NAC -CCA Agent Auto URL

Unanswered Question
Aug 12th, 2009

I have CAS with Agent 4.5.1 , when users try to get authenticated he needs CCA Agent to be downloaded and installed on client PC , its not happening automatically ..users opens a browser type the link ..first time should be redirected to CAS for CCA agent download page , but its not happening ..but when they type the IP address of CAS eg: https://cas-ip , then it asks to download the CCA Agent , i have complete DNS setup both reverse lookup / forward lookup working also proxy configured still it does n't goes out there..... where with ip address everything works fine ..does any have idea how to move forward

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mdazhar Thu, 08/13/2009 - 00:45

when typing IP will do the job , have no idea if still could be routing issues L3 , also do i need any route on Proxy server to reach CAS or on DNS server something like this ...have some tested this setup then pl

Yudong Wu Thu, 08/13/2009 - 06:58

Which ip will do the job? CAS' IP? If yes, I believe that Agent download can be triggered when the packet to will go through the CAS.

If you have service contract with Cisco, I suggest you to open a TAC case.

mdazhar Thu, 08/13/2009 - 07:26


I already opened TAC # 5 engg changed no solutions , cisco TAC team is completely unaware about their products itself or they not upto the mark for the solution at one time i thought to switch with Juniper

since this solutions already sold , i hope to have valid solutions let s re assess to find the solution

1. when type the IP of CAS agent gets downloaded

2. when type of doens 't go

3. DNS both forward & reverse lookup working fine

4. Proxy has been configured in CAM

does any issue needs here missing to fill the GAP.

Yudong Wu Thu, 08/13/2009 - 09:46

troubleshooting this will depend on how it was implemented in your network. Such as in-band or out-of-band, layer 2 or 3 mode, and CAS is virtual Gateway or real Gateway.

The general mistakens could be:

1. SVI interface for auth vlan --> auth vlan must be pure layer 2. In a word, you need make sure the packet from client should go to CAS when they try to browser

2. if it is layer 2 mode, management subnet must use IP from trusted subnet but vlan ID from auth vlan

3. if it is layer 3 mode, make sure you have static route configured for user's IP address.


mdazhar Thu, 08/13/2009 - 10:43



its been implemented as L2-OOB-VGW (CAS)

and setup is working fine , when agent manually installed , authentication process takes places successfull and valid policy and posture assements

when i said everything working means it dam working for around 100 PC's

only i need to redirect when they open the (first time , where no CCA agent installed ) then it should get the download from CAS , as i said earlier using IP address cas will ask users to download the KIT...

i really appreciate your effort to response let s hope with more tips we can resolve the problem


This Discussion