NAC Server without NAC manager

Similar Messages

• NAC Server and NAC Manager installation

  Hi experts,
  When I've tried adding NAC Server to NAC Manager in CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
  Is there anything I can do for solving this?
  I'm new for NAC Manager and Server installation.
  The version using is 4.8.2
  BTW, I don't know how to generate SSL certificates (not temporarily) for installation, can anyone help also?
  Thanks in advance!
  Regards,
  Daniel

  Hi Daniel,
  this is related to the certificate issue.
  just generate temp certificate in NAM and NAS.
  Export the certificate along with key and store it in different location.
  then in SSL option there is trusted certificate authority
  load NAS certificate in NAM and NAM certificate in NAS. then try to configure or add NAS to NAM.
  it will work.

• Stop managed server without node manager and admin server

  What are the commonly used ways to stop managed Weblogic server without node manager running and without administration server running?
  (I have only one solution: on the managed server startup dump process ID to a file, and then when I want to stop it, send a signal to this process ID and kill JVM. But it seems not very clean way.)
  (The managed server is started when both node manager and admin server are down, and I provide boot.properties of admin server to the managed server to start.)
  UPDATED: And I don't want to start neither admin server, nor node manager even temporarily.
  Edited by: user12163080 on Jun 24, 2010 4:40 AM

  Hai,
  I read the Oracle weblogic wlst script document without Admin server you cannot connect the managed server through the WLST script. see the below lines
  "The start command starts Managed Servers or clusters in a domain using Node Manager.
  To use the start command, WLST must be connected to a running Administration Server.
  To start Managed Servers without requiring a running Administration Server, use the
  nmStart command with WLST connected to Node Manager."
  "You shut down a server to which WLST is connected by entering the shutdown command
  without any arguments.
  When connected to a Managed Server instance, you only use the shutdown command to shut
  down the Managed Server instance to which WLST is connected; you cannot shut down another
  server while connected to a Managed Server instance.
  WLST uses Node Manager to shut down a Managed Server. When shutting down a Managed
  Server, Node Manager must be running.
  In the event of an error, the command returns"
  They are two option if you are using adminserver then we can stop the any Managed server.
  The option is if you are using the nodemanager without admin server we can stop the any Managed server.
  The last final solution to kill the particular Managed server pid.
  Regards,
  S.vinoth babu

• Starting manged server without node manager

  Hi All
  I know that we can start managed servers from admin console but for that we have to have node manager on that machine running.
  But I want to know,if I dont want to use node manager,can i start some how managed servers from admin console.That is if my node manager is not running,can i start the managed servers using admin console.
  Please let me know if it is possible or not.
  Thanks in advance.
  DJ

  Without the node manager running, you cannot start the managed servers from the admin console.
  There are other options you can use to start the managed servers though, which i guess you might be aware of.
  Just in case you don't, it's nicely documented by Atul @ http://onlineappsdba.com/index.php/2008/08/03/oracle-weblogic-server-startupshutdown/
  Hope this helps.
  Thanks,
  Patrick

• Unable to start SOA server through Node Manager

  Hi All,
  I am trying to install AIA 11.1.1.6.0 on the top of SOA Suite 11.1.1.6.0.
  I was able to install successfully the weblogic server, rcu, soa and osb servers. Now, before installing the AIA, the document i am following it says, make sure to start the soa server through the node manager.
  Now i start the admin server, then the node manager, to make sure i have checked that the node manager is up, i logged in to the weblogic console, went to Machines, and i can see that it is up and reachable.
  Now using the WLST commands, first i connected to the node manager using command nmConnect(), then i am trying to start the soa server through node manager using the command start('soa_server1') command.
  I am getting an error while trying to start soa server with nmStart() command, below is the error message...
  "Error starting server soa_server1: weblogic.nodemanager.NMException: Exception while starting server 'soa_server1'"
  I executed the dumpStack() command, and i am getting the output as "No stack trace available"
  If i am able to start the soa server through the node manager, i can go ahead and install the AIA pack but this is not letting me go forward.
  I also tried to start the soa server through the weblogic console., go to servers tab, select the soa_server1 and start, the soa server state is going to "FAILED_NOT_RESTARTABLE".
  I followed some of the blogs like...
  http://neeraj-soa-tips.blogspot.com/2010/06/starting-admin-and-managed-servers.html
  http://www.javamonamour.org/2011/09/nmconnect-nmstart-nmkill.html
  Experts, please give your advice.
  Many Thanks,
  N

