NAC OOB logoff feature not working

Hi all,
I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).
It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).
I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent
I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?
Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.
I appreciate your responses
~Xavier

Here are my configs if necessary. Tell me if anything else is needed.
User Management > User Roles
List of Roles
Edit Role
Traffic Control
Bandwidth
Schedule
Disable this role
Role Name
Role Description
Role Type
Normal Login Role Quarantine Role
*Max Sessions per User Account             ( Case-Insensitive Session Identifiers             )
(1 – 255; 0 for unlimited)  
Retag Trusted-side Egress Traffic with VLAN (In-Band)
(0 – 4095, or leave it  blank)(*This option has been deprecated, and it will be removed in  upcoming  releases)
*Out-of-Band User Role VLAN
VLAN ID VLAN Name                 (if left blank, it will default to the default access vlan             settings in the Port Profile)
*Bounce Switch Port After Login (OOB)
Enable               Disable               (This option is effective only when port profile is set to use it)
*Refresh IP After Login (OOB)
Enable               Disable               (This option only applies to L2 OOB Virtual Gateway with Role VLAN             as Access VLAN and switch port is NOT bounced after VLAN change)
*After Successful Login Redirect to
previously requested URL
this URL:
(e.g. http://www.cisco.com/)
Redirect Blocked Requests to
default access blocked page
this URL or HTML message:
*Show Logged-on Users
User info
Logout button
Enable Passive Re-assessment                          (To enable Passive Re-assessment for OOB Agent             connections, you must also enable the OOB Logoff option at             Device Management > Clean Access > General Setup > Agent Login.)
Re-assessment Interval
(Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
Grace Timer
(Minimum of 5 minutes and maximum of 30 minutes)
Default action on failure
Continue Allow user to remediate Logoff user immediately
(*only applies to normal login role)
Device Management > Clean Access
Certified Devices
General Setup
Network Scanner
Clean Access Agent
Updates
            Web Login   ·  Agent Login 
User Role
Unauthenticated Role(not common) role_engineer role_developer role_admin role_sales role_guest
Operating System 
ALL WINDOWS_ALL WINDOWS_XP WINDOWS_VISTA_ALL WINDOWS_7_ALL MAC_ALL MAC_OSX LINUX FREEBSD SOLARIS_ALL SOLARIS_86 SOLARIS_SPARC UNIX VMS OS2 PALM
(By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)
Enable OOB logoff for Windows NAC Agent and Mac OS X Agent        (This global option applies to all OOB CASs and user roles and  enables Agent logout and heartbeat timers for OOB Agent connections. You  must also enable this option for Passive Re-assessment to function with  OOB Agent connections.)
Require use of Agent
(for Windows & Macintosh OSX only)
Agent Download Page Message (or URL):
           Network  Security Notice: This network is protected by a Cisco NAC  Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent  ensures that your computer meets the requirements for accessing this  network, and helps you keep your computer secure and up-to-date. 
Please use the Agent to log in to the network.
If you  don't have the Agent software yet, download it by clicking the button  below. After downloading the installation file, run it to complete the  installation.
If you have already downloaded and installed the  Agent, please close this window and right-click the Agent icon in the  system tray and choose Login from the menu. Enter your usual network  user name and password in the login window.
Require use of Cisco NAC Web Agent (for Windows only)
          Cisco NAC Web Agent Launch Page Message (or URL):
Network  Security Notice: This network is protected by the Cisco NAC  Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC  Web Agent ensures that your computer meets the requirements for  accessing this network, and helps you keep your computer secure and  up-to-date.
Please launch Cisco NAC Web Agent by clicking the  button below.
Allow restricted network access in case user cannot use   NAC Agent or Cisco NAC Web Agent
          Restricted Access User Role: 
role_engineer role_developer role_admin role_sales role_guest
          Restricted Access Button Text: 
Restricted Network Access Message:
           Restricted  Network Access: If you cannot use a Cisco NAC Appliance  Agent, you can obtain restricted network access temporarily by clicking  the button below.
Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
          Network Policy Link:  
Logoff NAC Agent users from network on their machine logoff or shutdown after   
    secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)
     (Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
Refresh Windows domain group policy after login
(for Windows only)
Automatically close login success screen after    
    secs
     (Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
Automatically close logout success screen after    
    secs
(for Windows only)
     (Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)

Similar Messages

  • NAC OOB Logoff feature workaround ?

