Clean Access HTTP redirect wrong after IP address change

Unanswered Question
Aug 13th, 2009

Hi,


Wondered if anyone had seen this:


We have a Clean Access server running in VGW mode for VPN traffic. After a redesign the IP address has changed (the trusted and untrusted are the same).


Unfortunately, when a user logs in it still uses the old IP address in the HTTP redirect; this has been confirmed by looking at the HTML source.


Apart from that it looks fine, new SSL certificate etc.


Any ideas appreciated, thanks.


Jim.

Anonymous (not verified) Wed, 08/19/2009 - 09:39

For all deployments, if planning to configure the Clean Access Server in Virtual Gateway mode (IB or OOB), do not connect the untrusted interface (eth1) of the standalone CAS or HA-Primary CAS until after you have added the CAS to the CAM from the web admin console. For Virtual Gateway HA-CAS pairs, also do not connect the eth1 interface of the HA-Secondary CAS until after HA configuration is fully complete. Keeping the eth1 interface connected while performing initial installation and configuration of the CAS for Virtual Gateway mode can result in network connectivity issues.


When setting up a CAS in Virtual Gateway mode, you specify the same IP address for the trusted (eth0) and untrusted (eth1) network interfaces during the initial installation of the CAS via CLI. At this point in the installation, the CAS does not recognize that it is a Virtual Gateway. It will attempt to connect to the network using both interfaces, causing collisions and possible port disabling by the switch. Disconnecting the untrusted interface until after adding the CAS to the CAM in Virtual Gateway mode prevents these connectivity issues. Once the CAS has been added to the CAM in Virtual Gateway mode, you can reconnect the untrusted interface.

Administrators must use the procedure mentioned in the below URL for correct configuration of a Virtual Gateway Central Deployment:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/418/cas/s_instal.html#wp1045874

jad.sadek Wed, 08/26/2009 - 11:02

You have to regenerate the certificate of the CAS and make sure the "Full domain name or IP" field is the new IP address of the CAS or the DNS-resolvable hostname.
