ADSSO not starting due to ADSSO

Answered Question
Nov 9th, 2009

We have a core switch with an FWSM. All the users' default gateway is the FWSM.

There is an access switch where the user is connected. The mode of deployment for NAC is L2 OOB VGW. The switch is added to the NAC. ADSSO is configured on the NAC and the service is started. As soon as I restart the PC, it is not able to contact the DC while all the ports are opened to the DC. No agent popup appears. It does not show any keys in Kerbtray.

The sequence is:

Since the client username and password have been cached locally, it is able to log on.

The client gets an IP address from DHCP and it is in the authentication VLAN, which is 110. Now there is no agent coming up unless I do the below:

When I do arp -a in cmd it shows me an invalid MAC address for the default GW. Now if I add a static MAC address on the client PC, the popup immediately occurs. Or, if I do a ping from the FWSM, which is the default GW, then the popup immediately occurs.

I captured the packets through Ethereal and noticed that the client is sending ARP requests but is not receiving any reply. The capture is also attached. Note that 192.168.3.1 is the gateway and 192.168.3.3 is the client.

FWSM version is 3.1(4) working in FO.

What do you suggest?
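The symptom above (the client sends ARP requests for 192.168.3.1 and nothing answers, so the gateway entry stays 00-00-00-00-00-00) can be checked mechanically rather than by eyeballing a capture. The following is an added example, not code from the thread or from Cisco: it parses raw Ethernet/ARP frames and reports which target IPs were requested but never answered. The frames, MAC addresses and the `sample_capture` helper are constructed to mimic the poster's capture; with a real pcap you would feed the raw frame bytes in from a reader such as scapy or dpkt.

```python
"""Find ARP requests that never received a reply in a set of Ethernet frames."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed addresses for the example; they are not from the original capture.
CLIENT_MAC = bytes.fromhex("001122334455")
GATEWAY_MAC = bytes.fromhex("00aabbccddee")
OTHER_MAC = bytes.fromhex("00c0ffee0001")
ZERO_MAC = bytes(6)


def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else target_mac
    eth = dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + bytes(int(o) for o in sender_ip.split("."))
    arp += target_mac + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip), or None if the frame is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sender_ip = ".".join(str(b) for b in frame[28:32])
    target_ip = ".".join(str(b) for b in frame[38:42])
    return opcode, sender_ip, target_ip


def unanswered_arp(frames):
    """Map target IP -> number of ARP requests for it that no reply ever matched."""
    pending = defaultdict(int)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP; ignore
        opcode, sender_ip, target_ip = parsed
        if opcode == ARP_REQUEST:
            pending[target_ip] += 1
        elif opcode == ARP_REPLY and pending.get(sender_ip):
            # A reply whose sender is X satisfies one outstanding request for X.
            pending[sender_ip] -= 1
    return {ip: n for ip, n in pending.items() if n > 0}


def sample_capture():
    """Constructed frames: three unanswered requests for the gateway, one answered request."""
    client, gateway, other = "192.168.3.3", "192.168.3.1", "192.168.3.10"
    return [
        build_arp(CLIENT_MAC, client, ZERO_MAC, gateway, ARP_REQUEST),
        build_arp(CLIENT_MAC, client, ZERO_MAC, gateway, ARP_REQUEST),
        build_arp(CLIENT_MAC, client, ZERO_MAC, other, ARP_REQUEST),
        build_arp(OTHER_MAC, other, CLIENT_MAC, client, ARP_REPLY),
        build_arp(CLIENT_MAC, client, ZERO_MAC, gateway, ARP_REQUEST),
    ]


if __name__ == "__main__":
    for ip, count in sorted(unanswered_arp(sample_capture()).items()):
        print(f"{ip}: {count} ARP request(s) with no reply")
```

Run against the constructed frames it reports only 192.168.3.1 with three unanswered requests, which is exactly the picture the poster describes: the client can resolve other hosts on the authentication VLAN but the gateway's reply never makes it back, so the fault lies between the client's VLAN and wherever the FWSM sees the request, not in the client or in ADSSO itself.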



Faisal Sehbai Mon, 11/09/2009 - 07:23

Talha,


Do you have the VLAN mapping configured from VLAN 110 to whatever your access VLAN is?


For testing, can you allow all IP in your unauthenticated roles to your DCs and then see if you can access anything after logging in to the machine?


Thanks,

Faisal

talha_490 Mon, 11/09/2009 - 14:47

Dear Faisal,

Thanks for your reply. First of all, VLAN mapping is configured. VLAN 110 is mapped to VLAN 14, and all the ports are opened to the DC.

As I said, if I add a static ARP entry, I cannot log on through the local database nor through ADSSO. If you look at the support logs in the previous e-mail, it shows me an invalid ARP entry of 00-00-00-00-00-00 for the default GW.

Correct Answer
Faisal Sehbai Mon, 11/09/2009 - 16:29

Talha,


I suspect there's something wrong with the config, but would be very tricky to get resolved with the to-and-fro in the forums.


If you're not able to resolve your default gateway's ARP, either the mappings aren't working, or you might have the "Enable subnet-based VLAN retag" option on. If both of these things are set and it still doesn't work, I would like to look at the setup live, so please open a TAC case and let's have a TAC engineer peer over your settings.


HTH,

Faisal

talha_490 Mon, 11/16/2009 - 00:21

Thanks Fasehbai,


I had the "Enable subnet-based VLAN retag" option on.


Regards


Talha

grant.maynard Mon, 11/23/2009 - 10:17

I agree with fasehbai, you're trying to do too much in one go. Leave the AD SSO issue aside for now, troubleshoot the CAS VGW. Check the settings for Managed Subnets and VLAN Mapping.
