -> INIT
3903: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Get-Connectivity event [state: INIT]
3904: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: state: INIT -> WAIT_FOR_CONNECTIVITY
3905: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: IN_PROGRESS
3906: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: GetConnectiviyCmd [state: WAIT_FOR_CONNECTIVITY]
3907: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
3908: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: received Check-Connectivity event [state: WAIT_FOR_CONNECTIVITY]
3909: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: (initial) ipCfg: IP:10.190.95.74(255.255.255.248) GW:10.190.64.1
3910: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1448]: Ipv4 {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: executing: TestConnectivityCmd [state: WAIT_FOR_CONNECTIVITY]
3911: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: API (3) event: complete (portWorkList.c 130)
80: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1524]: Tx CP Msg: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ssc="http://www.cisco.com/ssc" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <networkStateEvent> <sequenceNumber>19</sequenceNumber> <groupName>Local networks</groupName> <networkName>CS-wired-pass</networkName> <networkState>AcquiringIpAddress</networkState> <adapterName>Broadcom NetXtreme Gigabit Ethernet</adapterName> <serverVerifiedName>ise-2.csint.cz</serverVerifiedName> </networkStateEvent> </SOAP-ENV:Body></SOAP-ENV:Envelope>
3912: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: PORT (3) port: ARP_REQ (portMsg.c 731)
3913: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) cdiOsIoctlSet: CDI_8023_FRAME_IO_SEND, ifIndex(1), pData(0x024EEB40), dataLen(64) (cimdIo.cpp 2156)
3914: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) data follows ... (cimdIo.cpp 2159)
3915: XTCSSPWA03: 6 10 2013 11:24:44.275 -0100: %NAM-7-DEBUG_MSG: %[tid=1468][comp=SAE]: NET (3) 00 00 00 00 FF FF FF FF FF FF D4 85 64 B8 43 61 ........ ....d.Ca 08 06 00 01 08 00 06 04 00 01 D4 85 64 B8 43 61 ........ ....d.Ca 0A BE 5F 4A 00 00 00 00 00 00 0A BE 40 01 00 00 .._J.... ....@... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ (cimdIo.cpp 2159)
3941: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (3) cdiOsIoctlSet: echo (cimdIo.cpp 2270)
3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS
3943: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv6 Connectivity Result: FAILURE
3944: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM current: state(STATE_AUTHENTICATED), event(EVENT_IP_CONNECTIVITY)
3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED
3946: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: handleEventAndDoStateTransitionAction action : ACTION_IP_CONNECTIVITY
3947: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) S_ndisIoControl: returning cached xmitLinkSpeed: 100000000 bps (cimdIo.cpp 3558)
3948: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436][comp=SAE]: NET (0) NDIS OID: ifIndex=1 GET OID_GEN_LINK_SPEED(0x10107) datalen=4, cbRW=4 cbNeeded=0 acErr=0 winErr=0 (cimdIo.cpp 3686)
1: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {25CBB996-92ED-457E-B28C-4774084BD562} LogLevel=0xF
2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
3: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({25CBB996-92ED-457E-B28C-4774084BD562}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
4: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC050) instantiated for CLSID:{25CBB996-92ED-457E-B28C-4774084BD562}
5: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {3DD6BEC0-8193-4FFE-AE25-E08E39EA4063} LogLevel=0xF
6: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
7: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
8: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000001FC850) instantiated for CLSID:{3DD6BEC0-8193-4FFE-AE25-E08E39EA4063}
9: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {503739D0-4C5E-4CFD-B3BA-D881334F0DF2} LogLevel=0xF
10: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\VaultCredProvider.dll.
11: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({503739D0-4C5E-4CFD-B3BA-D881334F0DF2}): Attempting to load Dir=C:\windows\System32, FileName=VaultCredProvider.dll
12: XTCSSPWA03: 6 10 2013 11:24:54.022 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003A30B0) instantiated for CLSID:{503739D0-4C5E-4CFD-B3BA-D881334F0DF2}
13: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
14: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
15: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
16: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003AF710) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
17: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {8BF9A910-A8FF-457F-999F-A5CA10B4A885} LogLevel=0xF
18: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
19: XTCSSPWA03: 6 10 2013 11:24:54.038 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({8BF9A910-A8FF-457F-999F-A5CA10B4A885}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
20: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003B7D70) instantiated for CLSID:{8BF9A910-A8FF-457F-999F-A5CA10B4A885}
21: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {94596C7E-3744-41CE-893E-BBF09122F76A} LogLevel=0xF
22: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved SmartcardCredentialProvider.dll.
23: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({94596C7E-3744-41CE-893E-BBF09122F76A}): Attempting to load Dir=, FileName=SmartcardCredentialProvider.dll
24: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003C03D0) instantiated for CLSID:{94596C7E-3744-41CE-893E-BBF09122F76A}
25: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {AC3AC249-E820-4343-A65B-377AC634DC09} LogLevel=0xF
26: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\System32\BioCredProv.dll.
27: XTCSSPWA03: 6 10 2013 11:24:54.053 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({AC3AC249-E820-4343-A65B-377AC634DC09}): Attempting to load Dir=C:\windows\System32, FileName=BioCredProv.dll
28: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003CABC0) instantiated for CLSID:{AC3AC249-E820-4343-A65B-377AC634DC09}
29: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {B12744B8-5BB7-463A-B85E-BB7627E73002} LogLevel=0xF
30: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CClassFactory(00000000001FFF00) CreateInstance calling CoCreateInstance on MS password cred prov
31: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {6F45DC1E-5384-457A-BC13-2CD81B0D28ED} LogLevel=0xF
32: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.
33: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({6F45DC1E-5384-457A-BC13-2CD81B0D28ED}): Attempting to load Dir=C:\windows\system32, FileName=authui.dll
34: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003D3220) instantiated for CLSID:{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}
35: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003DB880) instantiated for CLSID:{B12744B8-5BB7-463A-B85E-BB7627E73002}
36: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: DllGetClassObject CLSID: {E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435} LogLevel=0xF
37: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\certCredProvider.dll.
38: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: LoadLib({E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}): Attempting to load Dir=C:\windows\system32, FileName=certCredProvider.dll
39: XTCSSPWA03: 6 10 2013 11:24:54.069 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: CredProvider(00000000003E3EE0) instantiated for CLSID:{E74E57B0-6C6D-44D5-9CDA-FB2DF5ED7435}
3963: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\os\win\osAsync_win.c:233: => SL_STATUS_NO_CONNECTION
3964: XTCSSPWA03: 6 10 2013 11:24:59.247 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:102: => SL_STATUS_NO_CONNECTION
3965: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\win\ipcPipeBase_win.c:194: => SL_STATUS_NO_CONNECTION
3966: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: SysLib:DBG: .\src\ipc\ipcFuncs.c:105: => SL_STATUS_NO_CONNECTION
3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException
3968: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585050, err=0(OS_OK), thread_id=2460
3969: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: CoreLib:TRACE: context=acnam, thread join, ThreadImpl.cpp:58, m00585838, err=0(OS_OK), thread_id=3692
89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1
If we do not change the VLAN from machine to user, it works just fine.
Has anybody seen this problem? Has anybody fixed it?
Thanx, Martin
Hi,
unfortunately not.
I have gone through extensive troubleshooting from Microsoft and Cisco sides twice and the result is:
1) AnyConnect performs an EAPoL logoff when it detects RDP session termination, so it goes from user to machine authentication.
2) Windows 7 performs RDP session termination when the IP address changes due to the change of VLAN (from machine VLAN to user VLAN).
Cisco claims that the AnyConnect behavior is correct and Microsoft claims that they do not want to change this behavior (reset of the RDP session).
I can imagine that Cisco could detect whether the RDP session was terminated due to the IP address change or not, and not revert back to machine authentication in such a case.
In fact there was nobody at Cisco who was willing to listen to me or accept this as something that needs a fix. The only thing you can do is to enable "Extend connection beyond logoff". AnyConnect then does not send an EAPoL logoff if it detects RDP session termination, and you can establish another RDP session which does not fail, and you stay connected with RDP.
Martin -
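As an added example (not code from Martin's post, Cisco or Microsoft), here is a small Python parser for the NAM/NAMSSO/NAMCP log format shown in the thread above that extracts the milestones of the sequence Martin describes (user authentication success, IPv4 connectivity on the new VLAN, NoConnectionException, RDP session logoff) and reports whether they occurred in that order and how far apart. The regular expression, the milestone labels and the choice of message fragments are my assumptions derived from the lines visible in the post; the sample lines are copied from it.

```python
import re
from datetime import datetime, timedelta, timezone

# Line shape seen in the thread:
#   "<seq>: <host>: <M> <D> <YYYY> <HH:MM:SS.mmm> <+-HHMM>: %<FACILITY>-<sev>-<KIND>: %[tid=N][tags]: <message>"
# The "%[tid=..]" block may be followed by more "[...]" tags, e.g. [mac=...] or [comp=SAE].
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<host>\S+): "
    r"(?P<month>\d{1,2}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}): "
    r"%(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<kind>\w+): "
    r"%\[tid=(?P<tid>\d+)\](?P<tags>(?:\[[^\]]*\])*): (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\[mac=[^\]]*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})\]", re.I)

# Milestones of the revert sequence, in the order they must occur. The labels are
# my own (assumed); the needles are message fragments visible in the posted log.
MILESTONES = (
    ("AUTH_SUCCESS", "Authentication Success"),
    ("IPV4_UP", "Ipv4 Connectivity Result: SUCCESS"),
    ("CONNECTED", "STATE_AUTHENTICATED -> STATE_CONNECTED"),
    ("IPC_LOST", "CAUGHT: NoConnectionException"),
    ("SESSION_LOGOFF", "WTS_SESSION_LOGOFF"),
)

# Sample input: lines copied verbatim from the post (a handful, not the whole log).
SAMPLE_LOG = [
    r"3876: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: Authentication Success",
    r"3883: XTCSSPWA03: 6 10 2013 11:24:44.259 -0100: %NAM-6-INFO_MSG: %[tid=1436][mac=1,6,d4:85:64:b8:43:61]: {94B69AD2-E98C-4C94-BBC8-A94DC3894FE2}: DHCP: Sending DHCP request",
    r"3942: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: Ipv4 Connectivity Result: SUCCESS",
    r"3945: XTCSSPWA03: 6 10 2013 11:24:44.290 -0100: %NAM-7-DEBUG_MSG: %[tid=1436]: ACE: adapter SM state change: STATE_AUTHENTICATED -> STATE_CONNECTED",
    r"2: XTCSSPWA03: 6 10 2013 11:24:54.007 -0100: %NAMCP-7-DEBUG_MSG: %[tid=2680]: GetWrappedDllName: retrieved C:\windows\system32\authui.dll.",
    r"3967: XTCSSPWA03: 6 10 2013 11:24:59.262 -0100: %NAM-7-DEBUG_MSG: %[tid=2460]: CAUGHT: NoConnectionException",
    r"89: XTCSSPWA03: 6 10 2013 11:25:06.367 -0100: %NAMSSO-7-DEBUG_MSG: %[tid=1228]: ServiceControlHandlerEx:WTS_SESSION_LOGOFF, Session ID: 1",
]

def parse_line(line):
    """Split one NAM/NAMSSO/NAMCP line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    hh, mm, rest = g["time"].split(":")
    ss, ms = rest.split(".")
    sign = -1 if g["tz"][0] == "-" else 1
    offset = timedelta(hours=int(g["tz"][1:3]), minutes=int(g["tz"][3:5]))
    ts = datetime(int(g["year"]), int(g["month"]), int(g["day"]),
                  int(hh), int(mm), int(ss), int(ms) * 1000,
                  tzinfo=timezone(sign * offset))
    mac = MAC_RE.search(g["tags"])
    return {
        "seq": int(g["seq"]), "host": g["host"], "ts": ts,
        "facility": g["facility"], "severity": int(g["sev"]),
        "tid": int(g["tid"]), "mac": mac.group(1).lower() if mac else None,
        "msg": g["msg"],
    }

def classify(event):
    """Map a parsed event to a milestone label, or None if it is noise."""
    for label, needle in MILESTONES:
        if needle in event["msg"]:
            return label
    return None

def timeline(lines):
    """Ordered (timestamp, facility, label) tuples for the milestone lines only."""
    out = []
    for line in lines:
        ev = parse_line(line)
        label = classify(ev) if ev else None
        if label:
            out.append((ev["ts"], ev["facility"], label))
    return out

def detect_revert(lines):
    """Report whether the milestones occurred in order, and the auth-to-logoff gap."""
    expected = [label for label, _ in MILESTONES]
    seen = []
    for ts, _facility, label in timeline(lines):
        if label == expected[len(seen)]:
            seen.append((label, ts))
            if len(seen) == len(expected):
                break
        elif label == "AUTH_SUCCESS":  # a fresh authentication restarts the sequence
            seen = [(label, ts)]
    result = {"revert_loop": len(seen) == len(expected),
              "stages": [label for label, _ in seen]}
    if result["revert_loop"]:
        gap = seen[-1][1] - seen[0][1]
        result["auth_to_logoff_seconds"] = round(gap.total_seconds(), 3)
    return result

if __name__ == "__main__":
    for ts, facility, label in timeline(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {facility:<7} {label}")
    print(detect_revert(SAMPLE_LOG))
```

Run against a full NAM log the same way; a result with `revert_loop` true and a gap of a few tens of seconds is the signature of the user-to-machine revert Martin describes, while a log that stops at CONNECTED shows the VLAN change completed without the RDP session being torn down.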
NAC L3 OOB VGW possible?
Is it possible to do L3 NAC OOB with VGW?
The documentation does not say that it is not possible, but I see some technical difficulties.
In a VGW deployment, the Auth IP = Access IP and only the VLAN ID changes. But on the other end of an L3 link I cannot see VLAN IDs and therefore cannot distinguish between Auth and Access.
So is it correct that OOB L3 VGW is not possible?
It is my understanding that the IP address of the client must change when it moves from auth to access.
It is still OOB because traffic only goes through the CAS during authentication/remediation. Because there are no VLAN mappings it is not VGW.
Typically the CAS is at a core location, and you use policy routing or ACLs to separate auth traffic from access (though I prefer VRF) to "pipe" auth traffic back to the CAS.
Once auth is successful, the CAM switches the port to the access vlan. -
NAC OOB VGW Auth/Access VLAN
Hi,
Does anyone know if when you're setting up this topology and configuring VLAN mapping, if you need unique Auth VLANs for every Access VLAN? Or can you use one Auth VLAN and map it to multiple Access VLANs. I assume you need unique Auth VLANs.
Thanks
Aaron,
You can have one auth going to different access vlans based on conditions. Look at User-Role VLANs closely to accomplish that.
HTH,
Faisal -
NAC manager doesn't change auth vlan to access vlan
Hi,
I am trying to install L2 out-of-band NAC in my LAN, but I have a problem for which I don't seem to find any solution.
The problem is that the NAC Manager simply doesn't change the switchport from the authentication to the access VLAN, although the user is authenticated and all CCA requirements have been met.
I connect my laptop to the switch and the NAM changes the VLAN to the auth. VLAN, and the laptop gets an IP address from the access VLAN (VLAN mapping configured on the NAM). Then the CCA login pops up and I enter username and password. After that the CCA says: "Successfully logged in to network", but the laptop stays in the auth. VLAN. I can see my user in the "out of band" users list (on the NAM), but the laptop (its MAC address) is not in the certified devices list, and the Manager keeps it in the auth. VLAN. So when I click OK in the CCA, the login window pops up again because I'm still in the authentication VLAN.
What could be the problem? I really tried everything and I don't know why the Manager doesn't put the laptop in the certified devices list (I repeat, the user is in the out of band users list), the CCA says successfully logged in to network, and all requirements are met too.
Faisal,
thank you very much, yes that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed subnet I cannot connect to the NAC server from my PC, which has an IP address from that subnet range. I can neither ping it nor connect via https; it is totally inaccessible.
What can I do to have that managed subnet entry and still be able to connect to the server from that subnet (VLAN)?
I tried adding the managed subnet entry with the auth. VLAN (400), then with the access VLAN (110) and no VLAN (-1), but the situation is the same: Clean Access works fine, but I cannot reach the server from my PC. -
NAC Server Fallback Feature and OOB Deployment
Hi,
I would like to know how the Nac Server fallback feature works in an OOB deployment.
The documentation says that there are three options (ignore, allow all, block all).
When you have the allow all option enabled, does the NAC put the user in an access VLAN, or does the user just access the network through the authentication VLAN?
Hi,
Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
HTH,
Faisal -
NAC, OOB wireless and Active directory
Hello.
Here we need to set up Network Access with OOB wireless and authentication via Active Directory. I have followed this guide but still can't get it to work.
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
In my scenario:
CAM NAC: 192.168.7.100
CAS NAC: 192.168.9.9
WLC 5508: 192.169.9.2
AD and DHCP servers: 192.168.7.2 and 192.168.8.2
APs and clients range: 192.168.9.0/23
When I check "Radius Server Overwrite interface" and select NAC state: SNMP NAC on the following images....
I try to navigate and I get the default login page that I already configured asking me for credentials; I type them, but it gets stuck there. I have already configured everything shown in the guide posted above. Do I need to do something else that is not explicitly explained in the guide?
Thanks in advance.
Sarayanan
I just tried without "Radius Server Overwrite interface" checked and got the same results. The WLAN is mapped to the management interface.
AP group is the default one.
Here are the CAM logs
On the NPS Windows Server 2008 I can't see any log about this connection. Please give me some advice.
Thanks in advance. -
WLC2112 with Guest / Web-Auth and vlan
Hi
I'm trying to configure my WLC with guest SSID and vlan 10.
The security is only set to Web-auth, and it is all working if the guest network is set to the native VLAN (1). But it seems that http(s)://1.1.1.1/login.html is not reachable from the guest SSID/VLAN??
Please help.
Management IP Address 192.168.14.252
Software Version 6.0.182.0
Emergency Image Version
I have tried with ver. 5.2 also.
I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
Don't know if that helps, or not. -
Hi everyone,
"I have a friend" ( :-) ) to whom I want to deploy NAC OOB L3.
Why this one? Because he has a central location and a few branches (a few more, actually), and these branches are 2 L3 hops from the center. More specifically, there is an L3 switch as a gateway for the branch LAN users and after that a router that connects to the center (GRE/IPSec).
The question is, and I did not manage to find out or to work it out by myself: is it mandatory to use a DHCP server for allocating IPs to clients (for all of their states: unauthenticated, authenticated, permitted etc.)?
If not, how should it be done?
Second: if it is mandatory, should it work only with a centrally deployed DHCP server, or can I use the L3 switch in every branch as a DHCP server?
Thank you for your patience.
DHCP is required for L3 OOB real-IP gateway, since the system will need to get a new address when it is switched to the authorization VLAN and then again after the posture process when it is switched back to its "normal" VLAN.
As for the DHCP server, you can use either a central server, have a local switch provide the addresses or a combination of both.
In our install, the local switch is the DHCP server for the auth VLAN and a local server is used for the access VLAN.
Mike -
I am trying to get NAC integration with the WLC working for wireless users in OOB and can't get it to work. I followed the directions step by step from the Configuration Example on the Cisco web site. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered client on the CAM only when I turn off 802.1x for layer 2 security on the WLAN, but still it does not get switched to the Access VLAN, nor do I get a web login screen. DHCP for wireless clients is provided by the WLC itself, so that traffic does not pass through the CAS. Am I doing anything wrong?
Faisal
I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP, as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue, as the Guest subnet correctly points to the untrusted interface with no GW and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC Guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just an L2 VLAN on the core switch.
10.8.21.11/32 - 0 0
10.8.21.1/32 - 1 0
10.8.21.0/24 - 2 0
0.0.0.0/0 10.8.21.1 1 0
10.8.17.0/24 - 2 8
10.8.15.0/24 - 2 8
172.16.8.0/24 - 2 8
10.8.21.10/32 - 0 2
10.8.17.169/32 10.8.21.1 1 0
10.8.17.152/32 10.8.21.1 1 0
10.8.17.182/32 10.8.21.1 1 0
10.8.17.128/32 10.8.21.1 1 0
10.8.17.119/32 10.8.21.1 1 0
10.8.17.137/32 10.8.21.1 1 0
10.8.17.188/32 10.8.21.1 1 0
10.8.17.200/32 10.8.21.1 1 0
10.8.17.165/32 10.8.21.1 1 0
10.8.17.124/32 10.8.21.1 1 0
10.8.17.113/32 10.8.21.1 1 0
10.8.17.197/32 10.8.21.1 1 0
10.8.17.206/32 10.8.21.1 1 0
Thanks
Shaffeel -
Hello friends, anybody can help me ?
I have 1 CAS OOB, a 3560 and 1 CAM. I have configured VLANs, DHCP, etc. When the client is in the auth VLAN, it gets an IP from the trusted VLAN through the VLAN mapping configuration, buuuuuuuutttt DNS doesn't work. The client web browser doesn't redirect. I can access the login page only by typing the CAS IP address in the browser.
I am lost, thanks.
Make sure the IP address of the CAS is mapped to its name in the DNS server so that redirection takes place.
-
NAC L3 OOB Virtual Gateway/Real-IP Gateway
In a central deployment (NAC server at the central site) for remote office (WAN) users, is it possible to work with L3 OOB Virtual Gateway, or is it only possible to work with L3 OOB Real-IP Gateway?
If both modes (Real-IP or Virtual) are possible, what are the advantages/disadvantages of each one?
I didn't find an answer to this in the documentation.
Thanks in advance.
Hi, Paul
>>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
Have a look at Switch Management -> Port Profiles and, below "Options: Device Connected to Port" (the second one), "Change to .... if the device is certified"; there should be an Access VLAN option - make it active. -
I am deploying NAC 4.7.2 in-house to stage for a customer deployment. The deployment method I used is L2 OOB VG; I configured the switch, managed subnets, and VLAN mapping. However, two problems arose:
1. ARP replies from the trusted to the untrusted side are not being bridged between the access VLAN and the authentication VLAN
2. DNS replies are also not being forwarded from the trusted (access VLAN) to the untrusted (authentication VLAN)
What's strange is that DHCP is working fine.
I have tried to add an ARP entry for the default gateway (the client gets the MAC address of the untrusted interface as the default gateway), which NAC redirects and provides the login process and remaps my port to the access VLAN, but then I have to manually remove the ARP entry for the switch to discover the real MAC address of the default gateway once the client is in the access VLAN.
Is there anything else besides managed subnets and VLAN mapping needed for L2 OOB VG to work? From my understanding, DHCP, DNS, and ARP should be bridged normally between the trusted <--> untrusted interfaces with no additional configuration.
Hanny,
Sorry I couldn't look at your diagram in detail before. So there's something wrong here.
You claim in the PDF that VLAN 5 and 6 are untrusted, mapping to 15 and 16, for which you have the SVIs defined.
You also claim that FA0/17 is the untrusted interface and FA0/13 is the trusted interface, yet your interface definitions are the inverse of your network diagram. Is it just as simple as you plugging in the interfaces wrong? Or the error is in the diagram? Or the interface definitions in the PDF?
Please clarify. If you can, please also post the Network tab from your CAS, the Advanced tab from your CAS showing the managed subnets, and the VLAN Mapping tab from your CAS. Also please post your sanitized show running-config from your switch and verify where each of the interfaces is plugged in.
Thanks,
Faisal -
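Faisal's reply asks Hanny to reconcile three things: the VLAN mapping, the managed subnets, and which physical interface is trusted versus untrusted. The script below is an added example, not code from the thread or from Cisco, that models those pieces for an L2 OOB Virtual Gateway plan and flags the kind of inconsistency Faisal suspects (interfaces swapped relative to the diagram). The rules it applies (one-to-one mapping, a managed subnet and an SVI for every trusted VLAN, no SVI on the auth VLAN, auth VLANs allowed on the untrusted port and access VLANs on the trusted port) are my assumptions about VG mode, and every VLAN, subnet and port value is constructed.

```python
"""Audit an L2 OOB Virtual Gateway plan (added example, not Cisco code).

Models the pieces Faisal asked Hanny to post: the CAS VLAN mapping
(untrusted -> trusted), the CAS managed subnets, the switch SVIs, and which
switch port is the trusted/untrusted leg, then reports inconsistencies.
The rules below are assumptions about VG mode, and all values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CasPlan:
    vlan_mapping: Dict[int, int]        # untrusted (auth) VLAN -> trusted (access) VLAN
    managed_subnets: Dict[int, str]     # trusted VLAN -> managed subnet in CIDR form
    svis: Dict[int, str]                # VLAN that has an SVI (L3 gateway) -> gateway IP
    port_vlans: Dict[str, List[int]]    # switch port -> VLANs allowed on that trunk
    trusted_port: str
    untrusted_port: str


def audit(plan: CasPlan) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    mapped_from: Dict[int, int] = {}

    for auth, acc in plan.vlan_mapping.items():
        # Rule 1 (assumption): each auth VLAN maps to a distinct trusted VLAN, never itself.
        if auth == acc:
            problems.append(f"auth VLAN {auth} maps to itself")
        if acc in mapped_from:
            problems.append(f"trusted VLAN {acc} is mapped from both {mapped_from[acc]} and {auth}")
        mapped_from.setdefault(acc, auth)

        # Rule 2 (assumption): the CAS needs a managed subnet for every trusted VLAN it
        # bridges, and the SVI gateway for that VLAN must live inside that subnet.
        subnet = plan.managed_subnets.get(acc)
        if subnet is None:
            problems.append(f"trusted VLAN {acc} has no managed subnet on the CAS")
        elif acc in plan.svis:
            gw = ipaddress.ip_address(plan.svis[acc])
            if gw not in ipaddress.ip_network(subnet, strict=False):
                problems.append(f"SVI {gw} for VLAN {acc} is outside managed subnet {subnet}")
        else:
            problems.append(f"trusted VLAN {acc} has no SVI; clients would have no gateway")

        # Rule 3 (assumption): the auth VLAN carries no L3 interface of its own in VG mode.
        if auth in plan.svis:
            problems.append(f"auth VLAN {auth} has an SVI; in VG mode the gateway belongs on the trusted side")

    # Rule 4 (assumption): auth VLANs ride the untrusted port, access VLANs the trusted port.
    on_untrusted = set(plan.port_vlans.get(plan.untrusted_port, []))
    on_trusted = set(plan.port_vlans.get(plan.trusted_port, []))
    auth_vlans = set(plan.vlan_mapping)
    acc_vlans = set(plan.vlan_mapping.values())
    if auth_vlans <= on_trusted and acc_vlans <= on_untrusted and not (auth_vlans & on_untrusted):
        problems.append(f"ports look swapped: {plan.trusted_port} carries the auth VLANs "
                        f"and {plan.untrusted_port} carries the access VLANs")
    else:
        for v in sorted(auth_vlans - on_untrusted):
            problems.append(f"auth VLAN {v} is not allowed on untrusted port {plan.untrusted_port}")
        for v in sorted(acc_vlans - on_trusted):
            problems.append(f"access VLAN {v} is not allowed on trusted port {plan.trusted_port}")
    return problems


def sample_plan(swapped: bool = False) -> CasPlan:
    """Constructed plan in the shape of Hanny's description (5->15, 6->16, Fa0/13 trusted)."""
    trusted, untrusted = "Fa0/13", "Fa0/17"
    auth, acc = [5, 6], [15, 16]
    return CasPlan(
        vlan_mapping={5: 15, 6: 16},
        managed_subnets={15: "10.0.15.0/24", 16: "10.0.16.0/24"},
        svis={15: "10.0.15.1", 16: "10.0.16.1"},
        port_vlans={trusted: auth if swapped else acc, untrusted: acc if swapped else auth},
        trusted_port=trusted,
        untrusted_port=untrusted,
    )


if __name__ == "__main__":
    for line in audit(sample_plan()) or ["plan is consistent"]:
        print(line)
    for line in audit(sample_plan(swapped=True)):
        print(line)
```

Fill CasPlan from the CAS Network, Advanced (managed subnets) and VLAN Mapping tabs plus the switch running-config; a "ports look swapped" finding is the mismatch between diagram and interface definitions that Faisal is pointing at.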
NAC L3 OOB - Online Users not correct
I'm testing a NAC 4.1.3 L3 OOB Real IP configuration and have come across an anomaly. Can someone help please.
I have configured two switches to be managed by NAC and have configured a role for Web Authentication and set all ports to be controlled.
When I connect a PC to switch 1 and authenticate all works well and the View Online Users displays the PC/role/Switch Port correctly.
I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
Looking at switch 1, it has moved the port I was connected to the VLAN it should be after authentication. This should have been done to the port I'm now on at the Switch 2!
MAC notifications are used and Linkup/downs are enabled on the switches. They are not stacked. When disconnecting from the switches it correctly removes me from the online users. After authentication on the new switch it puts me back on the original switch where I was!!!!!!
This is most infuriating, it means the product is useless if I have users moving from one desk to another ending up on a different switch where they will no longer be able to work as they cannot get past authentication.
All help is gratefully received.
Thanks,
Paul Kyte
Hi, Paul
>>I then disconnect the PC and patch it into the Switch 2. I then authenticate but instead of the port being moved to the correct VLAN it is left in the authentication VLAN and the Web Login cycles and asks me to log in again. Looking at the Online Users display it says I'm online on Switch 1 on the port I have disconnected from. This is INCORRECT!
Have a look at Switch Management -> Port Profiles and below "Options: Device Connected to Port" (the second one) "Change to .... if the device is certified" there should be an Access VLAN option - make it active.