NAC VPN single sign on

Unanswered Question
May 8th, 2008
User Badges:

At one of our client locations they implemented a NAC appliance and configured Active Directory single sign-on, which is working fine. They also configured VPN single sign-on as per the Cisco documentation, but when VPN clients log in they can successfully log in; the problem is that the Clean Access Agent doesn't pop up, and also I can't see any VPN users in the online list (VPN users authenticate through an ACS server). If anyone can send a proper step-by-step configuration for VPN SSO in NAC, that would be great. Thanks


Walter Mavely

fouzi Thu, 05/08/2008 - 06:48
User Badges:

-- Configuration at the ACS:

Adding users.

Adding the AAA clients (PIX, CAS, CAM).

-- Configure the PIX:

Adding the ACS for authentication.

Adding the CAS as the accounting server.

-- Configuration at the CAS:

Setting up the CAS to support VPN SSO.

-- Activation of SSO and definition of the accounting port at the CAS from the CAM web interface.

-- Adding the concentrator (PIX).

-- Adding the ACS as a RADIUS accounting server.

-- Adding a mapping between the VPN concentrator and the RADIUS accounting server.

-- Assigning a role to VPN clients.

Anonymous (not verified) Thu, 02/26/2009 - 15:14
User Badges:

Anonymous (not verified) Thu, 02/26/2009 - 15:20
User Badges:

Anonymous (not verified) Thu, 02/26/2009 - 15:22
User Badges:

Anonymous (not verified) Fri, 02/27/2009 - 13:02
User Badges:

Did you solve the problem with the page redirection?

If so, how did you solve it?

I have the same problem after the VPN user authenticates. It seems that the NAS doesn't do a discovery and didn't redirect to the portal.

Also, I tried installing the NAA locally and it didn't work.



Daniel Laden Sun, 03/01/2009 - 00:14
User Badges:
  • Cisco Employee,

What is the VPN user experience? Is it safe to assume that the VPN user can connect to the ASA but cannot access internal resources?

Let's start by confirming the pathway is good. Add 'All Traffic' to the unauthenticated role and confirm you can now access the internal network.

srue Wed, 03/04/2009 - 06:37
User Badges:
  • Blue, 1500 points or more

Make sure the VPN traffic is somehow being directed through the CAS.

It doesn't sound like it is.

Is the CAS in Virtual Gateway IB or Layer 3 IB mode? Is it more than one hop away from the VPN device?

Dennis Leon Tue, 12/15/2009 - 13:04
User Badges:

I have exactly the same issue... the CCA Agent does not pop up. I did follow the document properly.

I know the traffic is passing through the CAS, because the only traffic passing from the VPN client to the inside network is what is indicated in the filter for that role on the CAS.

Any advice?

Faisal Sehbai Tue, 12/15/2009 - 19:08
User Badges:
  • Gold, 750 points or more


The agent only pops up when it senses the Swiss response from the CAS. That only happens when traffic hits the CAS's untrusted interface; the CAS checks against its list of known clients, and if it doesn't find that client, it will ask the agent to pop up and ask for authentication.

If you're not seeing the pop-up, make sure the traffic is traversing the CAS. Try to browse to the IP address of the CAS itself from the client and see what response you get. Alternatively, try going to an internal resource on the https/http ports and see if that gets you the redirection page. With the agent installed, the agent sends out a UDP packet every 5 seconds to the discovery host. The discovery host should be a resource on the trusted side which clients can only reach after crossing through the CAS.
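The check suggested in the post above (browse from the VPN client to an internal resource and see whether the CAS redirects you) can be scripted so the outcome is classified the same way every time. The following is an added example written for this thread; it is not Cisco NAC code and not code from any poster. It assumes you know the IP or hostname of the CAS untrusted interface, that the CAS redirects unknown clients with an HTTP 3xx whose Location points at the CAS, and that the internal resource answers on port 80; the sample responses at the bottom are constructed, and the portal path used in them is a placeholder, not the real NAC login URL.

```python
"""Classify what a VPN client sees when it browses to an internal resource,
to tell "traffic is not traversing the CAS" apart from "CAS challenged me"
and "nothing reachable at all".  Added example, not part of the thread."""
import http.client
import socket
from typing import Dict, Optional
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_response(status: Optional[int], headers: Dict[str, str], cas_host: str) -> str:
    """Interpret the first HTTP response received (status None = timed out).

    headers keys are expected lower-cased; cas_host is the CAS untrusted
    interface IP/hostname (assumed known to the operator)."""
    if status is None:
        # Nothing answered: the pathway itself is blocked, neither the
        # resource nor the CAS saw the request.
        return "no-response"
    location = headers.get("location", "")
    if status in REDIRECT_CODES and location:
        target_host = (urlparse(location).hostname or "").lower()
        if target_host == cas_host.lower():
            # The CAS saw the traffic, did not find the client in its
            # online list and is pushing it to the login portal.
            return "redirected-to-cas"
        return "redirected-elsewhere"
    # The resource answered directly: either the client is already in the
    # CAS online list, or the traffic bypassed the CAS entirely.
    return "direct"


def next_step(classification: str) -> str:
    """Map the classification to the troubleshooting step the thread suggests."""
    return {
        "no-response": "Path blocked: add 'All Traffic' to the unauthenticated role and retest.",
        "redirected-to-cas": "CAS is in the path; check the agent's discovery host and agent version.",
        "direct": "Traffic is not traversing the CAS (or client already known); check routing/CAS mode.",
        "redirected-elsewhere": "Redirect came from something other than the CAS; inspect that device.",
    }[classification]


def probe(resource_host: str, cas_host: str, timeout: float = 5.0) -> str:
    """Issue one GET without following redirects and classify the outcome."""
    try:
        conn = http.client.HTTPConnection(resource_host, 80, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify_response(resp.status, headers, cas_host)
    except (socket.timeout, OSError):
        return classify_response(None, {}, cas_host)


if __name__ == "__main__":
    # Constructed sample responses so the script runs offline; the CAS
    # address and portal path are placeholders.
    CAS = "10.0.0.5"
    samples = [
        (302, {"location": "https://10.0.0.5/placeholder-login"}),   # CAS challenge
        (200, {"content-type": "text/html"}),                         # answered directly
        (None, {}),                                                   # timeout
    ]
    for status, hdrs in samples:
        verdict = classify_response(status, hdrs, CAS)
        print(f"{status!s:>5} -> {verdict}: {next_step(verdict)}")
```

To use it against a live setup, call `probe("internal-host", "cas-untrusted-ip")` from the VPN client; a `direct` verdict while the agent stays silent is the symptom the thread is chasing, and points at routing rather than at the agent.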



