ASA VPN and NAC using Cisco Clean Access

I currently have ASA VPN that is configured to work with NAC inline mode with Virtual GW and CCA using Single Sign On and Active Directory via a MS IAS server. Everything works fine. We want to have vendors use this solution as well but do not want to give them AD accounts. We would like the vendor to connect to VPN, but since there is no AD account they must authenticate to the NAC local database, and this is not working. We want to move away from users having local ASA VPN accounts to using the VPN through the ASA but using SSO and the NAC. Can this be done without creating Active Directory accounts for the vendors?

carenas123 Fri, 03/20/2009 - 08:05

You can configure Cisco NAC Appliance to automatically authenticate Clean Access Agent users who are already logged into a Windows domain. AD SSO allows users logging into AD on their Windows systems to automatically go through posture assessment/Clean Access certification without ever having to login through the Agent. Cisco NAC Appliance supports Windows Single Sign-On (SSO) on Windows Vista/XP/2000 client machines and AD on Windows 2000/2003 servers.


http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/411/cas411/s_adsso.html#wp1148380

Thanks for the reply, but that is not my issue... please see above comments. I have that solution in place and working fine. My question is: can I provide VPN access to a vendor WITHOUT giving them an AD account or giving them a local account on the ASA? I wanted to know if it is possible for them to use VPN and authenticate to the NAC server local database, but I was told by a Cisco VPN ENG and NAC ENG that it can be done but the vendor would use no authentication to the VPN tunnel group and be passed to the NAC inside... security HOLE... which defeats the purpose of the VPN session to our network. So I will just give the vendors an AD account and have them use SSO as well.


Thanks

Daniel Laden Thu, 04/02/2009 - 17:15

VPN SSO requires a RADIUS Accounting packet to reach the NAC Server from the ASA. If you do not want to use AD or local ASA, you will need to set up another authentication server and associate it with a group used by the vendors.


-Dan Laden

I have an update. My configuration is the same. I am trying to use the mapping feature on the NAC Manager. The vendor will have an AD account and be in the VPNUsers AD group, but I am trying to assign different NAC roles depending on the user in that group. I read the docs but I am no MS IAS expert, and I have tried a couple of attributes but it is not working. Getting the mapping rules working would really fix all the issues because I can assign more restrictive roles to vendors and create roles for IT... Finance etc. but maintain 1 RADIUS server... with 1 AD group.... I can find examples using LDAP mapping but nothing of real help for RADIUS mapping.
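To illustrate both the RADIUS Accounting packet that Dan says the NAC server needs from the ASA and the attribute-to-role mapping asked about above, here is an added example (not code from the thread or from Cisco NAC Appliance): it builds a constructed Accounting-Request, verifies its Request Authenticator with the shared secret before trusting any attribute in it, and applies a hypothetical mapping of the Class attribute to a NAC role. The shared secret, attribute values and the ROLE_MAP rules are all constructed placeholders, and the mapping does not reproduce NAC Manager's own rule syntax.

```python
import hashlib
import hmac
import socket
import struct
# Constructed sample values (not from the thread); the secret is a placeholder.
SHARED_SECRET = b"example-secret"
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
SAMPLE_ATTRS = [
    (1, b"vendor1"),
    (8, socket.inet_aton("10.0.0.5")),
    (25, b"OU=Vendors"),          # Class, as a RADIUS server could return it
    (40, struct.pack("!I", 1)),   # Acct-Status-Type = Start
    (44, b"0000ABCD"),
]

def build_accounting_request(ident, attrs, secret):
    """Build an Accounting-Request (code 4) with its Request Authenticator (RFC 2866)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def parse_accounting_request(packet, secret):
    """Verify the authenticator with the shared secret, then decode the attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + body + secret).digest()
    if not hmac.compare_digest(auth, expected):  # wrong secret or forged packet
        raise ValueError("Request Authenticator mismatch")
    attrs, i = {}, 0
    while i < len(body):
        if len(body) - i < 2 or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        t, l = body[i], body[i + 1]
        attrs.setdefault(ATTR_NAMES.get(t, t), []).append(body[i + 2:i + l])
        i += l
    return attrs

# Hypothetical mapping keyed on the Class attribute (not NAC Manager's rule syntax).
ROLE_MAP = {b"OU=Vendors": "vendor_restricted", b"OU=IT": "it_staff"}

def role_for(attrs, default="unauthenticated"):
    """Return the NAC role for the first Class value that has a mapping, else the default."""
    for cls in attrs.get("Class", []):
        if cls in ROLE_MAP:
            return ROLE_MAP[cls]
    return default
```

A packet sent with a different secret, or altered in transit, fails the authenticator check and never reaches the role mapping, which is the check that keeps an unauthenticated "pass-through" from assigning a role.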
