
NAC ADSSO with NAC Module isn't working for all modules

Dennis Leon
Cisco Employee

Hello,


We have a NAC OOB-L2-VG Deployment at the Central Site with VLAN Mapping and ADSSO which works just fine.


As part of the project we have implemented NAC Modules on ISR routers for the branch offices; same topology but, as the documentation states, no VLAN mapping was configured. The problem is that for some users in one branch office the ADSSO isn't working, and in another branch office the ADSSO isn't working at all; all the users are getting authenticated with a local user we defined on the servers.


The configuration in both modules is exactly the same; they are using the same user to access the AD (the one used on the ktpass), the data links to the central site are both 1 Mbps, and everything is pretty much the same.


I have checked the logs on the CAS-Module and it states that Windows SSO is running:

Nov 27, 2009 10:08:23 AM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running

The interesting thing is that when the user goes through the NAC process I see these logs:

Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.SWissServer run
FINE: Sent Response to /172.19.5.11!
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
INFO: accepted ADSSO socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSServer$GSSThread run
INFO: accepting ADSSO socket ...
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: processing socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: TIMEOUT_SET FOR ADSSO SOCKET ... Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: reading peer's token_length Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:28 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: IO Error: Socket[addr=/172.19.5.11,port=1431,localport=8910]:Read timed out
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissHandler processPacket
FINE: SWissServer: get request from : 1043@/172.19.5.11
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissHandler processPacket
FINE: SWissServer: Client OS is WINDOWS_PRO_XP
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil parseClientAddrList
FINE: IP=/172.19.5.11, MAC=00:1E:4F:53:97:7D
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.Shell writeToClick
FINE: /proc/click/intern_arpq/add_interest-->172.19.5.11
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.Shell writeToClick
FINE: /proc/click/intern_arpq/remove_interest-->172.19.5.11
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: IP=172.19.5.11, VLAN=19, OS=WINDOWS_PRO_XP
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Default Provider=Local DB
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Providers=Local DB;
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Number of providers=1

The IP address 172.19.5.11 is the IP of the PC during the unauthenticated role; what the user is finally seeing is the CCA Agent asking for user and password instead of using the ADSSO.


The version of the Agent is 4.1.10, the NAS and NAM are running 4.1.8, and the only awkward thing is that the Active Directory Servers are running Windows 2000 SP4.


Any assistance would be much appreciated.

Thanks,


DL.
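
An added example, not part of the original post or of Cisco's tooling: a small parser for the two-line CAS log format quoted above that pairs each "reading peer's token_length" entry with the following "IO Error" on the same socket, showing how long the CAS waited for the agent's token before giving up. The function name and output fields are assumptions made for illustration.

```python
import re
from datetime import datetime

# Sample input: lines copied from the CAS log quoted in the post above.
SAMPLE = """\
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: processing socket ...Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:13 AM com.perfigo.wlan.jmx.admin.GSSHandler run
INFO: reading peer's token_length Socket[addr=/172.19.5.11,port=1431,localport=8910]
Nov 27, 2009 8:55:28 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: IO Error: Socket[addr=/172.19.5.11,port=1431,localport=8910]:Read timed out
Nov 27, 2009 8:56:18 AM com.perfigo.wlan.jmx.admin.SWissUtil getOpProviderListData
FINE: Default Provider=Local DB
"""

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
SOCKET = re.compile(r"Socket\[addr=/([\d.]+),port=(\d+),localport=(\d+)\]")

def failed_adsso_handshakes(text):
    """Return one dict per ADSSO socket that errored while the CAS was
    still waiting to read the client's token length."""
    waiting = {}   # (client_ip, client_port) -> time the token read started
    failures = []
    stamp = None   # timestamp from the most recent header line
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if head:
            stamp = datetime.strptime(head.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        sock = SOCKET.search(line)
        if stamp is None or sock is None:
            continue
        key = (sock.group(1), int(sock.group(2)))
        if "reading peer's token_length" in line:
            waiting[key] = stamp
        elif "IO Error" in line and key in waiting:
            started = waiting.pop(key)
            failures.append({
                "client": key[0],
                "port": key[1],
                "waited_s": int((stamp - started).total_seconds()),
                "reason": line[sock.end():].lstrip(": ").strip() or "unknown",
            })
    return failures

if __name__ == "__main__":
    for f in failed_adsso_handshakes(SAMPLE):
        print(f)
```

On the excerpt above, the single ADSSO connection from 172.19.5.11 is reported as timing out 15 seconds after the token read began, after which the log shows the client falling back to the Local DB provider.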

2 Replies

rajasbha
Level 1

Hi,

I too have the same error. Does anyone know how to resolve this?

Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.028 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer               - accepting ADSSO socket ...
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler              - processing socket ... Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler              - TIMEOUT_SET FOR ADSSO SOCKET ... Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.041 +0530 DEBUG com.perfigo.wlan.jmx.adsso.GSSHandler              - reading peer's token_length from Socket[addr=/10.80.0.220,port=1583,localport=8910]
2010-09-28 10:57:38.670 +0530 ERROR com.perfigo.wlan.jmx.adsso.GSSHandler              - IO Error: Socket[addr=/10.80.0.220,port=1583,localport=8910] null
2010-09-28 10:58:40.215 +0530 INFO  com.perfigo.wlan.jmx.adsso.GSSRetrier              - GSSR - Windows SSO is running
2010-09-28 10:59:26.308 +0530 WARN  org.apache.commons.httpclient.HttpMethodBase       - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
2010-09-28 10:59:38.478 +0530 INFO  com.perfigo.wlan.jmx.admin.OOBDelayTask            - OOBDelayTask: remove temp user [00:01:80:53:67:75]/[10.80.0.220]

Thanks in advance

Yes, actually after several months of troubleshooting the problem got solved by upgrading the platform to 4.6.1.
