NAC OOB VG mode IPPhone resetting

Hi,
I'm deploying an OOB VG demo environment. I have been able to go through the whole NAC process with a laptop directly connected to a switchport, but I'm having problems when I connect via an IP phone. It seems that when the MAC notification of the PC is sent, the IP phone automatically restarts.
I have added the phone's MAC address to the list of certified devices, and I checked the "change vlan according to global device filter list" option.
I'm also sure the "bounce port ..." options are unchecked, all this from the port profile. I'm still not sure why the phone resets.
Any help is appreciated.
Thanks in advance.

What you've done sounds correct. You have the phone on the "voice vlan" in the switch config? If so, CCA shouldn't touch the phone or voice vlan. At what point in the process does the phone reset?

Similar Messages

  • NAC OOB and 6500 in Virtual Switch Mode

    Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
    The customer uses Radius IAS for authentication. How does it fit with the AD SSO?

    Hi Bruce,
    I am afraid there are some arguments missing in your db command.
    To manually add the OID of  Cat4507R+E to CAM's database here is the  procedure to do this.
    [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')" INSERT 0 1
    psql: warning: extra command-line argument "INSERT" ignored
    psql: warning: extra command-line argument "0" ignored
    psql: warning: extra command-line argument "1" ignored
    INSERT 0 1
    Then to make sure it is there:
    [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
    The output should be:
    1.3.6.1.4.1.9.1.1286      |     4 | Cisco Catalyst 4507 R+E
    Restart perfigo service on NAC Manager and try to manage the switch  using the model used by the above command.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
    Switch: 3550 (ios 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration of the trunks to the CAS:
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
    - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
    - vlan mapping between untrusted vlan 100 and trusted vlan 10
    - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the cas' login page from the host in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and it is assigned an ip from the access vlan 10, shouldn't I be able to access the managed subnet, since I configured the ip traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's ip with "nslookup x.com", since dns traffic is by default configured and the trusted dns server 192.168.99.1 is also configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
    Cisco Catalyst Switch Model | Virtual Gateway, Central Deployment (both interfaces into same switch) | Virtual Gateway, Edge Deployment (each interface into different switch)
    6000/6500                   | Yes                                       | Yes
    4000/4500                   | Yes                                       | Yes
    3750/3560 (L3 switch)       | Yes with 12.2(25) SEE and higher [1]      | Yes
    3550 (L3 switch)            | No [1]                                    | Yes
    3750/3560 (L2 switch)       | Yes                                       | Yes
    3550 (L2 switch)            | Yes                                       | Yes
    2950/2960                   | Yes                                       | Yes
    2900XL                      | No [2]                                    | Yes
    3500XL                      | Yes                                       | Yes
    28xx NME                    | Yes with 12.2(25) SEE and higher [1]      | Yes
    [1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    [2] 2900 XL does not support removing VLAN 1 from switch trunks.

  • NAC - OOB - Virtual IP - users lost connecti

    Hi.
    So my problem is the follow:
    I have at my customer a NAC OOB - Virtual IP Gateway.
    So, we have many port profiles. Each port profile has its own authentication vlan and access vlan, for example:
    TI -  auth vlan 585 -  access vlan 85
    ENGINEERING - auth vlan 586 - access vlan 86
    And works very very fine.
    BUT
    There is a common location called PLATFORM (auth vlan 587, access vlan 87) where, to put port profile on each User interface on the switch after 20 minutes or less, the machines that are on this profile (VLANs 587, 87) lose network connectivity, without bounce.
    I checked and some machines, for no reason, are changed to the authentication vlan without an snmp Linkdown and even get stuck in it with the user in the certified device list.
    Other machines remain in vlan access, but lose all connectivity to the network without ping gateway and any other device.
    Another vlan (for ex: vlan 1) that is not controlled by NAC continues to communicate normally.
    I tried to see any logs on the switch but could not see anything abnormal (yet).
    Other locations with others port profiles work normally.
    The uplinks on this switches and interfaces users dont have any CRC or errors.
    Could anyone help me? This is causing problems in my account.

    Hi,
    I understand then that the clients are not connecting through local or SSO mode, is that correct?
    I would suggest 3 things so far:
    1. Check the logs on the switches where the CAS's are connected, I had a similar problem where CAS would stop responding and the switches would complain about vlan mismatch or mac flapping, if you notice errors on the switches verify that you have:
    * Vlan mapping enabled correctly
    * Different native VLAN on the switch interface for trusted and untrusted CAS ethx.
    * The correct vlans configured on each port: for untrusted just the authentication (layer 2) vlans, for trusted interface the access vlan (20) and the management vlan.
    2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
    3. On the CAM go to the Clean access server section, manage one of your CAS's, the first window will show the services currently running on the CAS, verify if the SSO service is running, if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
    Hope this helps,
    Regards,
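
The trunk rules from the reply above (different native VLANs on the two CAS-facing switch ports, only authentication VLANs on the untrusted side, access and management VLANs on the trusted side), written as a check over switch configuration text. This is an added example, not part of the original posts and not Cisco code; the function names, the finding codes and both sample configurations are constructed for illustration, with the VLAN numbers of the "good" sample taken from the 3550 setup described in the earlier thread.

```python
import re

ALL_VLANS = set(range(1, 4095))  # IOS default when no allowed list is configured
VLAN_LIST = r"\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*"

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,199,300-302' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Return {interface: {'native': int, 'allowed': set}} from IOS config text.
    Only plain lists and 'add' are handled; all/none/except/remove are ignored."""
    trunks, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)$", line):
            # Defaults: native VLAN 1, every VLAN allowed.
            cur = trunks.setdefault(m.group(1), {"native": 1, "allowed": set(ALL_VLANS)})
        elif cur is None:
            continue
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(rf"switchport trunk allowed vlan (add )?({VLAN_LIST})$", line):
            vlans = expand_vlans(m.group(2))
            cur["allowed"] = (cur["allowed"] | vlans) if m.group(1) else vlans
    return trunks

def check_cas_trunks(config, untrusted_if, trusted_if, vlan_map, mgmt_vlan):
    """vlan_map is {auth_vlan: access_vlan}, i.e. the CAS VLAN mapping pairs.
    Returns a list of (finding_code, vlans); an empty list means the rules hold."""
    trunks = parse_trunks(config)
    u, t = trunks[untrusted_if], trunks[trusted_if]
    findings = []
    # Rule: different native VLAN on the trusted and untrusted CAS ports.
    if u["native"] == t["native"]:
        findings.append(("native-vlan-shared", [u["native"]]))
    # Follows from the next two rules: no VLAN belongs on both trunks.
    if shared := u["allowed"] & t["allowed"]:
        findings.append(("vlan-on-both-trunks", sorted(shared)))
    # Rule: the untrusted trunk carries just the authentication VLANs.
    if extra := u["allowed"] - set(vlan_map):
        findings.append(("untrusted-carries-non-auth", sorted(extra)))
    if missing := set(vlan_map) - u["allowed"]:
        findings.append(("auth-vlan-missing", sorted(missing)))
    # Rule: the trusted trunk carries the access VLANs and the management VLAN.
    if missing := (set(vlan_map.values()) | {mgmt_vlan}) - t["allowed"]:
        findings.append(("trusted-vlan-missing", sorted(missing)))
    return findings

# Constructed sample: matches the trunk description in the 3550 thread.
GOOD = """
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,199
 switchport mode trunk
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 100
 switchport mode trunk
"""

# Constructed sample: default native VLAN on both ports, access VLAN leaked
# onto the untrusted trunk, management VLAN missing from the trusted trunk.
BAD = """
interface FastEthernet0/23
 switchport trunk allowed vlan 10
 switchport mode trunk
interface FastEthernet0/21
 switchport trunk allowed vlan 10,100
 switchport mode trunk
"""

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_cas_trunks(cfg, "FastEthernet0/21", "FastEthernet0/23", {100: 10}, 199))
```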

  • NAC OOB logoff feature not working

    Hi all,
    I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).
    It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).
    I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent
    I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?
    Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.
    I appreciate your responses
    ~Xavier

    Here are my configs if necessary. Tell me if anything else is needed.
    User Management > User Roles
    List of Roles
    Edit Role
    Traffic Control
    Bandwidth
    Schedule
    Disable this role
    Role Name
    Role Description
    Role Type
    Normal Login Role Quarantine Role
    *Max Sessions per User Account             ( Case-Insensitive Session Identifiers             )
    (1 – 255; 0 for unlimited)  
    Retag Trusted-side Egress Traffic with VLAN (In-Band)
    (0 – 4095, or leave it  blank)(*This option has been deprecated, and it will be removed in  upcoming  releases)
    *Out-of-Band User Role VLAN
    VLAN ID VLAN Name                 (if left blank, it will default to the default access vlan             settings in the Port Profile)
    *Bounce Switch Port After Login (OOB)
    Enable               Disable               (This option is effective only when port profile is set to use it)
    *Refresh IP After Login (OOB)
    Enable               Disable               (This option only applies to L2 OOB Virtual Gateway with Role VLAN             as Access VLAN and switch port is NOT bounced after VLAN change)
    *After Successful Login Redirect to
    previously requested URL
    this URL:
    (e.g. http://www.cisco.com/)
    Redirect Blocked Requests to
    default access blocked page
    this URL or HTML message:
    *Show Logged-on Users
    User info
    Logout button
    Enable Passive Re-assessment                          (To enable Passive Re-assessment for OOB Agent             connections, you must also enable the OOB Logoff option at             Device Management > Clean Access > General Setup > Agent Login.)
    Re-assessment Interval
    (Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
    Grace Timer
    (Minimum of 5 minutes and maximum of 30 minutes)
    Default action on failure
    Continue Allow user to remediate Logoff user immediately
    (*only applies to normal login role)
    Device Management > Clean Access
    Certified Devices
    General Setup
    Network Scanner
    Clean Access Agent
    Updates
                Web Login   ·  Agent Login 
    User Role
    Unauthenticated Role(not common) role_engineer role_developer role_admin role_sales role_guest
    Operating System 
    ALL WINDOWS_ALL WINDOWS_XP WINDOWS_VISTA_ALL WINDOWS_7_ALL MAC_ALL MAC_OSX LINUX FREEBSD SOLARIS_ALL SOLARIS_86 SOLARIS_SPARC UNIX VMS OS2 PALM
    (By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)
    Enable OOB logoff for Windows NAC Agent and Mac OS X Agent        (This global option applies to all OOB CASs and user roles and  enables Agent logout and heartbeat timers for OOB Agent connections. You  must also enable this option for Passive Re-assessment to function with  OOB Agent connections.)
    Require use of Agent
    (for Windows & Macintosh OSX only)
    Agent Download Page Message (or URL):
               Network  Security Notice: This network is protected by a Cisco NAC  Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent  ensures that your computer meets the requirements for accessing this  network, and helps you keep your computer secure and up-to-date. 
    Please use the Agent to log in to the network.
    If you  don't have the Agent software yet, download it by clicking the button  below. After downloading the installation file, run it to complete the  installation.
    If you have already downloaded and installed the  Agent, please close this window and right-click the Agent icon in the  system tray and choose Login from the menu. Enter your usual network  user name and password in the login window.
    Require use of Cisco NAC Web Agent (for Windows only)
              Cisco NAC Web Agent Launch Page Message (or URL):
    Network  Security Notice: This network is protected by the Cisco NAC  Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC  Web Agent ensures that your computer meets the requirements for  accessing this network, and helps you keep your computer secure and  up-to-date.
    Please launch Cisco NAC Web Agent by clicking the  button below.
    Allow restricted network access in case user cannot use   NAC Agent or Cisco NAC Web Agent
              Restricted Access User Role: 
    role_engineer role_developer role_admin role_sales role_guest
              Restricted Access Button Text: 
    Restricted Network Access Message:
               Restricted  Network Access: If you cannot use a Cisco NAC Appliance  Agent, you can obtain restricted network access temporarily by clicking  the button below.
    Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
              Network Policy Link:  
    Logoff NAC Agent users from network on their machine logoff or shutdown after   
        secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)
         (Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
    Refresh Windows domain group policy after login
    (for Windows only)
    Automatically close login success screen after    
        secs
         (Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
    Automatically close logout success screen after    
        secs
    (for Windows only)
         (Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)

  • NAC OOB Logoff feature workaround ?

    Hi,
    We have a NAC OOB, Real-Ip Layer2 setup and the new option "Logoff Clean Access Agent users from network on their machine logoff or shutdown" does not apply when using OOB mode (which is annoying). Anybody found a way to make sure that when a users logs off from his PC he's automatically put back to the authentication VLAN ? We thought of maybe put a program in Windows XP logoff script that would disable/enable the NIC card but it seems a bit tricky...
    I'm sure I'm not the only one who's trying to find a solution for this. Hopefully Cisco will support this feature right from the clean access agent in a future release...
    Thanks.
    Dominic

    for now we are waiting for the feature to become available from Cisco in Q2 or Q3 of 2007.
    And yes, we are using SSO in a Windows XP - Windows 2003 environment.
    Dominic

  • NAC OOB Configuration

    Hi!
    I'm implementing a NAC OOB solution. The CAS and CAM are in the data center on a remote network, and I need to control the VLANs that my users access on my remote sites.
    How do i make them authenticate on the remote CAS? (the Cas is on an remote network)
    TKX
    Miguel

    Hi,
    Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
    You have L2/L3 mode.
    You have OOB/InB mode.
    You have Real-Ip/Virtual gateway mode.
    You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
    The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
    You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Firefox on hp laptop always open with option of safe mode or reset how can i get it to open without option.desktop doesn't do this. Doug

    I set up firefox on laptop first and it always requires that i choose to open in safe mode or reset toolbar, how can i change this without reinstalling firefox. My desktop does not require that i do all that it opens with everything in place. I don't know what i did different when i downloaded it on desktop.
    Doug

    Make sure that you do not have the Shift key pressed when you click the desktop shortcut to start Firefox.
    Also check the Properties via the right-click context menu that the -safe-mode switch isn't appended to the target (command) line.
    http://support.mozilla.com/kb/Firefox+is+stuck+in+Safe+Mode

  • How to I get my phone out of recovery mode without resetting it to factory

    My phone is stuck in recovery mode. I'm just wondering if there is a way to get it out of recovery mode without resetting it to factory settings. I don't have any recent back-up available. There are alot of photos on my phone I would prefer not to lose by ressetting it back to factory.

    You don't. Once it's in recovery mode, anything that was on the phone is already gone.

  • Urgent-NAC OOB VG Deployment

    hi all,
    I am in the middle of the design of a NAC OOB Virtual Gateway.
    I have the following doubts regarding the placement of the NAC Server in my existing network
    I have two Core ( redundancy -HSRP ) running VTP & 25 Edge Switches ( VTP Client )
    According to CISCO , we can place NAC Server either in the Core or distribution Switches only , not on the edge switches, in OOB Virtual Gateway deployment.
    But currently my existing core switches is not having copper connectivity, customer don't want to invest on core switches.
    so I have to forcefully move the NAC server to one of the EDge Switches with both interfaces ( trusted & untrusted ) connected to same Edge switch, but CISCO is not recommending to do so in NAC OOB VG Deployment.
    I need to know why we cannot place NAC server at one of the Edge Switches. ( NAC OOB VG Deployment ) , what are the issues behind that ?
    One more thing is that, as my network is running VTP, what are the things to be considered during the design of a NAC OOB VG deployment?
    I am attaching the network diagram, please go through that.
    Expecting your valuable suggestions.
    Regards
    Dileep

    Dileep,
    You can put them on the edges, but you have to make sure you extend all the VLANs necessary to that edge. It's just bad design, but I don't see why it won't work.
    Unfortunately you don't have enough details in the map you provided to get a more detailed answer :-)
    HTH,
    Faisal

  • NAC OOB

    dear all,
    I have this outline in my lab:
    I use L3 OOB VG,
    quarantine VLAN 100(172.16.100.0/24), Access VLAN 10(172.16.10.0/24).
    The untrusted interface IP 172.16.100.1
    The trusted interface IP 172.16.10.3
    Router's interface for Access VLAN 172.16.10.1
    and the CAM ip 192.168.1.1/24
    When I connect a PC to a switch, the switch changes the port to VLAN 100 and the PC obtains an IP address 172.16.10.5 which is what I expected.
    The problem is that the PC can not get the login page.
    Could anyone help please? thanks.

    Hello,
    You specified that you are OOB VG mode, if this is correct, then only VLAN ID number is translated from your untrusted auth VLAN (100) to your trusted, production VLAN (10) so the IP address obtained from your untrusted VLAN will not have to be renewed or changed when bounced to the VLAN 10 or prod VLAN. Also, make sure when in the Auth VLAN (100), that your default GW points to the IP address of the CAS, so it sees traffic go through, then the agent will trigger and ask for authentication...
    Dominic

  • After having upgraded my iPhone 4S to iOS 7.0.2, I can not turn on Wi-Fi or Bluetooth. After trying various tricks I found via online forums such as software reset, enable Airplane mode, and resetting the network settings, I have now also completed reset

    After having upgraded my iPhone 4S to iOS 7.0.2, I can not turn on Wi-Fi or Bluetooth. After trying various tricks I found via online forums such as software reset, enable Airplane mode, and resetting the network settings, I have now also completed reset of the phone WITHOUT success. Is there something more to it? If not learn hardly be any more iPhone for me. Really disappointed. Grateful for help!

    If you have tried all of the steps in this support document http://support.apple.com/kb/TS1559 and have completed all of the user troubleshooting, restart, reset, restore from backup, restore as new, then make an appointment with the Apple store to have the hardware checked.

  • When I use Firefox without menu bar I can see bookmarks. How ever when I activate menu bar the bookmark is missing from toolbar. I tried opening in safe mode and resetting toolbar but it didn't fix the issue. I am using version 7.0

    When I use Firefox without menu bar I can see bookmarks. How ever when I activate menu bar the bookmark is missing from toolbar. I tried opening in safe mode and resetting toolbar but it didn't fix the issue. I am using version 7.0

    Do you mean the Bookmarks Menu button on the Navigation Toolbar?
    You only see that button if the menu bar is hidden.

  • I have no navigation bar and firefox will not open in safe mode to reset to default config. Reinstalling doesn't work. Any help please.

    I have no navigation bar ever since I closed it to gain more space on the screen. It won't re-open. Firefox will not open in safe mode, but opens immediately in normal mode with the new improper config, so I cannot reset to default config. I erased Firefox and re-installed and it still opens with the same faulty config. Why does Firefox not give me the safe mode dialog box, why can I not re-open the nav bar, and how can I do these two things, please? Firefox is currently unusable for me without a nav bar and without access to the default settings in safe mode. I cannot research the extensions I'm running since I have no nav bar to go to Tools, Add-ons, Extensions.
    == This happened ==
    Every time Firefox opened
    == I closed the navigation bar to gain more space on the screen and I couldn't re-open it. ==
    == User Agent ==
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB6.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

    Hit the Alt key to show the Menu bar, then open View > Toolbars and select Menu bar and Navigation bar, so they have a check-mark.

  • Ipod nano stuck in disk mode and reset mode

    My ipod which I haven't used for long came into my sight and I tried to use it and the battery was out. OK, so I charged it through my computer Windows XP with the usb. Of course my itunes program detected my nano. And it kept telling me to upgrade my nano so I clicked OK. After 2 or 3 mins it was completed and it said to wait until nano reboots itself. But it won't... so I pulled it out.
    Ok when I turned it on the gray screen with the apple logo in the middle appeared. It won't move anymore so I reset it by pushing the center and the menu button and endless circulation began. 4 secs later it blacked out and right after, the gray screen appeared again and again... until the battery was out. So I came here and knew about the center and play button so I tried it and it worked, so I was able to see my ipod on my itunes, which did not appear before, and now it keeps on telling me to restore it because it was damaged. So I did, and now it came back as new. I wrote my new ipod name ...etc. and after that I pulled it out. Now it's stuck in disk mode and I can't move on...
    I'm sorry the article is long but please help me!

    Thank you, it worked just fine. I guess Apple has replaced operating instructions for these forums! Again, thanks for the help.
