We just started using NAC 4.8 Out-of-band Virtual Gateway and applied NAC to our encrypted 
SSID running on WCS/WLC 6.0 with 1142/1131 LWAPs.  This is our first use off NAC 4.1 and also 
deploying OOB.  We seem to have a problem, especially on mobile devices like the iPhone, where 
each session is requiring the device to re-auth regardless of being on the CDL.  Creating a device 
filter as a workaround works.  I'm having trouble finding the root issue as it seems not all users of 
the same device type have the issue.  For instance, I have an iPhone 4 user who gets locked in a 
safari page titled "Log In" showing the apple.com site, but none of that behavior on another iPhone 
4.  Re-auth and page re-direction seems to happen more for some iPhone 3GS users than others.  
I've seen my macbook re-auth me after waking from sleep last week, but today none of the 
behavior exists.  We have had the OOB port profile option "Change to Access VLAN if the device is 
certified but not in the out-of-band user list" set this whole time but have still had this issue on 
wireless.  None of the disconnect options for port profile are enabled.

Any ideas?  Anyone encounter an issue similar to this experience or know what the root 
cause/solution could be?  I'm making a TAC case, but thought I'd hit this list as well.

Thanks in advance.

-- 
Branden Kirk
Network Administrator, IT Operations
Biola University
(562)944-0351 x5032