problem SSO between VPN and NAC

saad_filali · ‎06-25-2009

Hello

Description of our problem : SSO doesn't work

-on the first connexion from vpn client we insert two time the login and password :one time for the client vpn and the seconde time for CAA (clean Access agent).

-although for the other connexion that succeed, we insert only one time the login and password (for vpn only) and for CAA the connexion is done automatiquely and a some hours later we reinsert two times login and password for vpn and CAA.

The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:

Step 1 Add Default Login Page =ok

Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok

Step 3 Enable L3 Support on the CAS = ok

Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)

Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)

Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok

Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)

Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok

Step 9 Add VPN Concentrator as a Floating Device =ok

Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok

the database for vpn authentication is cisco secure acs(192.168.1.30).

Tanks to any anybody to give us a possible solution.

FILALI Saad

Ares Maroc

koeppend · ‎07-03-2009

Hi

I have just gone the the same issues with SSO VPN with my CAS in real-ip mode.

First thing to consider, when your testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found that while I was testing that it would sometimes cache the user and I was getting successful auth attempts but due to their device being already accepted on a previous connection because the CAS was not made aware that the user had logged out correctly.

1. Make sure you have a fully functional DNS system on the inside network, I didnt realize how important it was to have forward and reverse look ups for your CAS and CAM. Make sure that all CAS and cams are listed in dns with correct domain names.

This in very important if your running your own CA certificates on cas and cam. Make sure that the CAM and CAS can resolve each other via dns. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPN's into your ASA that they can also perform DNS lookups and reverse lookups. If they cant perform dns look ups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldnt resolve internal DNS names and so the CCA agent would never auto pop-up and start the auto login process because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate as I had used names in my certs and not IP addresses.

2. Make sure your VPN group settings on the IPSEC policy of the ASA has DNS pointing to your internal DNS server.

3. I know you already said you have done this but check to make sure that the VPN group setup on your ASA for your remote access users, has been setup with the radius accounting being directed the INSIDE interface IP address of your CAS, (if you are running your CAS in real-ip, I found that the inside interface was the only interface listening on 1813, do a 'netstat -an' on the cas to check) if your running in VGW mode then you only have 1 ip address to direct it to anyway.

Follow from step 15 in following link

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

3. Troubleshoot and make sure that the ASA actually sends a radius accounting message to the CAS. I did this by ssh into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my vpn user and pass, that the ASA authenticates the vpn user and then passes a radius accounting message to the CAS informing the CAS it has allowed a new user. If you dont see this radius accounting message hit the CAS interface go back to my step 3 and resolve.

4. Finally check that you have not mistyped a shared secret somwhere, ie between CAM and ACS, Between ASA and ACS, Between ASA and CAS. I had all my users authenticate though radius on my ACS server, a number of times I got caught out by a simple typo in a shared secret.

Try these things first.

Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html

You may find it useful too.

Dale

saad_filali · ‎07-06-2009

thank you very much

saad_filali · ‎07-07-2009

I follow all the steps describe above but it doesn't work. if you have any suggestion.

Thanks a lot.

koeppend · ‎07-08-2009

You say you have added the ASA as a floating devices. Have you also added the ASA to the bypass filters?

See step 7 in following link, step 8 is the floating device setup.

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

stanley.yachera · ‎07-13-2009

Be sure to enable Interim Accounting Updates on the ASA to the CAS device.

aaa-server MYNAC_Accounting protocol radius

interim-accounting-update