    Hi,
    We have a NAC OOB, Real-Ip Layer2 setup and the new option "Logoff Clean Access Agent users from network on their machine logoff or shutdown" does not apply when using OOB mode (which is annoying). Anybody found a way to make sure that when a users logs off from his PC he's automatically put back to the authentication VLAN ? We thought of maybe put a program in Windows XP logoff script that would disable/enable the NIC card but it seems a bit tricky...
    I'm sure I'm not the only one who's trying to find a solution for this. Hopefully Cisco will support this feature right from the clean access agent in a future release...
    Thanks.
    Dominic

    for now we are waiting for the feature to become available from Cisco in Q2 or Q3 of 2007.
    And yes, we are using SSO in a Windows XP - Windows 2003 environment.
    Dominic

  • NAC port bounce feature not working with 3750 12.2(50)SE1 IOS...

    Guys, would like to know the support for NAC to cisco IOS 12.2(50)SE1 IPBase version (3750).
    We have the port bounce feature in test enviroment on switch 3560 with advance IP services IOS 12.2(46)SE and it was working fine, but now we are facing problem with 3750.
    Any clues...

    Hi Tarik,
    Thanks for your reply,  SNMP settings are perfect since am able to manage the switch from CAM, i can change the port settings as well and yes mac-notification change is added automatically except bouncing the ports between vlans.
    Am not sure but i suspect this could be the problem with IOS as it is IPBase, but in the test environment it was AdvanceIPservices and everything was perfect.

  • Pick color feature not working properly -- how do I reset?

    Pick color feature not working properly -- how do I reset?

    You need to contact Adobe for you billing problem this is a user four not adobe customer support.
    For your Photoshop Problems this user community may be helpful. 
    Supply pertinent information for quicker answers
    The more information you supply about your situation, the better equipped other community members will be to answer. Consider including the following in your question:
    Adobe product and version number
    Operating system and version number
    The full text of any error message(s)
    What you were doing when the problem occurred
    Screenshots of the problem
    Computer hardware, such as CPU; GPU; amount of RAM; etc.

  • I have downloaded a trial version of Dreamweaver CS6 to my MacBook. Why do some features not work?

    I have downloaded a trial version of Dreamweaver CS6 to my MacBook. Why do some features not work? I have OSX 10.6.8. I am using this trial version for a class I am taking on coding webpages using Dreamweaver. there are features I am using in class that will not open up or appear as options when I use the trial version. Are certain features locked out until I buy a copy or download a purchased copy?

    Trial versions have no functional limitations, though your setup/situation might not be supportive of all functionality.  You'll need to identify specific issues to get help with them.  You should be posting in the DW forum instead of here if your issue does not have to do with downloading/installing.

  • Versamail Auto-sync feature not working with AOL mail w/Treo 700p (Verizon)

    I'm having a problem with the Auto-sync feature not working with my 700p (verizon) with my aol mail.  It had worked perfect since May 2007.  Just started having problems End of April 2008.  Sounded like I needed another incoming mail server from aol other than:  imap.aol.com, aol told me they also use pop.aol.com, that isn't working either.  I get an error message that says "last auto-sync attempt failed."....Anyone else having this issue?  I'm trying to decide whether to get rid of my aol mail of 14 yrs and use other address to continue using versamail 3.5  or keep aol and use Verizon Wireless sync.  I do not like how wireless sync sends mail to outbox and then syncs vs sending right away.   Please help...
    Post relates to: Treo 700p (Verizon)

