Specifications, page 11-29
Cisco NAC Appliance - Clean Access Manager Configuration Guide, OL-28003-01
Chapter 11 Monitoring and Troubleshooting Agent Sessions
Online Users list
– Removing a user from the Out-of-Band Online Users list causes the VLAN of the port to be
changed from the Access VLAN to the Authentication VLAN. You can additionally configure
the Port Profile to bounce the port (for a Real-IP gateway). See Out-of-Band Users, page 11-31,
and Out-of-Band Users, page 3-68, for details.
Both Online Users lists are based on the IP address of users. Note that:
• For Layer 2 deployments the User MAC address field is valid
• For Layer 3 deployments the User MAC address field is not valid (for example, 00:00:00:00:00:00)
Only the Certified Devices List is based on client MAC addresses, and therefore the Certified Devices
List never applies to users in Layer 3 deployments.
For Out-of-Band deployments, OOB user entries always appear first in the In-Band Online Users list,
then in the Out-of-Band Online Users list. When user traffic is coming from a controlled port of a
managed switch, the user shows up first in the In-Band Online Users list during the authentication
process, then is moved to the Out-of-Band Online Users list after the user is authenticated and moved to
the Access VLAN.
Finally, the Display Settings tab lets you choose which user characteristics are displayed on each
respective Online Users page.
Note: When a user device is connecting to Cisco NAC Appliance from behind a VPN3000/ASA device, the
MAC address of the first physical adapter that is available to the CAS/CAM is used to identify the user
on the Online Users list. This may not necessarily be the adapter with which the user is connecting to
the network. Users should disable the wireless interface of their machines when connecting to the
network using the wired (Ethernet card) interface.
Interpreting Active Users
Once logged onto the Cisco NAC Appliance network, an active user session persists until one of the
following events occurs:
• The user logs out of the network through the browser logout page or Agent logout.
Once on the network, users can remain logged on after a computer shutdown/restart. A user can log
out of the network using the web logout page or Agent logout.
• The Agent user logs off Windows or shuts down the Windows machine.
You can configure the CAM and Agent to log off In-Band users only from the Clean Access system
when the user logs off from the Windows domain (i.e. Start > Shutdown > Log off current user)
or shuts down the machine (Start > Shutdown > Shutdown machine).
• An administrator manually drops the user from the network.
The Monitoring > Online Users > View Online Users page (IB or OOB) can be used to drop users
from the network, without deleting their clients from the Certified Devices List.
• The session times out using the Session Timer.
The Session Timer works the same way for multi-hop L3 (IB) deployments as for L2 (IB or OOB)
deployments and is set in User Management > User Roles > Schedule > Session Timer. It is set
per user role, and logs out any user in the selected role from the network after the configured time
has elapsed. For details, see Configure Session Timer (per User Role), page 8-17.
• The CAS determines that the user is no longer connected using the Heartbeat Timer and the CAM
terminates the session.
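The two points above, that the Online Users lists are keyed by IP (with an all-zero MAC for Layer 3 users, so the MAC-keyed Certified Devices List cannot cover them), and that a session ends when the per-role Session Timer elapses, can be checked offline against an exported user list. The following audit script is an added example, not part of the Cisco guide or the CAM itself; the rows, the certified MAC set and the per-role timer values are constructed sample data.

```python
"""Added audit helper for Cisco NAC Online Users exports (constructed sample data)."""
from dataclasses import dataclass

NULL_MAC = "00:00:00:00:00:00"  # MAC shown for Layer 3 users; not a real device address

@dataclass(frozen=True)
class OnlineUser:
    ip: str          # both Online Users lists are keyed by IP address
    mac: str
    role: str
    list_name: str   # "IB" (In-Band) or "OOB" (Out-of-Band)
    login_epoch: int

# Constructed sample rows; not a real CAM export.
IB_USERS = [
    OnlineUser("10.1.1.10", "00:11:22:33:44:55", "employee", "IB", 1_000),
    OnlineUser("10.2.2.20", NULL_MAC, "guest", "IB", 1_000),            # Layer 3 user
    OnlineUser("10.3.3.30", "00:aa:bb:cc:dd:ee", "employee", "IB", 5_000),
]
OOB_USERS = [
    OnlineUser("10.3.3.30", "00:aa:bb:cc:dd:ee", "employee", "OOB", 5_000),
]
CERTIFIED_DEVICES = {"00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"}
# Hypothetical per-role Session Timer values in seconds (configured per role on the CAM).
SESSION_TIMER_SEC = {"guest": 3_600, "employee": 28_800}

def audit(ib, oob, certified, timers, now):
    """Return {ip: sorted findings} for every user present in either list."""
    findings = {}
    oob_ips = {u.ip for u in oob}
    for u in ib + oob:
        notes = findings.setdefault(u.ip, set())
        if u.mac == NULL_MAC:
            # Certified Devices List is MAC-keyed, so it never applies to this user.
            notes.add("l3-no-mac")
        elif u.mac.lower() not in certified:
            notes.add("not-certified")
        if u.list_name == "IB" and u.ip in oob_ips:
            # OOB users sit in the IB list during authentication, then move to the OOB list.
            notes.add("ib-and-oob")
        if now - u.login_epoch >= timers[u.role]:
            notes.add("session-timer-expired")  # the role's Session Timer has elapsed
    return {ip: sorted(n) for ip, n in findings.items()}

if __name__ == "__main__":
    for ip, notes in audit(IB_USERS, OOB_USERS, CERTIFIED_DEVICES, SESSION_TIMER_SEC, 6_000).items():
        print(ip, notes or ["ok"])
```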