Hi Michael,

I have seen this behavior here. I guess you use the same subnets for both secure and non-secure SSIDs. In this case, if a user connects to the secure SSID, roams from one WLC to another WLC and then disconnects, the CAM fails to remove the user from the Device Management > Clean Access Servers > Authentication > VPN Auth > Active Clients list, because the CAM ignores the accounting-stop message from the 2nd WLC (its accounting ID is different from the one sent by the 1st WLC). Then if another user connects to the non-secure SSID and gets the same IP address as the previous secure user, the problem happens.

Cisco could not fix this issue on CAM or WLC. The workaround is to use different subnets for secure and non-secure SSIDs, and that did fix the issue.
---
Dennis Xu
Network Analyst
Networking and Security Cluster
Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Michael Simpson" <[email protected]>
To: [email protected]
Sent: Wednesday, 12 January, 2011 5:30:34 PM
Subject: Erroneous NAC Agent Auto Login

In our environment we have two SSIDs on a Cisco wireless OOB NAC deployment. Our secure SSID uses dot1x and passes the credentials via VPN Auth to allow for NAC Agent auto-logon. On the open SSID users should have to enter their credentials into the NAC agent manually to logon.

Lately I've noticed some machines logging into the NAC automatically even though they are on the open SSID. When I look for them in the Certified Devices List they show up with the "Cisco VPN" as the provider as if they were on the secure SSID. They are also associated with a user account that has never been on their machine (this seems quite random). If I kick them off from the Certified Device List their client will again auto logon with the same user account being used.

Has anyone seen this behavior or have any idea what could be causing it?

Thanks,
Michael Simpson
Network Engineer
Utah Valley University
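Added example, not part of the original thread and not Cisco code: a small audit script that replays accounting and lease events against a login table keyed strictly by accounting session ID, which is the matching behaviour the reply describes, and reports entries left behind by a roamed client's Stop and any later reuse of that IP by a different MAC. The event layout, WLC names, addresses and the use of a DHCP lease log are assumptions; all sample records are constructed.

```python
# Constructed sample events in arrival order (not real logs). Field names
# mirror RADIUS accounting attributes; "lease" rows stand in for a DHCP log.
EVENTS = [
    {"kind": "acct", "status": "Start", "nas": "wlc1", "sid": "A100",
     "user": "alice", "ip": "10.1.1.50", "mac": "aa:aa:aa:00:00:01"},
    {"kind": "acct", "status": "Start", "nas": "wlc1", "sid": "A101",
     "user": "bob", "ip": "10.1.1.51", "mac": "aa:aa:aa:00:00:02"},
    # bob never roams: his Stop carries the same session ID as his Start.
    {"kind": "acct", "status": "Stop", "nas": "wlc1", "sid": "A101",
     "user": "bob", "ip": "10.1.1.51", "mac": "aa:aa:aa:00:00:02"},
    # alice roamed to wlc2, which sends the Stop under a new session ID.
    {"kind": "acct", "status": "Stop", "nas": "wlc2", "sid": "B200",
     "user": "alice", "ip": "10.1.1.50", "mac": "aa:aa:aa:00:00:01"},
    # Open-SSID clients are later handed the two freed addresses.
    {"kind": "lease", "ip": "10.1.1.50", "mac": "cc:cc:cc:00:00:09"},
    {"kind": "lease", "ip": "10.1.1.51", "mac": "cc:cc:cc:00:00:0a"},
]


def find_stale_logins(events):
    """Replay events against a table keyed strictly by session ID."""
    active = {}    # Acct-Session-Id -> Start record still considered logged in
    findings = []
    for ev in events:
        if ev["kind"] == "acct" and ev["status"] == "Start":
            active[ev["sid"]] = ev
        elif ev["kind"] == "acct" and ev["status"] == "Stop":
            if active.pop(ev["sid"], None) is None:
                # Stop matched no session ID: is the same user/IP still listed?
                for s in active.values():
                    if (s["user"], s["ip"]) == (ev["user"], ev["ip"]):
                        findings.append(("orphan_stop", s["user"], s["ip"], ev["nas"]))
        elif ev["kind"] == "lease":
            # A different MAC now holds an IP that a stale entry maps to a user.
            for s in active.values():
                if s["ip"] == ev["ip"] and s["mac"] != ev["mac"]:
                    findings.append(("ip_reuse", s["user"], ev["ip"], ev["mac"]))
    return findings


if __name__ == "__main__":
    for finding in find_stale_logins(EVENTS):
        print(finding)
```

An "ip_reuse" finding marks the condition reported in the thread: a client on the open SSID holding an address that is still tied to another user's login.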