    I am having the EXACT same problem: Palm 700p, Versamail, AOL, Verizon. 
    It started about 1 month ago.  The GET still works, but AUTO-SYNC does not...After spending hours on the phone with Palm tech support, and reaching someone who said AOL had changed something in their servers.  They suggested TRYING Chatteremail, another Palm product.  I have tried it for 20+ days out of the 30 days you get for free.  It works pretty well, but NOT every e-mail that goes to my AOL acct is making it to my phone.  The thing that's great about Chatter is that can be "live" all of time.  Not auto-syncing every 15 minutes.
    It's very frustrating....The same way the Versamail just stopping auto-syncing is very frustrating.  With Versamail, sometimes I did not even get the error message.  If Chatteremail worked consistently, I would bite the bullet, and pay for it, but to pay for it, and have it not pull down all the e-mails, all the time is not good.
    I spoke to Palm Tech Support in N. America today, and they say the way AOL uses IMAP servers is in a non-traditional way, and it's very hard to deal with.  They suggest ditching AOL, and using something reliable for syncing purposes like GMAIL.  It's just hard to cut the cord.  The man I was on the phone with knew of my problem, and he solved it by getting rid of AOL.  It's just tough, since so many people have the e-mail address for me. 
    On http://mobile.aol.com/aolproducts/mobile-email/mai​l-client
    there seems to be some indication when you click on Smart Phones on left, that Coming Soon is Palm, but I don't know if that's going to be downloadable for 700p, or Palms moving forward.  Or how far away that is.
    I tried wireless sync and hated it.
    This is really a pain in the butt.
    *** Who did you speak to at AOL? 
    *** How did you reach them?  e-mail?  phone #?
    I also did a search and found another program called "Snappermail", which I might try, and see if it's any better than Chatteremail.
    http://www.handango.com/SoftwareCatalog.jsp?jid=24​BX5EEAD31DXE6AB588D59X31E95BD5&osId=904&siteId=1&N​...
    If you find anything out, please let me know here, ok?  This is very bad for me. 
    Post relates to: Treo 700p (Verizon)

  • AppStore featured not working

    AppStore featured not working....

    update to the latest ios if u dont hav ios 6. im sure it will work

  • Just updated to Iphoto 9.1.3 but the slideshow feature not working

    Just updated to Iphoto 9.1.3 but the slideshow feature not working at all. Screen goes white but any features selected, nothing is produced .The themes preview windows are blank too. is there something missing?

    Sounds like it.
    To re-install iPhoto
    1. Put the iPhoto.app in the trash (Drag it from your Applications Folder to the trash)
    2a: On 10.5:  Go to HD/Library/Receipts and remove any pkg file there with iPhoto in the name.
    2b: On 10.6: Those receipts may be found as follows:  In the Finder use the Go menu and select Go To Folder. In the resulting window type
    /var/db/receipts/
    A Finder Window will open at that location and you can remove the iPhoto pkg files.
    3. Re-install.
    If you purchased an iLife Disk, then iPhoto is on it.
    If iPhoto was installed on your Mac when you go it then it’s on the System Restore disks that came with your Mac. Insert the first one and opt to ‘Install Bundled Applications Only.
    If you purchased it on the App Store you can find it in your Purchases List.

  • NAC OOB-Logoff

    Hi
    How is the host communicating wiht the NAC server ?
    In OOB L2 VG, the agent is using swiss protocol (L2 8905 towards  default-gateway or L3 8906 towards discovery host), but the nac server  does not have an IP in the access-vlan, it only has a management adress  i another vlan...
    And the discovery host is commonly the CAM, so the agent wont reach the server on the trusted side.
    Cisco sais that acl, pbr or vrf is the answer - but in and L2 oob  non of these solutions would not work, because the nac server only has a  management adress and no L3 conectivity to access vlan.
    If discovery host should be used - how is multible nac servers then supportet ??
    Can the cam tell the agent anything or forward the swiss packets ??
    Am i missing something ??
    Regards Henrik

    Hi
    How is the host communicating wiht the NAC server ?
    In OOB L2 VG, the agent is using swiss protocol (L2 8905 towards  default-gateway or L3 8906 towards discovery host), but the nac server  does not have an IP in the access-vlan, it only has a management adress  i another vlan...
    And the discovery host is commonly the CAM, so the agent wont reach the server on the trusted side.
    Cisco sais that acl, pbr or vrf is the answer - but in and L2 oob  non of these solutions would not work, because the nac server only has a  management adress and no L3 conectivity to access vlan.
    If discovery host should be used - how is multible nac servers then supportet ??
    Can the cam tell the agent anything or forward the swiss packets ??
    Am i missing something ??
    Regards Henrik

  • InDesign auto-size frame feature not working in real time in InCopy why?

