OOB Wireless NAC Problem

All,
I have a strange problem that I was wondering if anyone can shed any light on.
I have a 4400 WLC that is authenticating users against a Cisco 3310 Guest server. Once authenticated, they are not being moved from the Authentication VLAN on the CAM.
I see the users created on the CAM. I see the device identified on the CAM from the SNMP trap sent by the WLC. I see the RADIUS accounting packet sent from the CAS to the CAM and the user listed under active users on the CAS. However, I never see any users listed on the CAM or identified in the OOB users list.
I have Role mapping set up, but although I get successfully logged in, it would seem that the CAS/CAM does not recognise this and switch the user from the auth VLAN to the access VLAN. If I check the client status on the WLC, I see all authentication correct, just the state set to Quarantine.
I am going round in circles here.

Similar Messages

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to set up a NAC OOB Virtual GW scenario (attached is the Visio schematic of the setup):
    Switch: 3550 (IOS 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration of the trunks to the CAS:
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host, once connected to a managed port, is able to acquire an IP from the access VLAN from the DHCP server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> CAS' IP, with trusted DNS my DNS server 192.168.99.1)
    - Managed subnet with unused IP in access VLAN (192.168.10.253) and VLAN ID that of the auth VLAN (100)
    - VLAN mapping between untrusted VLAN 100 and trusted VLAN 10
    - tried to access a website resolvable by my DNS from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the CAS' login page from the host, in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed port (assigned to the managed VLAN 100) and it is assigned an IP from the access VLAN 10, shouldn't I be able to access the managed subnet, since I configured the IP traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's IP with "nslookup x.com", since DNS traffic is configured by default and the trusted DNS server 192.168.99.1 is also configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature

    Cisco Catalyst Switch Model   Virtual Gateway Central Deployment        Virtual Gateway Edge Deployment
                                  (both interfaces into same switch)        (each interface into different switch)
    6000/6500                     Yes                                       Yes
    4000/4500                     Yes                                       Yes
    3750/3560 (L3 switch)         Yes with 12.2(25)SEE and higher [1]       Yes
    3550 (L3 switch)              No [1]                                    Yes
    3750/3560 (L2 switch)         Yes                                       Yes
    3550 (L2 switch)              Yes                                       Yes
    2950/2960                     Yes                                       Yes
    2900XL                        No [2]                                    Yes
    3500XL                        Yes                                       Yes
    28xx NME                      Yes with 12.2(25)SEE and higher [1]       Yes

    [1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    [2] 2900 XL does not support removing VLAN 1 from switch trunks.

  • NAC OOB L3 remote problem

    Hi All,
    I have a remote site with the above design. "Login" is grayed out in the CAA. I ran tcpdump on the NAS, and I saw packets hitting eth1 on the NAS. In the NAM, I got this error message: "Unable to process out-of-band login request from [00:00:00:00:00:00 ## 10.111.18.3] Administrator. Cause: MAC address of 10.111.18.3 not found.".
    Any idea would be very much appreciated. If you need more information, please let me know. It's kind of urgent.
    Thanks
    Alex

    Hi Faisal,
    I am pretty sure SNMP is right. The switch has been added to the NAM successfully, so there is no SNMP issue. I have this problem for the users in the remote location only. Users in the local location can log in without any problem.
    Any suggestion would be appreciated.
    I am using a 500 Express switch in the remote site. Is it causing the problem?
    Thanks again.
    Alex
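As an added triage aid that is not part of any post in this thread: a Python script that parses the CAM error quoted above and walks the three OOB stages the opening post checks (device MAC learned via SNMP trap, user active on the CAS, OOB login accepted by the CAM), reporting the first stage that fails. The message format is taken from the single line quoted in this thread; the device table and active-user set are constructed sample data, not a CAM or CAS API.

```python
import re

# Regex for the CAM message format quoted in the thread above (built from that single line):
#   Unable to process out-of-band login request from [<mac> ## <ip>] <user>. Cause: <cause>.
OOB_ERR = re.compile(
    r"Unable to process out-of-band login request from "
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ## (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"(?P<user>\S+)\. Cause: (?P<cause>.*?)\.?$"
)
ZERO_MAC = "00:00:00:00:00:00"

def parse_oob_error(line):
    """Return the fields of a CAM OOB login error as a dict, or None for any other line."""
    m = OOB_ERR.search(line.strip())
    if not m:
        return None
    return {"mac": m["mac"].lower(), "ip": m["ip"], "user": m["user"], "cause": m["cause"]}

def diagnose_client(ip, snmp_devices, cas_active_ips, cam_errors):
    """Walk the OOB stages in the order the first post checks them; report the first one that fails.

    snmp_devices:   {ip: mac} the CAM learned from switch/WLC SNMP traps (constructed sample, not a CAM API)
    cas_active_ips: IPs shown under Active Users on the CAS (constructed sample)
    cam_errors:     dicts returned by parse_oob_error()
    Returns (code, detail); code is one of no-mac, not-authenticated, oob-rejected, ok.
    """
    errs = [e for e in cam_errors if e["ip"] == ip]
    mac = snmp_devices.get(ip)
    # Stage 1: the CAM must map the client IP to a MAC; an all-zero MAC in the error means it cannot.
    if mac is None or mac == ZERO_MAC or any(e["mac"] == ZERO_MAC for e in errs):
        return "no-mac", f"CAM has no MAC for {ip}: check the SNMP trap path from the switch/WLC to the CAM"
    # Stage 2: the user must be listed as authenticated on the CAS.
    if ip not in cas_active_ips:
        return "not-authenticated", f"{ip} is not an active user on the CAS: check the RADIUS/guest-server login"
    # Stage 3: the CAM must accept the OOB login before it changes the VLAN.
    if errs:
        return "oob-rejected", f"CAM rejected the OOB login for {ip}: {errs[0]['cause']}"
    return "ok", f"{ip} passed every stage; the client should be moved to the access VLAN"

# Constructed sample data: the error line quoted in the thread plus a healthy client for contrast.
SAMPLE_CAM_LOG = [
    "Unable to process out-of-band login request from [00:00:00:00:00:00 ## 10.111.18.3] "
    "Administrator. Cause: MAC address of 10.111.18.3 not found.",
    "Some unrelated CAM log line",
]
SAMPLE_SNMP_DEVICES = {"10.111.18.3": ZERO_MAC, "10.111.18.4": "00:11:22:33:44:55"}
SAMPLE_CAS_ACTIVE = {"10.111.18.3", "10.111.18.4"}

def run_sample():
    """Diagnose every sampled client; returns {ip: code}."""
    errors = [e for e in map(parse_oob_error, SAMPLE_CAM_LOG) if e]
    return {ip: diagnose_client(ip, SAMPLE_SNMP_DEVICES, SAMPLE_CAS_ACTIVE, errors)[0]
            for ip in sorted(SAMPLE_SNMP_DEVICES)}

if __name__ == "__main__":
    for ip, code in run_sample().items():
        print(ip, code)
```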

  • NAC Problem

    Hi!
    My implementation is VG-OOB-L2.
    I have this:
    VLAN Auth = 136, doesn't have any subnet associated
    VLAN Access = 140, subnet is 10.0.140.0/24
    Other VLANs when the user role works = 128, 144 and their subnets (10.0.128.0/24 and 10.0.144.0/24)
    When I connect my PC, my port changes to VLAN 136, I receive the login of the NAC Agent, I successfully log in, but my VLAN is not changed to VLAN 128, and my IP address is not changed either. The SNMP configuration is OK because in the first step, when I connect to the port, the VLAN is changed.
    My doubt about my config is:
    In interface eth1 (untrusted) of the CAS I have VLAN 136.
    In interface eth0 (trusted) of the CAS I have VLAN 140. My doubt: do I need to put VLAN 128 and 144 there?
    In managed subnets I have only the 10.0.140.0/24 subnet, which corresponds to VLAN 140. Do I need to put the 128 and 144 subnets?
    VLAN Mapping is 136-140.
    Why is it not working?
    Tks.

    Faisal,
    I solved the first problem; it was a dumb misconfiguration. What is happening now is that I have more than one user role, but only one auth VLAN. In the user roles I have 3 VLANs with 3 different subnets. The problem is: when a client authenticates it doesn't renew its IP address; it continues to use the same IP that it got when it was in the auth VLAN. I need the client to change its address to the correct subnet associated with the VLAN.
    We're using an OOB VGW L2 setup. In the access switch I can see that the port's VLAN is changed from the auth VLAN to the user role VLAN, but the client keeps the same IP address from the auth VLAN.
    Regards,

  • NAC problem with Samsung Galaxy Grand (Android)...!!!

    I tried accessing Wi-Fi through my Android mobile in my college, which has NAC installed. The MAC address of my device was successfully added to the portal, but I'm not able to connect my device to the respective Wi-Fi network.
    Can anyone suggest what the problem is?

    It is probably an issue with your NAC config.
    If it is an issue with all Android devices, then look into this:
    https://supportforums.cisco.com/message/3889346#3889346
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco NAC problem

    Hi Friends,
    I am facing problems in our NAC implementation. The AV popup is not showing. Also, the rules could not be downloaded. A screenshot is provided.
    Please suggest
    regards,
    Rajiv

    Rajiv,
    No screen shot attached to the post. If you haven't reviewed the posture assessment chalktalk/PDF already, that is also a very good place to start and check your setup against!
    Link for VODs: http://bit.ly/chalktalks Look at number 5
    HTH,
    Faisal

  • NAC Problem with Samsung Galaxy Tab

    I have a campus running Cisco Clean Access. My problem is this. When my wireless tablet with Android connects to the network and tries to access the internet, it takes me to the login page. Now I can put normal guest information in and then gain access to the internet for 5 secs, then no more access. When I check the summary logs on the CAS, it shows my device being added to the certified list as well as the MAC address list. I then check device management and confirm that my device is there under the guest role.
    I am not using any NAC agent.
    If I want to reconnect, I have to remove the device from device management and then I can restart the process with the same results as above. If I add an exemption to allow this device, then it can access the entire network/internet.
    My questions are these. Am I missing something obvious? Are Android devices not supported? Where would I go to further troubleshoot this?
    Thanks for any help.

    Are you running in-band or out-of-band? I am thinking you are running in-band since you mentioned the filter, but I just wanted to make sure. Also, what version of Clean Access are you currently running?
    You mentioned that you are able to access the internet for 5 seconds. What does that mean and how did you verify this?
    thanks,
    Tarik

  • Wireless mouse problems

    Hello all
    My wireless mouse will not scroll down; up is no problem. Can you help?
    Randy

    Hi Randy
    This refers to the Mighty Mouse but might also apply to yours:
    http://docs.info.apple.com/article.html?artnum=302417
    Steve

  • WRT160n V3 wireless connectivity problems?

    Recently I have been having problems connecting to my wireless connections. I have one PC that uses a wireless N card (internal, laptop) and I have one that uses G. Both laptops have been having connection issues, and it's intermittent. I have several other devices that connect fine. When I unplug the router for about 3 seconds and plug it back in, it reboots fine and I'm able to connect fine. I have also updated to the latest firmware but no changes. Any ideas on what is causing this?
    Regards,
    Howard

    As I have mentioned, there might be other devices or networks that interfere with your network. Try channel 1, 6 or 11. If the issue persists after trying each channel, try resetting it to defaults and starting the settings from scratch.

  • Wireless connection problem

    I changed the password on my wireless router, so I need to re-enter the new password on my iPhone 3GS so I can connect to it.
    Anyone got any ideas how?
    Thanks
    Paul

    Settings > Wi-Fi > press the blue arrow next to your Wi-Fi name > Forget this Network (at top). Then rejoin your Wi-Fi and enter the new password.

  • NAC problem. Can't add server.

    Hi all!
    I can't add a NAC server to the CAM. Error: Failed to add server: Conflicting Clean Access Server with IP address <10.52.244.146> must first be removed.
    I add the server with IP 10.52.244.194. I checked all the settings. This address is not used in the settings of the server with IP 10.52.244.146.
    In the logs I don't see useful information.
    Why do I have this error on the CAM?

    Jennifer. CSCtd27095 says: The repair updates only the CAS file locally. The fix/repair should update the CAM's database with the CAS's new SSKey. I reconfigured the perfigo service with the right SSKey on my CAS (10.52.244.194). It does not help. I can't reconfigure perfigo on my CAM, because 10 servers are in operation.
    P.S.
    When I delete the CAS with IP 10.52.244.146, then I can add the CAS (10.52.244.194). But when I just change the CAS IP 10.52.244.194 to, for example, 10.52.244.154, I still see this error.
    What creates a conflict between these servers?

  • Wireless connection problem

    Hello. We have 3 computers in the house. None of them is able to connect to the wireless connection of the printer. The printer is an Officejet 4500.
    http://gyazo.com/d556e5c68818293e142290e414d8746c
    Here are my router settings. Thanks for all help.

    Download and run this utility: http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?cc=us&lc=en&jumpid=ex_r4155/hho/ipg/ccdoc/p...
    What does it say?
    Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
    I am employed by HP

  • NAC/Wireless Design

    Hi!
    Looking for some input on some design options for NAC with a wireless deployment since OOB and IB are now both options.
    In a campus environment of up to 300 wireless users, in-band seems good so that we can have one SSID, but restrict a user login to a role and apply restrictions on the appliance, but I'm concerned about the common issue of the appliance becoming a bottleneck.
    My other thought too would be have multiple SSIDs (VLANs) and have multiple appliances handle certain VLANs, but this is pricey.
    In wireless OOB, it appears you can only have one "access" VLAN to map users to (I guess b/c that is all the WLC supports?), so that does not work for us as we need to have employees and guests (among others) separated.
    Please correct me on any misunderstandings.
    All insight appreciated. Thanks for the input!

    Your understanding is correct.
    For 300 wireless users, you may want to go inband and do enforcement at the NAC server level.
    For OOB, you need to make different SSID for different roles.
    e.g. Guest, Employees and Contractor
    You can look at the configuration example too for OOB Wireless NAC 4.5 here:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

  • Unstable speed on WRT54G

    Hello!
    I've been using my WRT54G v.2 for about 4 years now. I had a problem with it 3 years ago when I could not connect to the internet via wireless.
    I reset the box, and it was up and running again.
    But for the last few weeks I have had the same problem again and it doesn't help to reset the WRT54G.
    The speed should be 54 Mbps, but a few minutes after I reset it's down to 1 Mbps most of the time and I can't connect to the internet.
    Signal strength is excellent.
    My network: 1 PC connected to the WRT54G with cable (this PC works OK)
    2 laptops connected wirelessly (having problems)
    1 PC connected wirelessly (having problems)
    I have tried to connect all computers to the WRT54G with cable and they work OK. Also when I connect directly to the modem (supplier is Bluecom).
    Wireless Network Mode : Mixed
    Wireless Network Name (SSID) : Hmmmm, it is not linksys ;-)
    Wireless Channel : 11
    Wireless SSID Broadcast is Enabled
    Security Mode : WEP
    I set this after chatting with Linksys a few weeks ago:
    Beacon Interval : 50
    Fragmentation Threshold : 2306
    RTS Threshold : 2306
    MAC Address Clone is enabled
    It did not help!
    And Firmware Version is v4.21.1, Nov. 6, 2006
    I did the upgrade just after I started having problems.
    Anyone that can help me?

    After a firmware upgrade, you must reset the router to factory defaults, then setup the router again from scratch.  If you saved a router configuration file, DO NOT use it.
    Poor wireless connections are often caused by radio interference from other 2.4 GHz devices. This includes wireless phones, wireless baby monitors, Bluetooth (including Bluetooth game controllers), microwave ovens, wireless mice and keyboards, and your neighbor's wireless network. Even some 5+ GHz phones also use the 2.4 GHz band. Unplug these devices, and see if that corrects your problem.
    In your router, try a different channel. There are 11 channels in the 2.4 GHz band. Usually channel 1, 6, or 11 works best. Check out your neighbors, and see what channel they are using. Because the channels overlap one another, try to stay at least +5 or -5 channels from your strongest neighbors. For example, if you have a strong neighbor on channel 9, try any channel 1 through 4.
    Hope this helps.

  • Dropping Wi-Fi Connection

    I have an HP Envy Phoenix 810-160 which I purchased in April of 2014; it came with Windows 8.1 loaded. It has a Broadcom BCM4352HMP 802.11ac 2x2 Wi-Fi adapter. It keeps dropping the connection. The driver I have installed is 6.30.223.170 from 9/6/2013; I've tried updating the driver and it says my driver is current. When I go to list available networks, my network is listed with full signal strength. It won't connect and says it can't connect. I have to enable/disable the device in Device Manager and reboot, then I get anywhere from two minutes to an hour or so of functionality before it drops out again.
    I have been going through HP forums and Windows forums all day looking for a solution. I have followed all the troubleshooting steps I've found on the HP and Windows forums, though none have been specific to this model PC and wireless adapter. The only step I haven't tried is replacing the adapter. It's an 8 month old computer; I don't want to buy a new card for the computer. Especially since it's been connected to the internet since I received the computer; it was only this A.M., Dec 26, 2014, that the connection started to falter.
    I have tried to update the driver, uninstall and reinstall the adapter, and turn off the Bluetooth adapter. Currently, if I enable/disable the device a couple of times and reboot, I get a period of time where I remain connected, but eventually it drops the connection again.
    When I turn the computer on, the small white wireless indicator on the front of the computer comes on almost instantly. I see my home network with full signal strength, and two laptops and my iPhone right next to the computer connect to the same network with full signal strength.

    There have been dropouts previously, say when the router went down, etc. Those were the first things I checked.
    The only changes made were in regards to troubleshooting since this A.M. I've had to re-enter the password several times, but that's it. Nothing changed between the time it worked and the time it started dropping out.
    Running the troubleshooters from Windows kept showing a "Wireless Adapter Problem" which wasn't really specified, and I was able to reset it and get back online for a while before it dropped out again. Sort of like a heat problem, but shutting the computer off for a while didn't make it better.
    It says my connection speed is 1.44 MHz; not sure how to check 2.4 or 5 GHz?
    Good news with the driver so far; it hasn't dropped out yet.