  Hi Narsing,
  I'm assuming that you've followed the required Pre-config steps. If it is not working, I'd suggest to start the Admin and SOA server without node manager first. Then start your node manager and see if it is reachable from the WLS console. Then shut down your SOA server from command prompt and restart your SOA server from WLS console.
  Verify the Listen Address of your Node Manager and start your node manager from command prompt by explicitly specifying the same address and port.
  As WLS console internally uses node manager only to start your server, you would not need to use WLST scripts to do the same and only SOA server needs to be started using node manager.
  Regards,
  Neeraj Sehgal
  Hi Neeraj,
  I made sure that in the weblogic console, in the machines tab, local machine-->configuration--->Node Manager, I have given the correct Listen Address (Narsing-PC) and the listen port 5556.
  I have made sure the property StartScriptEnabled= true.
  I have started the admin server through startWebLogic.cmd command, now i start the node manager by going to the C:\Oracle\Middleware\wlserver_10.3\server\bin and running the command startNodeManager.cmd, then i go to the weblogic console--->servers--->control--->soa_server1--->start , it is going to      FAILED_NOT_RESTARTABLE status.
  If i see the log messages in the nodemanager.log, this is the below message...
  <Jun 28, 2012 11:25:09 PM> <INFO> <soa_domain> <soa_server1> <Server output log file is 'C:\Oracle\Middleware\user_projects\domains\soa_domain\servers\soa_server1\logs\soa_server1.out'>
  <Jun 28, 2012 11:25:11 PM> <INFO> <soa_domain> <soa_server1> <Server failed during startup so will not be restarted>
  <Jun 28, 2012 11:25:11 PM> <WARNING> <Exception while starting server 'soa_server1'>
  java.io.IOException: Server failed to start up. See server output log for more details.
       at weblogic.nodemanager.server.AbstractServerManager.start(AbstractServerManager.java:196)
       at weblogic.nodemanager.server.ServerManager.start(ServerManager.java:23)
       at weblogic.nodemanager.server.Handler.handleStart(Handler.java:609)
       at weblogic.nodemanager.server.Handler.handleCommand(Handler.java:121)
       at weblogic.nodemanager.server.Handler.run(Handler.java:71)
       at java.lang.Thread.run(Thread.java:662)
  The log message in the soa_server1.out file is as below...
  Starting WLS with line:
  C:\Oracle\MIDDLE~1\JDK160~1\bin\java -client -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,address=8453,server=y,suspend=n -Djava.compiler=NONE -Xms512m -Xmx1024m -XX:PermSize=128m -XX:MaxPermSize=512m -Dweblogic.Name=soa_server1 -Djava.security.policy=C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\weblogic.policy -Dweblogic.system.BootIdentityFile=C:\Oracle\Middleware\user_projects\domains\soa_domain\servers\soa_server1\data\nodemanager\boot.properties -Dweblogic.nodemanager.ServiceEnabled=true -Dweblogic.security.SSL.ignoreHostnameVerification=false -Dweblogic.ReverseDNSAllowed=false -Xverify:none -da:org.apache.xmlbeans... -ea -da:com.bea... -da:javelin... -da:weblogic... -ea:com.bea.wli... -ea:com.bea.broker... -ea:com.bea.sbconsole... -Dplatform.home=C:\Oracle\MIDDLE~1\WLSERV~1.3 -Dwls.home=C:\Oracle\MIDDLE~1\WLSERV~1.3\server -Dweblogic.home=C:\Oracle\MIDDLE~1\WLSERV~1.3\server -Dcommon.components.home=C:\Oracle\MIDDLE~1\ORACLE~1 -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1 -Djrockit.optfile=C:\Oracle\MIDDLE~1\ORACLE~1\modules\oracle.jrf_11.1.1\jrocket_optfile.txt -Doracle.server.config.dir=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1\config\FMWCON~1\servers\soa_server1 -Doracle.domain.config.dir=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1\config\FMWCON~1 -Digf.arisidbeans.carmlloc=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1\config\FMWCON~1\carml -Digf.arisidstack.home=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1\config\FMWCON~1\arisidprovider -Doracle.security.jps.config=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1\config\fmwconfig\jps-config.xml -Doracle.deployed.app.dir=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1\servers\soa_server1\tmp\_WL_user -Doracle.deployed.app.ext=\- -Dweblogic.alternateTypesDirectory=C:\Oracle\MIDDLE~1\ORACLE~1\modules\oracle.ossoiap_11.1.1,C:\Oracle\MIDDLE~1\ORACLE~1\modules\oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol"|"oracle.fabric.common.classloaderurl.handler"|"oracle.fabric.common.uddiurl.handler"|"oracle.bpm.io.fs.protocol -Dweblogic.jdbc.remoteEnabled=false -Doracle.security.jps.policy.migration.validate.principal=false -da:org.apache.xmlbeans... -Dbpm.enabled=true -Dsoa.archives.dir=C:\Oracle\Middleware\Oracle_SOA1\soa -Dsoa.oracle.home=C:\Oracle\Middleware\Oracle_SOA1 -Dsoa.instance.home=C:\Oracle\MIDDLE~1\USER_P~1\domains\SOA_DO~1 -Dtangosol.coherence.clusteraddress=227.7.7.9 -Dtangosol.coherence.clusterport=9778 -Dtangosol.coherence.log=jdk -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Dweblogic.transaction.blocking.commit=true -Dweblogic.transaction.blocking.rollback=true -Djavax.net.ssl.trustStore=C:\Oracle\MIDDLE~1\WLSERV~1.3\server\lib\DemoTrust.jks -Dem.oracle.home=C:\Oracle\Middleware\oracle_common -Djava.awt.headless=true -Dbam.oracle.home=C:\Oracle\Middleware\Oracle_SOA1 -Dums.oracle.home=C:\Oracle\Middleware\Oracle_SOA1 -Dweblogic.management.discover=false -Dweblogic.management.server=http://localhost:7001 -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=C:\Oracle\MIDDLE~1\patch_wls1036\profiles\default\sysext_manifest_classpath;C:\Oracle\MIDDLE~1\patch_oepe180\profiles\default\sysext_manifest_classpath;C:\Oracle\MIDDLE~1\patch_ocp371\profiles\default\sysext_manifest_classpath;C:\Oracle\MIDDLE~1\patch_adfr1111\profiles\default\sysext_manifest_classpath weblogic.Server
  FATAL ERROR in native method: JDWP No transports initialized, jvmtiError=AGENT_ERROR_TRANSPORT_INIT(197)
  ERROR: transport error 202: bind failed: Address already in use
  ERROR: JDWP Transport dt_socket failed to initialize, TRANSPORT_INIT(510)
  JDWP exit error AGENT_ERROR_TRANSPORT_INIT(197): No transports initialized [../../../src/share/back/debugInit.c:690]
  <Jun 28, 2012 11:25:11 PM> <FINEST> <NodeManager> <Waiting for the process to die: 4808>
  <Jun 28, 2012 11:25:11 PM> <INFO> <NodeManager> <Server failed during startup so will not be restarted>
  <Jun 28, 2012 11:25:11 PM> <FINEST> <NodeManager> <runMonitor returned, setting finished=true and notifying waiters>
  Someone please help, if i am able to start the soa manged server, i can go ahead and install the AIA Foundation pack...
  Many Thanks.

