NAC manager doesn't change auth vlan to access vlan

Hi,
I am trying to install L2 out-of-band NAC in my LAN, but I have a problem for which I can't seem to find any solution.
The problem is that the NAC manager simply doesn't change the switchport from the authentication VLAN to the access VLAN, although the user is authenticated and all CAA requirements have been met.
I connect my laptop to the switch, and NAM changes the VLAN to the auth. VLAN and the laptop gets an IP address from the access VLAN (VLAN mapping configured on NAM). Then the CCA login pops up and I enter my username and password. After that CAA says: "Successfully logged in to network", but the laptop stays in the auth. VLAN. I can see my user in the "out of band" users list (on NAM), but the laptop (its MAC address) is not in the certified devices list, and the Manager keeps it in the auth. VLAN. So when I click OK in CAA, the login window pops up again because I'm still in the authentication VLAN.
What could be the problem? I really tried everything and I don't know why the manager doesn't put the laptop on the certified devices list (I repeat, the user is in the out of band users list), and CCA says successfully logged in to network, and all requirements are met too.

Faisal,
thank you very much, yes, that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed subnet, I could no longer connect to the NAC server from my PC, which has an IP address from that subnet range. I can neither ping it nor connect via https; it is totally inaccessible.
What can I do to have that managed subnet entry and still be able to connect to the server from that subnet (VLAN)?
I tried adding the managed subnet entry with the auth. VLAN (400), then with the access VLAN (110) and no-vlan (-1), but the situation is the same: clean access works fine, but I cannot reach the server from my PC.

Similar Messages

  • Auth VLAN and Access vlan

    When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
    03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
    03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
    vmVlan.1 = 210
    that works OK
    Fa0/21, Fa0/22, Fa0/23
    210 VLAN0210 active Fa0/1
    211 VLAN0211 active
    So SNMP RW works OK,
    After the user logs in to the network, the user should be put back into vlan 220 (according to the port profile settings), but nothing happens: no set command sent, no SNMP traffic at all. The user remains in the AUTH vlan and the agent loops.
    I have tried all the settings, role based, initial VLAN as well, to no avail.
    Any ideas? What to check for?
    Rafal

    Have you double checked your settings for mapping ports with the VG setup guide?
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
    Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
    http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087
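
A troubleshooting aid for the symptom in this thread, as an added example that is not part of the original posts: it reads switch SNMP debug output in the format quoted above and reports which ports were last set to the auth VLAN and never moved on, plus any `vmVlan` writer other than the manager. The sample log, the function names, and treating the source address in the sample as the manager are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the debug lines quoted in the post
# (ifIndex 2 is later moved to VLAN 220, ifIndex 1 never is).
SAMPLE_LOG = """\
03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
 vmVlan.1 = 210
03:09:41: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:09:41: SNMP: Set request, reqid 2144479367, errstat 0, erridx 0
 vmVlan.2 = 210
03:10:02: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
03:10:02: SNMP: Set request, reqid 2144479368, errstat 0, erridx 0
 vmVlan.2 = 220
"""

VlanSet = namedtuple("VlanSet", "time source reqid ifindex vlan")

SRC_RE = re.compile(r"SNMP: Packet received via UDP from (\S+)")
SET_RE = re.compile(r"(\d\d:\d\d:\d\d): SNMP: Set request, reqid (\d+)")
VAR_RE = re.compile(r"^\s*vmVlan\.(\d+) = (\d+)\s*$")


def vmvlan_sets(log_text):
    """Return a VlanSet for every vmVlan varbind that follows a Set request."""
    events, source, request = [], None, None
    for line in log_text.splitlines():
        if (m := SRC_RE.search(line)):
            # A new packet starts; forget any request seen in the previous one.
            source, request = m.group(1), None
        elif (m := SET_RE.search(line)):
            request = (m.group(1), int(m.group(2)))
        elif (m := VAR_RE.match(line)) and request:
            events.append(VlanSet(request[0], source, request[1],
                                  int(m.group(1)), int(m.group(2))))
    return events


def stuck_in_auth(log_text, auth_vlan):
    """ifIndexes whose most recent vmVlan set still points at the auth VLAN."""
    last = {}
    for ev in vmvlan_sets(log_text):
        last[ev.ifindex] = ev.vlan
    return sorted(i for i, vlan in last.items() if vlan == auth_vlan)


def unexpected_writers(log_text, manager_ip):
    """Source addresses that issued vmVlan sets but are not the NAC manager."""
    return sorted({ev.source for ev in vmvlan_sets(log_text)
                   if ev.source != manager_ip})


if __name__ == "__main__":
    print("still in auth VLAN:", stuck_in_auth(SAMPLE_LOG, 210))
    print("unexpected writers:", unexpected_writers(SAMPLE_LOG, "172.31.200.200"))
```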

  • Switchport comparision, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations, for example in how QoS is handled?
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first set of configuration applies to the new series switches, Cisco 3550, 3560, 3750 series.
    The second set applies to the older series Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data vlan.
    In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
    Regards,
    Anup

  • Switchport trunk native vlan & switchport access vlan dual configuration

    I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
    port configuration:
    interface FastEthernet0/3
    duplex full
    speed 100
    switchport access vlan 203
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 203
    switchport trunk allowed vlan 1,203,204,220,1002-1005
    switchport mode trunk
    spanning-tree portfast

    Hi,
    The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
    Hope that helps ...
    Paresh
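
A small audit for the dual configuration discussed in this thread, as an added example that is not part of the original posts: it walks interface stanzas and lists trunk-mode ports that still carry `switchport access vlan` lines, which the reply above says are disregarded. The function names and the FastEthernet0/4 stanza are constructed; the one-space indentation and `!` separators of a usual running-config are assumed.

```python
import re

# Port stanza quoted in the post, plus one constructed access port for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 duplex full
 speed 100
 switchport access vlan 203
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 203
 switchport trunk allowed vlan 1,203,204,220,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 110
 switchport mode access
!
"""


def parse_interfaces(config_text):
    """Map interface name -> its sub-commands (stanza ends at '!' or a blank line)."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def last_word(cmds, prefix):
    """Final token of the first command starting with prefix, or None."""
    return next((c.split()[-1] for c in cmds if c.startswith(prefix)), None)


def dual_config_ports(config_text):
    """Return trunk-mode ports that still carry access-port VLAN commands."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        access = [c for c in cmds if re.fullmatch(r"switchport access vlan \d+", c)]
        if last_word(cmds, "switchport mode ") == "trunk" and access:
            findings.append({
                "interface": name,
                "ignored": access,  # lines with no effect while the port trunks
                "native_vlan": last_word(cmds, "switchport trunk native vlan "),
            })
    return findings


if __name__ == "__main__":
    for finding in dual_config_ports(SAMPLE_CONFIG):
        print(finding)
```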

  • NAC L2 OOB Auth and Access VLAN

    I'm new to Cisco NAC appliance.
    I wanted to deploy L2 OOB VGM for my wired users.
    I wanted to check whether I can have multiple Authentication to Access VLAN mappings.
    For example :
    Authentication VLAN - 111 Map to Trusted VLAN 311
    and
    Authentication VLAN - 112 Map to Trusted VLAN 312
    Therefore, on the port profile of the switch, I can allocate which ports should be using Authentication VLAN 111 and VLAN 112.
    The reason I want to do this is that I need the users to obtain IP addresses that are associated with the trusted segment, so that I do not have to bounce the switch port or utilise DHCP release/renew from the CCA or web client.

    Role-based access VLAN mapping for Windows single sign-on (SSO) users can be achieved with this procedure:
    Choose Management > Auth Servers and select Auth Type to Active Directory SSO.
    Select Default Role for the role that you want Windows SSO users to be in after they are logged in. For example, in this case it should be vencorp.
    Choose User Management > User Roles, select the role (vencorp) and click Edit.
    Define the Out of Band User Role VLAN to 5 (or any VLAN that you want the users of this role to be).
    Save the role.
    Choose Switch Management > Profiles > Port > List and click Edit for the control profile.
    Change the Access VLAN to User Role VLAN and click Update.
    Login through the PC with SSO. You are now logged in the domain and have role-based VLAN mapping

  • Changing adobe ID - Adobe Cloud Manager doesn't work

    Hi guys!
    I have on my mac Adobe Creative Cloud Manager with all the app installed in English. All work.
    I changed my ID with new subscription of all the CC product, but the Manager doesn't recognize what i have installed, so when i try to update, install or uninstall the apps, i can't.
    I already try with CC cleaner, but doesn't work...
    I already also delete the OOBE folder...
    Anyone can help me?

    Please refer: http://helpx.adobe.com/creative-suite/kb/troubleshoot-update-issues-cs5-cs5.html#main_Troubleshoot_Adobe_Application_Manager_problems_or_failures

  • NAC OOB VGW Auth/Access VLAN

    Hi,
    Does anyone know if when you're setting up this topology and configuring VLAN mapping, if you need unique Auth VLANs for every Access VLAN?  Or can you use one Auth VLAN and map it to multiple Access VLANs.  I assume you need unique Auth VLANs.
    Thanks

    Aaron,
    You can have one auth going to different access vlans based on conditions. Look at User-Role VLANs closely to accomplish that.
    HTH,
    Faisal

  • Configuring NAC MANAGER HA - link failure detection

    Hello,
    I'm configuring HA in NAC Manager and want to enable "eth0 link failure detection based failover". Is this possible in version 4.1.2.1 ?
    Where can i configure this in NAC Manager?
    See my configurations for the Primary HA on pic attached.
    kind regards,
    Daniel Stefani

    Hi Daniel,
    It doesn't look like that's an option in the 4.1.2 line.  You can configure this in 4.1.3 line, however - see the configuration guide here: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_ha.html#wp1040221
    HTH,
    Lauren

  • Adobe Application Manager Doesn't list any 2014 versions of programs. How do I update to those versions?

    My Adobe application manager doesn't list the 2014 versions of the core programs. I need them to grade the work of my students, as my school runs these versions and I can't open the work on my computer.

    Thank you for your help.
    I got it while waiting for the answer. The "Application Manager" is not how these get installed (how would I know that). I installed the "Adobe Creative Cloud" application and got the new versions.
    It was confusing because the Application manager installed on Nov 4. Very recently, right! (but just prior to updating my operating system to Yosemite, OK Duh). And of course Yosemite has changed the look and functionality of everything, including this, so anything I was doing that should be intuitive was less so.

  • CUPC 8.0.3 busy status doesn't change to offline on OS (windows) shutdown

    Hi,
    We found the following problem with CUPC8.0.3.
    When you set the status to 'busy' or 'do not disturb' and you shut down or restart windows (without closing the CUPC program manually) the status doesn't change to offline (from the perspective of other CUPC users or the CUPS end user information page)
    If the status is available, it goes to offline when Windows is shut down or restarted.
    Does anyone know if this is a defect...?
    Thanks
    rgs
    Luk

    Hi Luc,
    Yes I managed to reproduce it in my lab as well. As soon as you login (after a shutdown) the user is shown busy again.
    This is working as expected and it is a known behaviour. It is tracked by the following defect
    CSCsl11256
    The thing is that a fix would require a lot of changes in CUPC architecture and there is no known date where this issue will be tackled.
    This does not happen when the user is already in available status because the busy and 'do not disturb' require special handling
    I hope this clarifies things a bit.
    Regards,
    Christos

  • ISDN doesn't change to state up - only after reboot

    Hi,
    i've a router 2801 with the card VIC2-2BRI, i've this problem:
    when i plug-in in ISDN cable on the BRI interface the interface BRI doesn't change the state to up, it seems that the cable is not connected.
    I need to reboot my router with the ISDN cable plugged in, and when the router starts, the BRI interface is active.
    anybody know how to solve this problem?
    This is my ISDN bri configuration:
    network-clock-participate wic 3
    interface BRI0/3/0
    no ip address
    isdn switch-type basic-net3
    isdn point-to-point-setup
    isdn incoming-voice voice
    isdn bind-l3 ccm-manager service mgcp
    isdn sending-complete
    voice-port 0/3/0
    output attenuation 10
    echo-cancel coverage 32
    no vad
    compand-type a-law
    cptone IT
    It uses the MGCP protocol to communicate with my CallManager.
    thanks in advance,
    Claudio.

    Try:
    http://www.cisco.com/warp/public/793/access_dial/ddr_dialer_profile.html
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/800/800swcfg/provisio.htm

  • VM Manager doesn't recognize virtual machine

    Hi there.
    I've created 2 virtual machines (Red Hat with EBS-12i), a vision and a fresh install, and I have the VM manager installed on another machine. It all worked fine until the day that I had to move the machines to another place and I was forced to change the IP of the machines.
    After I made the IP changes I lost access to the vision virtual machine; the VM manager sees the fresh VM but doesn't see the vision.
    Do you know if there is a tool that can probe the VM server to search for the virtual machines or the configuration file where there is the location of the VM?
    Thanks and regards,
    Ricardo Vilhena

    vilhena wrote:
    Do you know if there is a tool that can probe the VM server to search for the virtual machines or the configuration file where there is the location of the VM?

    VM Manager can do that itself. On the Resources tab of VM Manager, select "Virtual Machine Image" and then import --> From Server Pool. It will find all the running VMs that exist in /OVS/running_pool/ that are not already being managed by VM Manager.

  • Media Manager doesn't work anymore

    When I'm capturing and logging footage, Media Manager is part of my workflow. I capture the entire tape, then use the DV Start/Stop detect function to make subclips. Then I use Media Manager to create smaller versions of the subclips. I log and archive the newly created compressed clips, and use them for edits.
    But now with FCP 5.0.2, Media Manager doesn't work like it used to. The end result of outputting the subclips is one large clip. If I output half of them at a clip (1,3,5,7,9,etc.) and then go back and do the rest (2,4,6,8,10,...) it works. But what a pain. I've tried every variation of settings. Nothing makes a difference.
    What gives?
    Also, the subclips all now have the first frame of the next clip stuck on the end. That's not Media Manager, it happens before. But it is not cool.
    Anyone having similar problems, and any solutions?
    -Daniel Cohen

    Tom,
    Here is the process:
    Capture the entire DV tape as one long clip.
    Use DV Start/Stop detection to create markers. (This results in that extra last frame from the beginning of the next clip.)
    Make subclips from the markers.
    Select subclips and go to Media Manager
    Use Media Manager to Recompress
    -Recompress media using OfflineRT NTSC (Photo JPEG)
    -Delete unused media from selected clips.
    -No handles (I want the clip as it was on the tape)
    -Base media file names on clip names
    -Select a media destination
    And off it goes.
    Instead of creating individual clips (at the selected location) it makes one long clip, like the source, just smaller because it is now compressed.
    In earlier versions of FCP this worked. Something has changed in version 5.
    I can trick the Media Manager by selecting every other subclip, outputting, and then going back and selecting the rest. But that is twice the work. And I still have those darn extra frames at the end of the clips.
    Any ideas. (I have already done the Quicktime repair listed in many other threads.)
    -Daniel Cohen

  • Am told firefox is already running , but task manager doesn't show it

    am told firefox is already running , but task manager doesn't show it. I installed Firefox 3.6.10 on a new computer (win 7 home premium), deleted the profile given and copied my old profile in its place (win vista premium). I get the above message and am told to close the existing process, or restart the system. Can't close and restarting doesn't help. Please solve this for me, i so don't want to use Internet Explorer

    g'day people... a dude called "moopenguin32" showed me the way... alleluia
    1. Copy your Firefox shortcut (what you click on to open Firefox) to the Desktop.
    2. Right-click on it and click on Properties.
    3. Go to the end of the text in the "Target" field. The end will say: firefox.exe"
    4. Enter a space followed by: -profilemanager
    5. The end result will look something like this: "C:\Program Files\Mozilla Firefox\firefox.exe" -profilemanager
    6. Click OK to save the settings.
    7. Double-click on the shortcut you just changed.
    8. Delete the profile listed. It shouldn't matter that you're deleting it because you're trying to restore a profile anyways. You should have the profile you're trying to restore saved elsewhere.
    9. Close the profile manager.
    10. Start Firefox using your regular shortcut. Firefox should open properly. Close Firefox.
    11. Now to restore your profile, open the profile folder you have backed up and copy the contents of it rather than the actual folder.
    12. Go to your existing Firefox profile and open it.
    13. Delete the contents of the existing Firefox profile.
    14. Paste the contents of the Firefox profile that you're trying to restore (the one you copied in step 11).
    15. Open Firefox and everything should be there (including your extensions).

  • Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

    Hi There
    I have Cisco NAC set up in my environment. These are all working fine. The users will get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. It's either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advise.
    Regards,
    Ram

    Hi,
    That is not possible.
    You cannot push ACLs into the NAC manager.
    If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
    Using Radius attributes you can then map users to Roles.
    Please take a look into this:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
