When Cisco NAC is used in out-of-band (OOB) mode, SNMP read and write functionality is critically important. The NAC Manager uses the SNMP write community to change the VLAN that individual switch ports are connected to. For example, after a user passes NAC authentication and posture assessment, the end computer is moved from the authentication VLAN to the access VLAN. If something stops this SNMP write packet from getting from the NAC Manager to the switch, then NAC functionality would be broken.
There is one IOS configuration command that can cause sporadic outages: “configuration mode exclusive”. It allows only one session to be in “configuration terminal” mode at a time, which is a great feature for making sure that two users are not making conflicting changes at the same time. It is a horrible feature to enable with NAC. The problem arises whenever a user is logged into an access switch in “configuration terminal” mode: while that session holds the configuration lock, any SNMP set command the NAC Manager sends to that switch fails. The symptom is that computers connected to access switches are not moved from the authentication VLAN to the access VLAN after successful NAC authentication and posture assessment. The NAC Manager log in /perfigo/control/tomcat/logs/nac_manager.log should show information related to failed communication with the affected switch.
Troubleshooting this problem is frustrating because the problem is only seen sporadically. If there are no sessions in “configuration terminal” mode, then the NAC Manager will work correctly. It is only when a “configuration terminal” mode session exists that the NAC Manager SNMP set command fails.
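Because the failure only shows up while someone holds a configuration session, it is easier to find the exposure in saved running-configs than to catch it live. The audit below is an added example, not code from the original post or from Cisco: it flags every switch whose config has “configuration mode exclusive” enabled and also grants an SNMP RW community (which is what NAC needs for the VLAN move). The switch names, community strings and config text are constructed sample data; the “auto”/“manual” keywords are assumed from the IOS configuration-locking syntax.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config excerpts for two hypothetical access switches.
# access-sw-1 has the exclusive config lock enabled; access-sw-2 does not.
SAMPLE_CONFIGS: Dict[str, str] = {
    "access-sw-1": """\
hostname access-sw-1
!
configuration mode exclusive auto
!
snmp-server community NAC_RO RO
snmp-server community NAC_RW RW
""",
    "access-sw-2": """\
hostname access-sw-2
!
snmp-server community NAC_RO RO
snmp-server community NAC_RW RW
""",
}

# 'configuration mode exclusive' with an optional mode keyword (auto/manual).
LOCK_RE = re.compile(r"^\s*configuration mode exclusive\b.*$", re.M)
# 'snmp-server community <string> [view <name>] RW ...' -> capture the string.
RW_RE = re.compile(r"^\s*snmp-server community (\S+)(?:\s+view\s+\S+)?\s+RW\b", re.M | re.I)


def find_config_lock(running_config: str) -> Optional[str]:
    """Return the exclusive-lock line (stripped) if present, otherwise None."""
    m = LOCK_RE.search(running_config)
    return m.group(0).strip() if m else None


def rw_communities(running_config: str) -> List[str]:
    """Return every SNMP community string that has write (RW) access."""
    return RW_RE.findall(running_config)


def audit_switches(configs: Dict[str, str]) -> List[Dict[str, object]]:
    """One record per switch. A switch is 'nac_at_risk' when the config lock is
    on AND an RW community exists: the NAC Manager's SNMP set for the VLAN
    change will be rejected whenever an operator is in config mode."""
    report = []
    for name, cfg in configs.items():
        lock, rw = find_config_lock(cfg), rw_communities(cfg)
        report.append({"switch": name, "lock": lock, "rw_communities": rw,
                       "nac_at_risk": lock is not None and bool(rw)})
    return report


if __name__ == "__main__":
    for r in audit_switches(SAMPLE_CONFIGS):
        if r["nac_at_risk"]:
            print(f"{r['switch']}: '{r['lock']}' present; OOB VLAN moves will fail "
                  f"while a config session is open (fix: no configuration mode exclusive)")
```

Point the script at real running-configs (one string per switch) instead of SAMPLE_CONFIGS to get the list of switches that need the command removed.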