• Unable to add server to the manager nac version 4.7

  hi all,
  I cannot add my nac server 3310 to nac mgr 3310 version 4.7. Its showing ssl error. Both the time in server and manager are synchronized.we can reach server from manager and vice versa.
  I am attaching the screen shots of the event log
  can some one help me on sorting out this issue.
  regards dileep

  Pranavam,
  Add the CAS cert to the CAM store, and the CAM cert to the CAS store and try again
  HTH,
  Faisal

• Doubt adding NAC Server to Manager

  Hi all.
  I have a pair of managers in HA mode and a pair of servers in HA mode. The solution is working in OOB Virtual Gateway.
  When i add the server in the manager, which IP address must i use, the service IP address or the physical Ip address.
  I'm running 4.8.2
  Thank you!!
  David

  Beware when downloading the OOB Server Failover license to use the Primary MANAGER MAC address in the license generation. Otherwise it will not work.
  Additionally make sure that time is synchronous between the CAM and CAS and that the CAM's certificate is trusted by the CAS and vice versa.

• Difference between NAC profiler/collector and NAC server

  Hi,
  could anyone tell me the difference between NAC collector and NAC server?
  Thank you very much.
  Best regards.
  Giuseppe

  Sorry edunn, but your description of the NAC Collector is not particularly helpful. If I may:
  The NAC Profiler/collector is OEM'd from Great Bay Software. It performs automatic whitelisting of agentless devices, like IP phones and PBXs, printers, etc. In a NAC deployment without the profiler you'd have to go in to the NAC Server and manually enter the MAC addresses and/or IP addresses of devices that should bypass authentication and/or posture assessment. In a small environment that's not a big deal, but with multiple offices and/or subnets (with lots of phones or printers) this can be a hassle. Its also a big risk: If I know you're whitelisting by mac/IP I'll just go to a printer, print out its config page, set my NIC to have the same settings, and boom - I've just bypassed your $$ NAC solution, thankyouverymuch.
  The nice thing about the NAC profiler is that its -not- static: every time a switchport goes up/down, or a new MAC address is detected, an SNMP trap gets sent to the profiler. You can also forward (via ip-helper) all DHCP requests to the profiler (it doesn't respond or issue an IP address, of course, but it does look at what options you requested.) It will look at the MAC vendor address, IP address, DHCP options, network traffic (via Netflow), SPAN port traffic, has an open port (eg. 9100 or 515 for printing) or a combination of the above, and dynamically whitelist agentless devices based on confidence level.
  Its sort of like a reverse Turing test: if a device says its 'dumb' (no agent) AND acts the way its supposed to, it gets whitelisted. But if the Profiler starts seeing a supposed printer surf the Internet (or start receiving traffic on a port it should, or whatever), then it dynamically removes it from the whitelist, and now it will need to authenticate and pass posture.
  You can define different profile groups and what parameters are required for each, and set which groups get whitelisted.
  So basically the NAC Server is the gatekeeper, the NAC Manager is the global policy manager, and the NAC Profiler is the automatic whitelister.

• Cisco NAC server hang issue

  Hi All Cisco NAC Experts,  I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
  The issue was already happened for few time on the same server and the symptom when NAC server hung includes no response to ICMP ping, no response to SSH request, no response for access request to CAS management page via https, HA pair was detected down from its HA neighbor and triggered failover to secondary CAS.
  The CAS server was recovered after manually power cycle the hardware. 
  After went through the attachment CAS logs, I found all the services and logging service were stopped when the issue happening but unfortunately there is no any suspicious activity was logged down before or during the issue happening.
  I have also tried to search on Cisco Bug Toolkit but no similar case was found, I believe it was not caused by software bug due to the software version 4.8.1 is running in my company for years and only one CAS server having the issue.
  That will be great if any one can help me out for the same.
  Thanks,
  Eric

  Hi Bro
  This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
  If all else fail, then a hardware swap would seem like the next best thing.

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• What happens when NAC Server License Exceeds ?

  Hi all,
  Got a simple question for which I could not find the explanations ?
  I know that licensing is run by the endpoints which are in Online User (posture assessed) list.
  Lets say I purchased a NAC server with 100 License. What happens if a client connects to the network as the 101th user ? Is there a flexible licensing option as in other security products of Cisco ?
  Also anyone has any info about the roadmap of licensing for Cisco NAC products ? Such as central management of licenses, license pools or etc. ?
  Thanks in advance.
  Any comments appreciated.
  Dumlu

  Thanks a lot.
  You said "BPEL developer should make sure unique value is supplied for correlation..",but I am confused,
  "BPEL developer" means business process developer(process caller) or bpel engine developer(process runtime enviroment developer) ?
  This afternoon,I installed oracle PM and did some tests. The bpel server creates two process instances which have the same correlation data.

