NAC -CCA Agent Auto URL

mdazhar · ‎08-12-2009

I have CAS with Agent 4.5.1 , when users try to get authenticated he needs CCA Agent to be downloaded and installed on client PC , its not happening automatically ..users opens a browser type the link eg:www.google.com ..first time should be redirected to CAS for CCA agent download page , but its not happening ..but when they type the IP address of CAS eg: https://cas-ip , then it asks to download the CCA Agent , i have complete DNS setup both reverse lookup / forward lookup working also proxy configured still it does n't goes out there..... where with ip address everything works fine ..does any have idea how to move forward

Yudong Wu · ‎08-12-2009

When you try "www.google.com", do you know if the packet will reach CAS? Check your routing to make sure this.

mdazhar · ‎08-13-2009

when typing IP will do the job , have no idea if still could be routing issues L3 , also do i need any route on Proxy server to reach CAS or on DNS server something like this ...have some tested this setup then pl

Yudong Wu · ‎08-13-2009

Which ip will do the job? CAS' IP? If yes, I believe that Agent download can be triggered when the packet to www.google.com will go through the CAS.

If you have service contract with Cisco, I suggest you to open a TAC case.

mdazhar · ‎08-13-2009

Hi,

I already opened TAC # 5 engg changed no solutions , cisco TAC team is completely unaware about their products itself or they not upto the mark for the solution at one time i thought to switch with Juniper

since this solutions already sold , i hope to have valid solutions let s re assess to find the solution

1. when type the IP of CAS agent gets downloaded

2. when type of www.google.com doens 't go

3. DNS both forward & reverse lookup working fine

4. Proxy has been configured in CAM

does any issue needs here missing to fill the GAP.

Yudong Wu · ‎08-13-2009

troubleshooting this will depend on how it was implemented in your network. Such as in-band or out-of-band, layer 2 or 3 mode, and CAS is virtual Gateway or real Gateway.

The general mistakens could be:

1. SVI interface for auth vlan --> auth vlan must be pure layer 2. In a word, you need make sure the packet from client should go to CAS when they try to browser google.com

2. if it is layer 2 mode, management subnet must use IP from trusted subnet but vlan ID from auth vlan

3. if it is layer 3 mode, make sure you have static route configured for user's IP address.

HTH

mdazhar · ‎08-13-2009

Hi

Thanks

its been implemented as L2-OOB-VGW (CAS)

and setup is working fine , when agent manually installed , authentication process takes places successfull and valid policy and posture assements

when i said everything working means it dam working for around 100 PC's

only i need to redirect when they open the www.google.com (first time , where no CCA agent installed ) then it should get the download from CAS , as i said earlier using IP address cas will ask users to download the KIT...

i really appreciate your effort to response let s hope with more tips we can resolve the problem