CCA with ASA VPN Support

Unanswered Question
Jun 7th, 2007

Hello -

I have been working on a lab set up that I would like to be able to show to potential customers for NAC Appliance (or CCA). I had no problems when using NAC in L3 OOB as might be deployed in a routed LAN type of setting, but I am having a horrible time getting it to work L3-IB with VPN/SSO even though I am trying my best to go by the documentation:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

I find a few very confusing things about this document, and am suspecting that is where my trouble lies:

1) There is no mention of the RADIUS set up on this document other than to say "set it up". So I am wondering...

a) What version of ACS do I need? (3.3 currently).

b) Which RADIUS Service (IOS? IETF?)

c) What is the IP of the RADIUS server in that document? I see two addresses: 172.18.124.101 and 172.18.85.181. To make matters worse, there are discrepancies in the config of the ASA in that document which conflict with the screen shots.

Any help anyone can provide would be great.

Thanks,

Jason Bomar, CCIE #9316

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
pcomeaux Sat, 06/09/2007 - 11:59

Hi James -

Thanks for configuring NAC Appliance. We definitely want for you to be successful.

Let's see if I can help.

1a - 3.3 should work

1b - CAM will be added as IETF radius type for user authentication

1b - CAS will be added as IETF radius type for radius accouting

1c - Wherever you see the multiple addresses for ACS, just use the one ACS server address that you have

Let us know how these changes help.

peter

Jason Bomar Mon, 06/11/2007 - 10:33

Just so I understand, because this differs from the document I linked a fair amount ... the ASA (Concentrator) should AAA Auth to the CAM (which will pass it through to the ACS 3.3 as IETF) and should AAA Account to the CAS (which will pass it through to the ACS as IETF which will use it to SSO to the network) ... is that right? So the ASA does not require to point to the ACS directly?

Jason Bomar Mon, 06/11/2007 - 11:42

Still does not seem to be working, here are some snippets to show what I am doing...

ASA (Concentrator - 192.168.70.51)

aaa-server authgroup host 192.168.69.50 (CAM)

authentication-port 1812

aaa-server CAS_Accounting protocol radius

aaa-server CAS_Accounting host 192.168.70.50 (CAS)

authentication-port 1812

accounting-port 1813

tunnel-group vpngroup general-attributes

authentication-server-group authgroup

accounting-server-group CAS_Accounting

RADIUS Auth set up (CAM 192.168.69.50)

Server Name: 192.168.70.21 (ACS 3.3)

Server Port: 1812

NAS-Identifier: 192.168.69.50 (CAM)

RADIUS Type: PAP

RADIUS Acct set up (CAS 192.168.70.50)

VPN Concentrator: 192.168.70.51 (ASA-Inside)

RADIUS Accounting Server: 192.168.70.50 (CAS)

RADIUS Accounting Port: 1813

Accounting Mapping: ASA-Inside to CAS port 1813

Does this sound right? When I try and connect, my VPN does not authenticate. Prior to this, I was configured to have the ASA talk directly to the ACS as a RADIUS authentication server (CAS was always the Accounting Server).

Actions

This Discussion