• NAC Server still in "Fallback: Allow All" state

  Hi Guys,
  i have a strange behaviour under my NAC Server.
  Today I saw that my NAC Server is in Fallback: Allow All state and the CAM is in Manager: DEAD but
  in the CAM web administration i can access that CAS.
  The CAS can ping the CAM too.
  there are two things that were changed in the last month.
  The CAM was moved to other city and they are using a 2MB link connection between them.
  The IP Address of the CAM was changed.
  I've checked my link connection between them because my CAM is in a different city  of the CAS but my link is in 50% load.
  Does anyone know any possibilitie to solve this?

  Hi,
  Are you using ip based certs or domain name? Also make sure when you do an nslookup that the CAS is able to resolve the ip address of the CAM. Also check your firewall and make sure that you are allowing all ip traffic between the CAS and the CAM.
  Also check yoru certs on the CAM and make sure that they havent expired. Are you using a standalone CAM and CAS setup are are they in failover configuration?
  Thanks,
  Tarik

• Question concerning NAC server

  Does the NAC server have the ability to provide bandwidth usage limiting on a per user or per device basis.  The feature list I have seen doesn't seem to list this option.
  Thank you

  It can do that yes.
  On the clean access server configuration page (through the manager), go to "filter" , "Roles", "bandwidth"
  You can set bandwidth restriction per role (so a kind of group of users). You can also chose to share the limitation between all the clients currently connected in that group, or to give that limitation to each client.
  Example if you restrict to 100Kb/s the user role "marketing", then you can either have the whole marketing department limited to 100kb/s regardless of the number of marketing users connected or say that each marketing employee is restricted to 100kb/s.
  I hope this answers.
  Nicolas

• Cisco NAC Server

  Hello! Help me please!
  Im perform installation Cisco NAC Server 3315 ver. 4.8(2) but after that I cann't connect to Server by https - HTTP 403 Forbidden. And I can connect to NAC Server by ssh.
  What could be the reason?

  While rebooting , i am getting this:
  Starting nc_drivers:  /dev/nfastpci0
  [  OK  ]
  Starting nc_hardserver:  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  nCipher server did not start; see /opt/nfast/log/hardserver.log
  [FAILED]
  Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
  key_load_private_pem: RSA_blinding_on failed
  Could not load host key: /root/.perfigo/sec/tomcat.key
  Disabling protocol version 2. Could not load host key
  sshd: no hostkeys available -- exiting.
  [FAILED]
  Starting xinetd: [  OK  ]
  Starting console mouse services: [  OK  ]
  Starting nessusd: Loading the Nessus plugins...
  All plugins loaded                                  
  [  OK  ]
  Starting crond: [  OK  ]
  Starting anacron: [  OK  ]
  Starting atd: [  OK  ]
  Starting jexec:  Starting jexec services[  OK  ]
  Starting Ncipher services
  -- Running startup script 45drivers
  -- Running startup script 46exard
  -- Running startup script 50hardserver
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  waiting for nCipher server to become operational ...
  nCipher server did not start; see /opt/nfast/log/hardserver.log
  Starting perfigo:  click: starting router thread pid 2092 (f7b7d340)
  Failed execute command : CONNECTFORCE, Error : Connection refused
  BaseAgent process reconnecting...
  Failed execute command : ACTIVE, Error : Connection refused
  BaseAgent executes [ACTIVE] ...
  Link Detect Manager only operates when HA is enabled.
  NFastApp_Connect failed: ServerNotRunning
  And then in the hardserver log I am getting nCipher card not in operational mode. Please change the settings on the card.
  How to resolve the issue.
  Thanks
  Shalvi Yadav

• NAC server is not available on the network

  I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking win7 x86 machines. Occassionly users are getting 'NAC server is not availble.... try disconecting and connecting to the network to start a new connection' When I  try to reproduce the issue it is not happening. It happens randomly here and there. What are the possible reasons fro this issue. Since ISE is not getting posture result, and the machine remain in in posture check 'unknown' stage. I am in half way of rollout and it is stoping me to further rollout. IIf anybody knows, please advise.........

  Hi,
  I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but havent seen any in the past 2 weeks. Also which supplicant is the client running and do they see these on the laptops or machines that have both wired and wireless connections?
  The reason I ask is that the native windows supplicant tends to connect to both networks (wired and wireless), this can can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
  the bug cisco provided me is related to "CSCuc70607".
  Hope this helps,
  Tarik Admani
  *Please rate helpful posts*