    We have just recently migrated from InCopy CS4 to CS6 to take advantage of the new features like the auto resize frame option, however it now seems that this feature is not working in real-time.
    Basically the steps are needed to be complete before it auto-resizes the frame in InCopy, we use both layout and assignment based workflows:
    1. From an ID document ('doc1'), exported a 'layer' to IC, certain frames are set to auto-size in height using the text frame options. So that editorial can review and make changes to text and the frame should resize according to the specifications set. IC stories are saved to a folder located in a content folder inside the top issue working folder.
    2. Editorial opens the IC software, then opens the ID 'doc1'. Check’s out correct .icml file and makes edits to frame with auto resize.
    3. Frame does not resize according to text frame set options and InCopy file does not respond in same fashion as InDesign.
    4. Change only occurs when InCopy file is closed and updated in InDesign, which is frustrating as this feature would save huge amounts of time serving editorial requests.
    Has anybody experienced this type of workflow problem? If anyone can provide mw with some pointers as to what can I do to get this to update in real time perhaps run a script? Update file in InCopy and refresh I will very much appreciate their assistance. I have run out of ideas.
    Thanks!

    We've had all sorts of problems with this feature as it should've worked straight out of the box but after some testing we have found that its something to do with the way you open the actual file in InCopy. Which is far from ideal and should have been UAT by Adobe before release.
    This will not work consistently work if you open the designed .indd or .icma file in InCopy using the file open command within the application.
    If you need this to work, the InCopy user has to open the .indd or .icma file by dragging and droping from OS windows explorer into InCopy, we use Windows 7 acrros all the teams. Check out .icml files add text changes to the set auto resized frames, this process will expand/collapse the frames to fit the content but as you have to use the drag and drop method to open the .indd and .icma file, 2 users cannot access the same time doc at the same time (a serious flaw in the programming architecture!) which stops people working in parallel. Save changes, check in .icml content and close .indd or .icma.
    However the flaw comes in if you then open the .indd and .icma file in InCopy using the file open command within the application, before an InDesign user opens and saves the file (updates the design). The corrections added in the previous stage above, will not show the frames expanded/collapsed to take in the added text and instead show over matter???? The only way around this is to ask an InDesign user to open, update and save the design that way the InCopy user will see the same result no matter what file open method they use.
    Another suggestion is to design the page to have some of the auto resize frames anchored within main body of text and that way the frames will expland/collapse when checking out and editing the content. However, this does cause issues with InDesign crashing etc. so we have tried to stop this method within the working group.
    Have you experienced other more serious issues with InDesign crashing consistently when re-importing .icml files? See other forums here:
    http://forums.adobe.com/thread/671820?start=80&tstart=0
    http://forums.adobe.com/message/5045608#5045608
    As far as we can see this is a major flaw in how the application(s) work, we have an enterprise agreement with Adobe and purchase a large volume of Adobe products globally but so far the technical support team are unable to find a solution to this and I'm not hopeful of any resolution soon even with the new release of Adobe CC.

  • RealPlayer download feature not working in Firefox (but works in IE)

    Realplayer download feature (cursor over a youtube video, "download this video" pops up) has recently quit working for me (I've been using it for months). I've searched knowledge bases and forums extensively and tried all the suggestions., such as rolling back from Flash Player 11.5 to 10.3 (no luck), disabling/enabling RealPlayer Download plugin in Firefox (no luck), etc. The one suggestion I'd like to try but can't is going into RealPlayer preferences and enabling/disabling the "Download and Record" function. I can't because all I have in my preferences is "Recording" and the options have nothing to do with downloading. None of the RealNetworks/RealPlayer support sites are helpful at all...
    However, the download feature works just fine in Internet Explorer

    Realplayer download does not work in Firefox. Someone suggested ant.com as an add-on. That works.
    For youtube I use YTD downloader (a youtube product). It is more reliable for youtube videos.

