I am trying desperately to get this working and I know I am VERY close. The problem is AnyConnect users log on to the ASA. They get authenticated through the CAS. They open a web page on the CAS. They get a redirect to the agent download. The agent installs. And that's it. Nothing else happens.
In my lab, after the agent installs, the user gets the NAC Agent GUI pop-up and they have to log on again to get to the network they want to get to.
That does not happen in my case. Here is a drawing of the setup. These users are ultimately trying to get to the Terminal Server Farm.
On the CAS I see them as VPN authorized. But the SSO piece does not seem to be working. I don't see them as In-Band. They are not forced into a role.
This may or may not be something. It's from the CAS nac_server.log.
I see this when an AnyConnect user logs in:
2009-08-27 15:28:50.636 -0400 WARN com.perfigo.wlan.jmx.admin.VPNUserManager - Failed to forward accounting request.Client Receive Exception: Packet Receive Failed (Receive timed out)
I dunno, but I am going nuts on this.