NAC-OOB L2 - Authentication Login page doesn't appear!

Answered Question
Dec 8th, 2009

Hi All,


We have 2 NAC managers and 2 NAC servers. We have a failover solution. Our deployment is OOB Layer 2 Central Virtual Gateway. We have successfully added the NAS into the NAM and did the required configuration in the NAM, like configuring VLAN mapping (from the untrusted VLAN 913 to the trusted VLAN 910), adding a managed subnet, switch profile and port profile, adding switches (Cisco 3560) to the NAM, and configuring user roles, local users and also the user login page.
Then we tested it by connecting a PC to the controlled port on the switch.
The configuration of the controlled port was on VLAN 910 and, after connecting the PC, it was converted to VLAN 913. Then we successfully got an IP from the DHCP which is configured on the switch, but the authentication login page didn't appear! Also, when we disconnect the PC from that port, the configuration isn't converted from VLAN 913 to VLAN 910, so we have to change it manually every time to do our tests.


What should we do to make the login page appear and also let the NAM automatically change the port configuration after disconnecting the PC?


Thanks in advance.


Faisal Sehbai Tue, 12/08/2009 - 15:03

Some things to check for:


- Make sure that managed subnets are configured correctly (Untrusted VLAN, an IP address instead of subnet)

- Make sure there are no L3 SVIs for the untrusted VLANs

- How are you trying to get to the authentication page? If just browsing to any website, make sure DNS is working; otherwise try with an IP address in the browser

- Try browsing to the IP address of the CAS


HTH,

Faisal

ayman emara Thu, 12/10/2009 - 01:53

Hi Faisal,


Thanks a lot for your reply. I tried to browse to the IP address of the CAS and I could access it successfully. I browsed a web site using an IP address, the authentication page appeared, and when I log in with the local username and password, the following message appears:


Network Error:
Clean Access Server could not establish a secure connection to Clean Access Manager at CAI35554424ZNM1.
This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
Please report this to your network administrator.


Also, when I connect the PC to the controlled port (which is in the untrusted VLAN 913), I could get an IP from the DHCP, but this VLAN isn't mapped to the trusted VLAN (910) and is still in VLAN 913 on the switch. Please find attached the VLAN mapping, port profile and managed subnet configuration.


Thanks again for your cooperation!

Faisal Sehbai Thu, 12/10/2009 - 07:25

Are your certificates for the CAM and the CAS issued to IP addresses or DNS names? If DNS names, are those names resolvable by your DNS server that your clients use? Can the CAM and CAS resolve each others name?


Faisal
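The certificate questions above (is the CAM certificate issued to an IP address or a DNS name, and does the name the CAS uses match it?) are the standard server-identity check. The script below is an added example, not code from the thread or from Cisco NAC: it applies generic RFC 6125-style name matching to a constructed summary of a certificate's CN and SAN entries and reports why a peer reached by IP fails against a certificate issued to a DNS name, which is the mismatch the thread resolved by reissuing the certificate with the IP address. All host names and addresses in it are placeholders.

```python
"""Check whether an X.509 certificate's names cover the address a peer connects to.

Added example (not part of the thread). The CAM/CAS "could not establish a secure
connection" error is what a name mismatch looks like: the CAS reaches the CAM by
one identifier (an IP address or a DNS name) while the certificate names another.
"""
import ipaddress
import socket


def is_ip_literal(address: str) -> bool:
    """True when the peer is addressed by an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, '*' allowed only as the whole
    leftmost label, and a wildcard must leave at least two fixed labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: dict, peer_address: str) -> tuple:
    """Decide whether a certificate identifies `peer_address`.

    cert_names is a constructed summary of the certificate:
      {"CN": subject common name, "DNS": [SAN dNSName ...], "IP": [SAN iPAddress ...]}
    Returns (matches, reason).
    """
    dns_sans = cert_names.get("DNS", [])
    ip_sans = cert_names.get("IP", [])
    cn = cert_names.get("CN")

    if is_ip_literal(peer_address):
        peer_ip = ipaddress.ip_address(peer_address)
        if any(ipaddress.ip_address(ip) == peer_ip for ip in ip_sans):
            return True, "IP SAN matches %s" % peer_address
        # Legacy behaviour: some stacks accept an IP literal in the CN when no SAN exists.
        if not dns_sans and not ip_sans and cn == peer_address:
            return True, "CN equals %s (legacy CN match, no SAN present)" % peer_address
        return False, ("peer reached by IP %s but certificate names are %s; reissue with an "
                       "iPAddress SAN or connect by DNS name" % (peer_address, dns_sans or [cn]))

    # Peer addressed by DNS name: SANs take precedence; the CN is only a fallback when absent.
    candidates = dns_sans if dns_sans else ([cn] if cn else [])
    for name in candidates:
        if dns_name_matches(name, peer_address):
            return True, "name %r covers %s" % (name, peer_address)
    return False, "no DNS name in %s covers %s" % (candidates, peer_address)


def resolves(hostname: str) -> bool:
    """The thread's second question: can this host resolve the certificate's name at all?
    Needs a working resolver, so it is not exercised by the offline checks."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Constructed certificate summaries; names are placeholders, not the thread's hosts.
    cam_cert_by_name = {"CN": "cam.example.local", "DNS": ["cam.example.local"], "IP": []}
    cam_cert_by_ip = {"CN": "10.0.0.5", "DNS": [], "IP": ["10.0.0.5"]}
    for cert, peer in [(cam_cert_by_name, "10.0.0.5"),      # the failing combination
                       (cam_cert_by_ip, "10.0.0.5"),        # certificate reissued to the IP
                       (cam_cert_by_name, "cam.example.local")]:
        print(peer, "->", cert_covers(cert, peer))
```

Run it as-is to see the three cases; to check a real pair of appliances, fill `cert_names` from the CAM certificate's subject and subjectAltName and pass the exact address the CAS is configured to use.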

ayman emara Sat, 12/12/2009 - 08:50

Hi Faisal,


Thanks for your help; we managed to issue a new certificate with the IP address of the NAM instead of the NAS, and it worked: the agent is downloaded and works fine.

But we have another issue we faced in the implementation, which is the integration with Active Directory on Windows 2008 (we have read that it supports only specific versions of 2003)? So if you have any update on that, please do.


Thanks in advance


Ayman Yehia

Correct Answer
Faisal Sehbai Sat, 12/12/2009 - 09:56

AD SSO is supported with all Windows 2003, but with 2008, only single server is supported and those also have to be 32 bit. 64 bit servers aren't supported yet.


HTH,

Faisal

ayman emara Sun, 12/13/2009 - 06:39

Hi Faisal,


We have tried to make SSO with a single Active Directory on Windows Server 2003 R2 SP2 and did the required configuration on both the NAC and AD, and we ran the KTPass.exe command and it succeeded in setting the user to DES-only encryption.

But when we update the Windows authentication - Active Directory SSO in the NAC, we get the following error:


Error : Could not start the SSO service. Please check the configuration.


Can you help us with this error?



Thanks,


Ayman Yehia

Faisal Sehbai Sun, 12/13/2009 - 09:05

Okay, can you post the ktpass command that you ran?


Also, the CAS logs showing the error message?


Thanks,

Faisal

ayman emara Sun, 12/13/2009 - 23:46

Hi Faisal,


The KTPass command is:


C:\Program Files\Support Tools>ktpass.exe -princ [email protected] -mapuser test -pass test123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +Desonly


and the logs are attached


Thanks for help

ayman emara Sun, 12/13/2009 - 23:54

Hi Faisal,


The KTPass command is as follows:



C:\Program Files\Support Tools>ktpass.exe -princ [email protected] -mapuser test -pass test123 -out c:\mai.keytab -ptype KRB5_NT_PRINCIPAL +Desonly


and the attached log file.


Thanks
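The ktpass.exe run in the two posts above writes a keytab (`-out c:\...keytab`) and, with `+DesOnly`, restricts the mapped account to single-DES keys. The script below is an added example, not code from the thread or from Cisco or Microsoft: it builds a keytab in the MIT file format (version 0x0502, which is what ktpass writes), parses it back, and lists each entry's principal, kvno and encryption type, flagging single-DES entries because DES is deprecated for Kerberos (RFC 6649). The principal `HTTP/cas.example.com@EXAMPLE.COM`, realm and zero-filled key bytes are constructed placeholders; the thread's own principal is redacted on the page.

```python
"""Build and inspect a Kerberos keytab in the MIT file format that ktpass.exe -out writes.

Added example, not from the thread. Principal, realm and key bytes are constructed.
Format assumed: keytab version 2 (magic 0x05 0x02); each entry is a signed 32-bit
big-endian size followed by: uint16 component count, counted realm, counted
components, uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype,
uint16 key length, key, and an optional uint32 kvno that overrides the 8-bit one.
"""
import struct
import time

# RFC 3961 / IANA encryption-type numbers. 1-3 are single-DES, which +DesOnly selects.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1  # the -ptype value used in the thread's command


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal 'svc/host@REALM', name_type, kvno, enctype, key bytes)."""
    out = b"\x05\x02"
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, int(time.time()), kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(buf: bytes) -> list:
    """Return one dict per live entry: principal, name_type, kvno, enctype, enctype_name, key_len, weak."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % buf[:2])
    pos, entries = 2, []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted entry (hole); skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        realm, pos = _read_counted(buf, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(buf, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", buf, pos)
        pos += 4
        key = buf[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno is present
            (kvno,) = struct.unpack_from(">I", buf, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": len(key), "weak": enctype in DES_ENCTYPES,
        })
    return entries


def weak_principals(buf: bytes) -> list:
    """Principals whose keytab entries use single-DES (deprecated by RFC 6649)."""
    return [e["principal"] for e in parse_keytab(buf) if e["weak"]]


if __name__ == "__main__":
    sample = build_keytab([
        ("HTTP/cas.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 3, 3, bytes(8)),    # what +DesOnly yields
        ("HTTP/cas.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 4, 18, bytes(32)),  # AES256 alternative
    ])
    for entry in parse_keytab(sample):
        print(entry)
    print("weak:", weak_principals(sample))
```

To inspect a keytab produced by ktpass, read the file in binary mode and pass its contents to `parse_keytab`; the `kvno` it reports should match the account's current key version, since a stale kvno is a common reason an SSO service fails to start.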


Faisal Sehbai Mon, 12/14/2009 - 08:44

Hello,


Wrong log files. I'm looking for the CAS logs where the SSO service is started. To get those, log on to your CAS by going to https:///admin and clicking on support logs.


Faisal

ayman emara Tue, 12/15/2009 - 00:06

Hi Faisal,


I do not know if the logs for the CAS will help you now, as we have done High Availability for the CAM and the CAS, but I submitted them to you.


So we can go on troubleshooting this issue after the following one.


We now have another problem.


We have made HA for two CAMs and two CASs; the failover for both CAMs and both CASs works fine and is stable.

The active CAM sees the active CAS, but if I reboot the active CAS, the CAM can't see the new active CAS,

and the same happens if I make the other CAM active.


I have attached a picture of our scenario.


Thanks ,


Ayman Yehia

ayman emara Tue, 12/15/2009 - 03:37

Hi Faisal,


We have just now reached the solution for the HA problem,


but the integration with AD is still not solved.



thanks for your help,


Ayman Yehia