  • URGENT HELP: Notebook SoundBlaster Audigy2 ZS -- some features not work on window vi

    Hello?I've SoundBlaster audigy2 zs that work fine for karaoke, recording on window xp. I've another pc that have window vista. I download this soundcard dri've for window vista from creative.com . However, some features of soundcard are not work as same on window vista. For example:- Can't launch EAX console- Creative surround mixer do not have all option to select especially Microphone?EAX console and Surround Mixer are 2 tools I used the most for recording music, sound ( karaoke)However this function work on XP but not on Vista. Any help will greatly appreciateIf there is any better brain soundcard to meet what I need (karaoke recording), please let me know?Thanks in advanceTienNu2006

    I have almost the same problem,
    I'm going crazy on this, I have a long story of self built computers too...
    Audigy 2 ZS "correctly" installed, but drivers details on "mixer", "midi" and all the codecs details are "installed but not working correctly".
    I'm going to format and reinstall everything to see if it's due to previous drivers for an "onboard" sound card
    O.S.: windows XP SP2
    Proc.: P4 3,40 GHz
    GBytes RAM DDR2
    Sapphire X300 pro
    ASUS P5LD2 mobo

  • Search feature not working most of the time

    My  search feature on my iPhone 4 rarely works anymore. After swiping screen from left to right or pressing HOME button nothing happens when I start typing. If I press the search button it will take a long time before responding.

    Sharing between Leopard and Snowleopard does not work reliably. For this reason, we do not recommend mixing Operating Systems.
    Hope this helps,
    Syd

  • Search feature not working in apple mail

    The search feature is not working in Apple Mail Yosemite. I enter keywords and get no results. Is there a fix for this?

    Hi!
    I have the same Problem... Did u try to delete the "Envelope Index"? ( got to Library/Mail/V2/... delete all files Envelope ... Close Mail before! and then restart Mail.)
    I tried that but nothing happen... How tu use Mail without search feature!!
    MacBook Pro late 2009, Mac OS Yosemite (10.10)

  • Search Feature Not Working in Mail 10.7.4

    Hi, the search feature is not working properly in Mail since upgrading to 10.7. If I use Spotlight from the desktop, that search will find the particular mail message I'm looking for, but searching directly within mail produces horrible results. I know I can just use spotlight, but sometimes I just want to search within mail. Any suggestions?

    Erase and rebuild index:
    Open Terminal and type$ sudo mdutil -E /
    you'll notice it indexing...

Maybe you are looking for

  • EFI Update and Exposé

    Just wanted to know if anyone is having an issue with Exposé remembering the "Hide and Show" key that is set for Dashboard. Ever since the firmware update that fixed the dreaded RAW scenario it keeps forgetting they key that I select after I restart

  • No XML output for a report Oracle 11.5.10.2 RDBMS 10.2.0.5.0

    I created a very simple rdf and ran it without problems. I then generated an .xml file and loaded this into into the template builder using xml publisher. I created the rtf and using xml Publisher administrator created a template and data definition

  • Bootcamp option gone, and not showing up in Finder either?

    So I can see more people had this problem... been zapping through a few guides, but haven't been able to spot the actual solution. I'm running Yosemite 10.10.1.... Here's the disk information. How do I proceed now? Allans-MBP:~ amelsen$ diskutil list

  • Start oracle on solaris 10

    please; i cant start the oracle service on solaris 10 what can i start service? thanks alot

  • 2 small questions about charts

    Hi All, is it possible to : 1. rotate 45 degree the X Axis in flash 2D line chart ? i tried modify the XML as in column chart but with no success. <strong>i was ale to rotate it by migrating the svg chart into flash chart </strong>:) 2. is it possibl