NAC-OOB L2 - Authentication login page doesn't appear!

Hi All,
We have 2 NAC managers and 2 NAC servers. We have a failover solution. Our deployment is OOB Layer 2 Central Virtual Gateway. We have successfully added NAS into NAM and we did the required configuration in NAM like configuring VLAN mapping (from the untrusted vlan 913 to the trusted vlan 910), adding managed subnet, switch profile, port profile, adding switches (cisco 3560) to NAM, configuring user roles, local users and also user login page.
Then we have tested it by connecting PC to the controlled port on the switch.
The configuration of the controlled port was on VLAN 910 and after connecting the PC, it's converted to VLAN 913. Then we successfully got an IP from the DHCP which is configured on the switch, but the authentication login page didn't appear! Also, when we disconnect the PC from that port, the configuration isn't converted from VLAN 913 to VLAN 910, so we have to change it manually every time to do our tests.
What should we do to let the login page appear and also automatically let NAM change the port configuration after disconnecting the PC?
Thanks in advance.

hi faisal,
the KTPass command is as follows:
C:\Program Files\Support Tools>ktpass.exe -princ test/[email protected] -mapuser test -pass test123 -out c:\mai.keytab -ptype KRB5_NT_PRINCIPAL +Desonly
and the attached log file.
Thanks

Similar Messages

  • Wlc5760 web authentication custom page

    I have installed custom web pages with our company logo on the authentication pages.
    Everything is fine, users are able to access the pages and authenticate, but the logo image is not showing.
    Instead of the logo, *some text missing* is appearing on the webpage.
    my logo file is .gif having a size of 211KB.

    Downloading a Customized Web Authentication Login Page
    You can compress the page and image files used for displaying a web authentication login page into a .tar file for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters the controller's file system as an untarred file.

  • WLC 2504 Guest Wifi login Page

    Hi
    Need some help. I have setup guest access on the controller and this is not working at the moment.
    DHCP server setup on the controller for the Guest users.
    You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
    Need to know how to fix this.
    Regards
    Chris

    George:
    Thank you for the rating.
    For this issue, they are getting the web-page and after providing the credentials it is redirecting to the original page.
    If there is no DNS available so how the host will resolve the URL IP in order to open the web-page?
    This is why I suggested to check DNS.
    From the link I posted above I quote:
    ...........The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client connects to a WLAN configured for web authentication, the client obtains an IP address from the DHCP server. The user opens a web browser and enters a website address. The client then performs the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web authentication login page. Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On Windows, choose Start > Run, enter CMD in order to open a command window, and do a "nslookup www.cisco.com" and see if the IP address comes back. ........
    If you are using a URL for the virtual interface then lack of DNS will not show you the credentials page in the first place.
    If there is no URL for the virtual interface and you get the auth page but after entering the credentials it does not successfully redirect, one of the main reasons is a DNS problem.
    You can still comment on this if you see it not accurate.
    Regards,
    Amjad

  • Getting AADSTS50020 error on microsoft login page when using Azure Active Directory Authentication

    We have implemented Azure AD single sign-on using auto-generated code from Visual Studio 2013 with organization account authentication and it's working fine.
    The problem is that when a user is logged in to the Azure management portal with his Live account and in another tab he tries to open our app, he directly gets the error below on the Microsoft login page.
    Additional technical information:
    Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
    Timestamp: 2015-04-14 12:27:20Z
    AADSTS50020:
    User account '[email protected]' from external
    identity provider 'live.com' is not supported for application
    'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
    be added as an external user in the tenant. Please sign out and sign in
    again with an Azure Active Directory user account.
    It works fine if I log out from management portal. Is there any way to resolve this issue without forcing user to log out from live account(management portal)?

    I assume you created a web application using VS2013 which uses the WS-Federation protocol.
    The behavior that you are seeing is expected Single-sign-on because you are logged in using the live account in the management portal.
    For WS-Federation, there is no current way for a caller to specify they want to force a fresh login, so the behavior is always the equivalent of LoginBehavior.Normal.
    The user will need to either sign out or use an in-private session in the browser.
    If you switch to OpenID Connect (sample at
    https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) and use the "prompt=login" query parameter in the sign-in request, this will force a fresh login.

  • Error on microsoft login page for OpenId authentication using Azure AD

    We have implemented authentication for a multi-tenant SaaS solution which uses Azure AD single sign-on using OpenIdConnect authentication and it's working fine.
    The problem is that when a user is logged in to the Azure management portal with his Live account and in another tab he tries to open our app, he directly gets the error below on the Microsoft login page.
    Additional technical information:
    Correlation ID: 78e13474-6f92-40ec-b463-91e36a6dae84
    Timestamp: 2015-04-14 12:27:20Z
    AADSTS50020:
     User account '[email protected]' from external
     identity provider 'live.com' is not supported for application
     'https://xxxxx.onmicrosoft.com/xxxx'. The account needs to
     be added as an external user in the tenant. Please sign out and sign in
     again with an Azure Active Directory user account.
    This works fine if I pass the "prompt=login" query string parameter in the sign-in request, but in that case single sign-on is not working. Is there any way to resolve this issue
    without losing the single sign-on experience?

    Hello,
    Have you tried the steps suggested by
    Imtiaz Hussain in the
    previous thread you queried ?
    Is the error the same that you were previously encountering ?
    Regards,
    Neelesh.

  • Using SqlProvider and Weblogic authenticator in my own login page

    Hi All,
    I want to use SqlProvider of weblogic server for authentication of users. For the said purpose I have made necessary steps in weblogic server console. now i want to use it in my own login page and authenticate user based on sqlProvider and wls.
    Can u suggest me what to do? or where do I move next ?

    Add ADF Security to your application.
    - Add the groups (the ones in your WLS) to 'Enterprise roles' (use the same name).
    - Define your 'Application Roles' (the roles you want to use in your application) and add the corresponding Enterprise roles to it.
    - Set the resource grants
    That should be it.

  • Login Page - Change How Users are Authenticated

    Hi all,
    I have done a function in a package:
    function checkPassword( p_username in varchar2, p_password in varchar2 ) return boolean
    is
      db_password number;
    begin
      select password into db_password
        from people
       where username = p_username;
      if db_password = dbms_utility.get_hash_value( p_password, 37, 1000000000 ) then
        return true;
      else
        return false;
      end if;
    end checkPassword;
    Now, I want to use this function to authenticate the user in the application but I don't know how to do it...
    I create a login page by default... what do I have to change?
    Thanks in advance
    Rdgs
    CD

    CD,
    Edit the authentication scheme's Authentication Function attribute to be:
    return your_package_name.checkPassword;
    You might also want that logic to allow for upper/lower case variations of the entered username.
    Scott

  • Remote user Authentication in customize login page

    Hi all,
    I would like to make sincere request to all you that I am not able authenticate my users based on tables. I start to learn HTML DB before 20 days and created simple application.
    Requirement:
    1: Created new login page P16 other than inbuilt login page 101.
    2: created table “trx_employee_login” which will keep track of user information
    3: after giving URL to user if user enters usr/passwd then it should take username and password (remote ) and validate in “trx_employee_login” table and if it exist then open some (page 34) page
    in the current application.
    Approach:
    1: written authentication function as
    CREATE OR REPLACE FUNCTION custom_auth (
      p_username IN VARCHAR2,
      p_password IN VARCHAR2
    )
      RETURN BOOLEAN
    IS
      l_password VARCHAR2 (4000);
      l_stored_password VARCHAR2 (4000);
      l_count NUMBER;
    BEGIN
      SELECT COUNT (*)
        INTO l_count
        FROM trx_employee_login
       WHERE user_name LIKE p_username;
      IF l_count > 0
      THEN
        SELECT PASSWORD
          INTO l_stored_password
          FROM trx_employee_login
         WHERE user_name LIKE p_username;
        IF l_password = l_stored_password
        THEN
          RETURN TRUE;
        ELSE
          RETURN FALSE;
        END IF;
      ELSE
        RETURN FALSE;
      END IF;
    END;
    2: created authentication scheme and entered
    return custom_auth;
    in authentication function.
    3: same like I created Set Username cookie :
    begin
    owa_util.mime_header('text/html', FALSE);
    owa_cookie.send(
    name=>'LOGIN_USERNAME_COOKIE',
    value=>lower(:P16_USERNAME));
    exception when others then null;
    end;
    and other process to like 101 page
    but I m not able to get the result showing always message “Invalid Login Credentials”
    Please it will be great help if any one will help me. I m trying from the last 5 days but not able to do. I love to do myself first and if not possible then like to ask others. So please need help. Any other approach will be appreciated.
    Thanks && Regards
    Ravi

    Thanks Scott very Much,
    I changed it but I am still getting the invalid credential message.
    Anyhow, I got some hope from you. Can you have a look at this again, please? I am very new to HTML, so after six days of trying I am a bit tense. Here is what I am doing:
    1: Created new login page Page 16.
    2: In page rendering process I created a “Before Header process named Get cookie Name ” just like inbuilt login Page :
    declare
    v varchar2(255) := null;
    c owa_cookie.cookie;
    begin
    c := owa_cookie.get('LOGIN_USERNAME_COOKIE');
    :P16_USERNAME := c.vals(1);
    exception when others then null;
    end;
    Incase of :P101_USERNAMR I change it as :P101_USERNAMR .
    3: In page rendering I created “Clear Cache for all Items on Pages (PageID,PageID,PageID)”
    process for page 16.
    4: In Page processing I created a process named “Set Username Cookie” type After computation and Validation.
    5: In page processing I created process Login just like page 101 and changed as
    wwv_flow_custom_auth_std.login(
      P_UNAME => v('P16_USERNAME'),
      P_PASSWORD => :P16_PASSWORD,
      P_SESSION_ID => v('APP_SESSION'),
      P_FLOW_PAGE => :APP_ID||':1'
    );
    6: created one branch “On submit after processing to go to page 1 my welcome page”
    7: Created Authorisation scheme function returning Boolean:
    DECLARE
    l_count NUMBER;
    BEGIN
    SELECT COUNT (*)
    INTO l_count
    FROM trx_employee_login
    WHERE user_name = :p16_username AND PASSWORD = :p16_password;
    IF l_count > 0
    THEN
    RETURN TRUE;
    ELSE
    :p16_username := NULL;
    :p16_password := NULL;
    RETURN FALSE;
    END IF;
    END;
    8: I modified the function and make it UPPER case comparison as :
    CREATE OR REPLACE FUNCTION custom_auth (
      p_username IN VARCHAR2,
      p_password IN VARCHAR2
    )
      RETURN BOOLEAN
    IS
      l_password VARCHAR2 (4000);
      l_stored_password VARCHAR2 (4000);
      l_count NUMBER;
    BEGIN
      -- First, check to see if the user is in the user table
      SELECT COUNT (*)
        INTO l_count
        FROM trx_employee_login
       WHERE UPPER (user_name) = UPPER (p_username);
      IF l_count > 0
      THEN
        -- First, we fetch the stored hashed password & expire date
        SELECT PASSWORD
          INTO l_stored_password
          FROM trx_employee_login
         WHERE UPPER (user_name) = UPPER (p_username);
        -- Finally, we compare them to see if they are the same and return
        -- either TRUE or FALSE
        IF l_password = l_stored_password
        THEN
          RETURN TRUE;
        ELSE
          RETURN FALSE;
        END IF;
      ELSE
        RETURN FALSE;
      END IF;
    END;
    In case of point 5 I mentioned how should I call my custom_auth function.
    I m not getting if I am changing it as
    custom_auth_ (
    P_UNAME => v('P16_USERNAME'),
    P_PASSWORD => :P16_PASSWORD,
    P_SESSION_ID => v('APP_SESSION'),
    P_FLOW_PAGE => :APP_ID||':1'
    then showing error and if
    custom_auth_ (
    P_UNAME => v('P16_USERNAME'),
    P_PASSWORD => :P16_PASSWORD
    then wrong number of arguments is shown.
    That’s what I am doing. I know I am doing some blunder but not getting where.
    Can u please take a look and tell me what changes I should made to work this code.
    Thanks && Regards.

  • Don't see Windows NT option in authentication tab on the CMC login page

    I installed BusinessObjects Enterprise XI 3.1 and installation was successful. We are using Windows NT authentication. I mapped the Windows NT Users. The Windows NT Users group was populated under 'users and group'. Everything looks fine. The problem is that I am not able to see the Windows NT option in the authentication tab on the CMC login page. (I can see only Enterprise, LDAP and Windows AD.) I can see the Windows NT option in the authentication tab on the InfoView login page without problem.
    I tried to reconfigure the web.xml file (I replaced 'secEnterprise' with 'secWindowsNT' but it still doesn't work).
    web.xml in E:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\CmcApp\WEB-INF is as follows now:
        <!-- You can specify the default Authentication types here -->
        <!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
        <context-param>
            <param-name>authentication.default</param-name>
            <param-value>secWindowsNT</param-value>
        </context-param>
        <!-- Choose whether to let the user change the authentication type -->
        <!-- If it isn't shown the default authentication type from above will be used -->
        <context-param>
            <param-name>authentication.visible</param-name>
            <param-value>true</param-value>
        </context-param>
    Any idea? Thanks

    Sherri, on page 457 of the admin guide it says:
    "The CMC and other Java-based applications do not support NT
    authentication."
    I think it's because only Windows-based apps support Windows NT authentication, not Java-based ones.
    I think the CMC is a Java-based application.

  • How to prevent login page in same browser when user is already authenticated

    Hello,
    I am using Jdev 11.1.1.6 with ADF security implemented in my application.
    I have Login.jspx that redirects the user to Home.jspx on successful authentication. User can either enter Login or Home Page URL.
    Please consider following scenarios:
    a) User is not authenticated in current browser session
      a.1) if user enters Home page URL then Login page is displayed and redirected to Home page on authentication
      a.2) if user enters Login page URL then Login page is displayed and redirected to Home page on authentication
    b) User is already authenticated in current browser session, a new tab is opened and
      b.1) if user enters Home page URL then it directly shows Home page (already authenticated)
      b.2) if user enters Login page URL then Login page is displayed -- this is the issue, it should either directly take user to Home page or invalidate the existing session and let user proceed with new.
    How do I achieve this? Any help is highly appreciated.
    Thanks,
    Jai

    Thanks Frank and everyone for your help.
    I am able to achieve what Frank suggested using phase listener. We don't have a custom phase listener but I created one and instead of configuring at global level, just defined the ControllerClass in the pageDef of my login page.  
    Code from afterPhase is:
        public void afterPhase(PagePhaseEvent pagePhaseEvent) {
            if (pagePhaseEvent.getPhaseId() == Lifecycle.INIT_CONTEXT_ID) {
                FacesContext fctx = FacesContext.getCurrentInstance();
                String viewRootId = fctx.getViewRoot().getViewId();
                // Only act on the login page, and only for an already authenticated user
                if ("/pages/login.jspx".equalsIgnoreCase(viewRootId) &&
                    ADFContext.getCurrent().getSecurityContext().isAuthenticated()) {
                    try {
                        String homeViewId = "pages/home.jspx";
                        ControllerContext controllerCtx = null;
                        controllerCtx = ControllerContext.getInstance();
                        String activityURL =
                            controllerCtx.getGlobalViewActivityURL(homeViewId);
                        fctx.getExternalContext().redirect(activityURL);
                    } catch (IOException ioe) {
                        _logger.logException(ioe);
                    }
                }
            }
        }
    My only concern here is that I am hardcoding the login and home page url. Is there a better way to implement this?
    Thanks,
    Jai

  • Form Based Authentication without login page

    Hi,
    I need to use form-based authentication in a web page, but without a dedicated login page. So basically every page will contain a login form in the upper right corner, so the user can log in anytime in his browsing session directly from the page he's reading.
    I am aware that the form-based authentication config needs a login and an error page.
    I need some hints on how this could be implemented so that I don't need them directly. I'm quite sure this is possible; if any of you has ideas please share them with me.
    dukes are waiting ...

    sorry - double posted : http://forum.java.sun.com/thread.jspa?threadID=584579&tstart=0

  • Big authentication problem: not being redirected to the login page

    Hello, everybody!
    I've just noticed a big problem in the web application I'm developing. In this
    application I'm using the FORM authentication method as you can see below in the
    web.xml file:
      <security-constraint>
         <web-resource-collection>
                <web-resource-name>permitido</web-resource-name>
                <url-pattern>/*</url-pattern>
           </web-resource-collection>
           <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
      </security-constraint>
      <security-constraint>
           <web-resource-collection>
                <web-resource-name>restrito</web-resource-name>
                <url-pattern>/confirmacaoreserva.jsp</url-pattern>
                <url-pattern>/confirmacaoreserva.faces</url-pattern>
                <url-pattern>/reservaconfirmada.jsp</url-pattern>
                <url-pattern>/reservaconfirmada.faces</url-pattern>
           </web-resource-collection>
           <auth-constraint>
                <role-name>ADMINISTRADOR</role-name>
                <role-name>USUARIO</role-name>
           </auth-constraint>
           <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
           </user-data-constraint>
      </security-constraint>
      <login-config>
           <auth-method>FORM</auth-method>
           <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/errologin.jsp</form-error-page>
           </form-login-config>
      </login-config>
      <security-role>
           <role-name>ADMINISTRADOR</role-name>
      </security-role>
      <security-role>
           <role-name>USUARIO</role-name>
      </security-role>
    If I type in the browser's address field any of the protected pages,
    confirmacaoreserva.faces or reservaconfirmada.faces, the web container redirects
    me to the login page as expected, as I wasn't authenticated yet. Up to
    this point everything is working without problem. But I noticed, to my surprise,
    that when I click on a link in a web page like this:
    <h:commandLink value="#{msg.reservar}" action="#{materiais.reservarMaterial}">
        <f:setPropertyActionListener target="#{materiais.codigoMaterial}" value="#{material.codigo}" />
    </h:commandLink>
    // in the backing bean
    public String reservarMaterial() {
        // some processing...
        return "confirmacaoReserva";
    }
    // in faces-config.xml
    <navigation-rule>
        <navigation-case>
            <from-outcome>confirmacaoReserva</from-outcome>
            <to-view-id>/confirmacaoreserva.jsp</to-view-id>
        </navigation-case>
    </navigation-rule>
    it completely bypasses the web container authentication and redirects me to the
    protected page (confirmacaoreserva) without asking me first to authenticate in
    the login page. Of course this is unacceptable.
    So, how can I solve this? How do I fix this problem?
    Thank you.
    Marcos

    Marcos_AntonioPS wrote:
    BalusC wrote:
    Which appserver implementation/version are you using?
    JBoss 4.2.3.GA
    OK.
    Which JSF implementation/version are you using?
    The default JSF implementation that comes with JBoss 4.2.3.GA
    Which one? Read the manifest file of the JSF implementation JAR.
    Does it work if you redirect instead of forward in the navigation case (just add <redirect />) ?
    I haven't tested yet
    And?
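
The behaviour in this thread follows from the servlet security model: `<security-constraint>` rules are enforced on requests arriving from the client, not on `RequestDispatcher` forwards, and a JSF navigation case without `<redirect />` renders the target view by forwarding. As an added example (not code from the thread), a servlet filter mapped to the FORWARD dispatcher can enforce the same roles on the forwarded views. The class name `ForwardAuthFilter`, the filter name and the `*.faces` servlet mapping are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example; class and filter names are hypothetical.
 * web.xml registration (Servlet 2.4 or later):
 *
 *   <filter>
 *     <filter-name>forwardAuthFilter</filter-name>
 *     <filter-class>ForwardAuthFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>forwardAuthFilter</filter-name>
 *     <url-pattern>/confirmacaoreserva.jsp</url-pattern>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 *   (repeat the mapping for /reservaconfirmada.jsp)
 */
public class ForwardAuthFilter implements Filter {

    // Same roles as the <auth-constraint> in the thread's web.xml.
    private static final String[] ALLOWED_ROLES = {"ADMINISTRADOR", "USUARIO"};

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void destroy() {
        // Nothing to release.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (hasAllowedRole(request)) {
            // Authenticated with a permitted role: render the forwarded view.
            chain.doFilter(req, res);
            return;
        }

        if (request.getUserPrincipal() == null) {
            // Not authenticated: send the browser to the protected URL itself.
            // That new client request is checked by the container, which then
            // shows the FORM login page configured in <login-config>.
            String target = clientUrlFor(request.getContextPath(),
                                         request.getServletPath());
            response.sendRedirect(response.encodeRedirectURL(target));
        } else {
            // Authenticated but without a permitted role.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /** True if the caller holds at least one of the permitted roles. */
    static boolean hasAllowedRole(HttpServletRequest request) {
        for (String role : ALLOWED_ROLES) {
            if (request.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Maps the forwarded JSP path to the URL a browser would request.
     * Assumes the FacesServlet is mapped to *.faces, as the URLs typed
     * in the original post suggest.
     */
    static String clientUrlFor(String contextPath, String servletPath) {
        String path = servletPath;
        if (path.endsWith(".jsp")) {
            path = path.substring(0, path.length() - ".jsp".length()) + ".faces";
        }
        return contextPath + path;
    }
}
```

Adding `<redirect />` to the navigation case, as asked about in the reply, makes the browser request the protected URL directly so the container's constraint applies; the filter covers navigation cases where the redirect is missing.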

  • Web Authentication - Web login page not displayed

    Cisco 4402 WLC running version 5.2.193.0
    Access Points: AIR-LAP1142N
    I have configured an SSID for WebAuthentication. When a wireless client logs into the WLAN the PC will associate to the AP but will then stop at the WEBAUTH_REQD stage.
    Internet Explorer will show the attempt to redirect to the virtual port at 1.1.1.1 but will not bring up the login page.
    IE shows : https://1.1.1.1/login.html?redirect=www.google.co.ukhttp://www.google.co.uk/
    The network is a flat network so this SSID is using the management interface.
    DHCP is being provided by the controller for this WLAN.
    I know the classic design should be for this to be implemented on a separate VLAN but my customer has not VLANed his network yet and this is planned at a later stage. I have implemented this on a flat network before and it has worked.
    Any suggestions would be much appreciated.

    I faced exactly the same problem as you have described above. The following is what fixed it for me, i am sure u try it to might fix it for u as well.
    In my scenario i found that my WLC controller had cipher-option sslv2 disabled. I enabled it and that resolved the issue for me.
    This is what needs to be done in order to do it :-
    It's best to enable it on the WLC and this is done from the CLI. It requires a reboot.
    ssh to the WLC
    enter the following command:-
    WLC>config network secureweb cipher-option sslv2 enable
    and then reboot.
    Once the WLC reboots u can check the status by issuing the following command:-
    WLC>show network summary
    The output should look similar to the following
    RF-Network Name............................. GTCR-CH-RF-GA
    Web Mode.................................... Enable
    Secure Web Mode............................. Enable
    Secure Web Mode Cipher-Option High.......... Disable
    Secure Web Mode Cipher-Option SSLv2......... Enable
    As u can see the Secure Web Mode Cipher-Option SSLv2 is now enabled.
    This should work.
    Hope this helps and all the best.

  • NAC appliance local authentication not working

    Hi,
    i am trying a test scenario for NAC. it is oob virtual gateway
    I get the login page when I try to access the web, but when I try to authenticate to the local db I don't receive an error message and I remain on the authentication screen.
    I listened with tcpdump on both interfaces. On the untrusted side I see traffic, but on the trusted side no difference in traffic appears (but maybe this is normal).
    can someone please help with the detailed steps the authentication follows
    not just host->nas->nam(localdb)
    or some ideas
    Thank you!

    I doubt this will help, but here goes. I seem to remember a similar issue here, and I went into my browser's proxy settings and turned them off. Then I could authenticate, but not browse the web. So after authenticating I turned them back on and it was fine. There is a tab on the NAC Device Management > Clean Access Servers > >Advanced> Proxy where you can tell clean access about a proxy server, but I don't know if that's relevant.
    I assume you have verified that your local user ID works by testing the auth server with it and that it has a profile that allows you to go someplace.

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
    Switch: 3550 (ios 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration (trunks to the CAS):
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
    - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
    - vlan mapping between untrusted vlan 100 and trusted vlan 10
    - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the cas' login page from the host in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and it is assigned an ip from the a access vlan 10. Shouldn't I be able to access the managed subnet case I configured ip traffic control policy to permit all traffic from untrusted to trusted? also shouldn't I be able to resolve website's ip with "nslookup x.com" since dns traffic is by default configured and also trusted dns server 192.168.99.1 is configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature

    | Cisco Catalyst Switch Model | Virtual Gateway Central Deployment (both interfaces into same switch) | Virtual Gateway Edge Deployment (each interface into different switch) |
    |---|---|---|
    | 6000/6500 | Yes | Yes |
    | 4000/4500 | Yes | Yes |
    | 3750/3560 (L3 switch) | Yes with 12.2(25) SEE and higher [1] | Yes |
    | 3550 (L3 switch) | No [1] | Yes |
    | 3750/3560 (L2 switch) | Yes | Yes |
    | 3550 (L2 switch) | Yes | Yes |
    | 2950/2960 | Yes | Yes |
    | 2900XL | No [2] | Yes |
    | 3500XL | Yes | Yes |
    | 28xx NME | Yes with 12.2(25) SEE and higher [1] | Yes |

    [1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    [2] 2900 XL does not support removing VLAN 1 from switch trunks.
