NAC OOB L2 - Authentication login page doesn't appear!

ayman emara
Level 1

Hi All,

We have 2 NAC managers and 2 NAC servers in a failover solution. Our deployment is OOB Layer 2 Central Virtual Gateway. We have successfully added the NAS into the NAM and done the required configuration in the NAM: VLAN mapping (from the untrusted VLAN 913 to the trusted VLAN 910), a managed subnet, a switch profile, a port profile, adding the switches (Cisco 3560) to the NAM, user roles, local users and also the user login page.
Then we tested it by connecting a PC to the controlled port on the switch.
The controlled port was configured on VLAN 910; after connecting the PC it was converted to VLAN 913 and we successfully got an IP from the DHCP configured on the switch, but the authentication login page didn't appear! Also, when we disconnect the PC from that port, the configuration isn't converted from VLAN 913 back to VLAN 910, so we have to change it manually every time to do our tests.

What should we do to let the login page appear and also automatically let NAM change the port configuration after disconnecting the PC?

Thanks in advance.


Faisal Sehbai
Level 7

Some things to check for:

- Make sure that the managed subnets are configured correctly (untrusted VLAN, an IP address instead of a subnet)

- Make sure there are no L3 SVIs for the untrusted VLANs

- How are you trying to get to the authentication page? If you are just browsing to any website, make sure DNS is working; otherwise try with an IP address in the browser

- Try browsing to the IP address of the CAS

HTH,

Faisal

Hi Faisal,

Thanks a lot for your reply. I tried to browse to the IP address of the CAS and could access it successfully. I browsed to a website using its IP address, the authentication page appeared, and when I log in with the local username and password, the following message appears:

Network Error:
Clean Access Server could not establish a secure connection to Clean Access Manager at CAI35554424ZNM1.
This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
Please report this to your network administrator.

Also, when I connect the PC to the controlled port (which is in the untrusted VLAN 913), I can get an IP from the DHCP, but this VLAN isn't mapped to the trusted VLAN (910) and the port is still in VLAN 913 on the switch. Please find attached the VLAN mapping, port profile and managed subnet configuration.

Thanks again for your cooperation!

Are your certificates for the CAM and the CAS issued to IP addresses or DNS names? If DNS names, are those names resolvable by the DNS server that your clients use? Can the CAM and CAS resolve each other's name?

Faisal

Hi Faisal,

Thanks for your help. We managed to issue a new certificate with the IP address of the NAM instead of the NAS, and it worked: the agent is downloaded and works fine.

But we have another issue in the implementation: the integration with Active Directory on Windows 2008 (we have read that it supports only specific versions of 2003). So if you have any update on that, please share it.

Thanks in advance

Ayman Yehia
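Faisal's three questions above (is the certificate issued to an IP or a name, does the name resolve, can CAM and CAS resolve each other) map one-to-one onto the three causes listed in the CAS "Network Error" message, and the fix Ayman describes (reissuing the certificate for the address the CAS actually connects to) changes only the name-matching cause. The script below, written for this page and not part of Cisco NAC or of either poster's setup, checks the three causes against a certificate in the dictionary layout Python's ssl.getpeercert() returns. The sample certificate, the host names cam1.example.com, the address 192.0.2.10 and the two observation times are constructed; the live fetch_peer_cert() helper assumes the CAM's certificate or issuing CA is available as a PEM file.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns: a CAM
# certificate issued to a DNS name only (no IP entry), valid through 2010.
SAMPLE_CAM_CERT = {
    "subject": ((("commonName", "cam1.example.com"),),),
    "subjectAltName": (("DNS", "cam1.example.com"),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}
# Constructed observation times: one inside the validity window, one after it.
NOW_2010 = datetime(2010, 6, 1, tzinfo=timezone.utc)
NOW_2012 = datetime(2012, 6, 1, tzinfo=timezone.utc)


def cert_identities(cert):
    """Every identity the certificate asserts, as (kind, value) with kind 'DNS' or 'IP Address'."""
    found = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                found.append(("DNS", value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            found.append((kind, value))
    return found


def name_matches(cert, target):
    """Does target (a hostname or an IP literal) match one of the certificate's identities?
    A leading '*.' wildcard covers exactly one label. A CN holding an IP literal is
    accepted, because that is what the reissued certificate in the thread relies on."""
    try:
        ipaddress.ip_address(target)
        target_is_ip = True
    except ValueError:
        target_is_ip = False
    target = target.lower()
    for kind, value in cert_identities(cert):
        value = value.lower()
        if value == target:
            return True
        if target_is_ip or kind != "DNS":
            continue
        if value.startswith("*.") and "." in target and target.split(".", 1)[1] == value[2:]:
            return True
    return False


def dns_resolves(target):
    """Live resolver check; an IP literal trivially resolves."""
    try:
        socket.getaddrinfo(target, None)
        return True
    except socket.gaierror:
        return False


def diagnose(cert, target, now=None, resolves=dns_resolves):
    """Return whichever of the three causes named in the CAS 'Network Error' apply."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    reasons = []
    if not (not_before <= now <= not_after):
        reasons.append("1) certificate has expired (or is not yet valid)")
    if not name_matches(cert, target):
        issued_to = ", ".join(v for _, v in cert_identities(cert))
        reasons.append("2) certificate cannot be trusted: issued to %s, but the CAS connects to %s"
                       % (issued_to, target))
    if not resolves(target):
        reasons.append("3) cannot be reached: %s does not resolve" % target)
    return reasons


def fetch_peer_cert(host, port=443, cafile=None):
    """Fetch the CAM's certificate as the CAS would see it. Chain verification stays on
    (getpeercert() returns {} under CERT_NONE) but hostname checking is off, so a
    mismatched name is reported by diagnose() instead of aborting the handshake.
    cafile is the CAM's own certificate or its issuing CA in PEM form (assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Reproduces the thread's situation: the CAS is told to reach the CAM by IP,
    # but the certificate was issued to a DNS name.
    for reason in diagnose(SAMPLE_CAM_CERT, "192.0.2.10", NOW_2010, lambda _: True):
        print(reason)
```

Running it prints only cause 2, which is why reissuing the certificate for the IP address the CAS uses (as Ayman did) cleared the error; had DNS been the problem, cause 3 would have appeared as well.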

AD SSO is supported with all Windows 2003, but with 2008 only a single server is supported, and it also has to be 32-bit. 64-bit servers aren't supported yet.

HTH,

Faisal

Hi Faisal,

We have tried to set up SSO with a single Active Directory on Windows Server 2003 R2 SP2, did the required configuration on both the NAC and AD, and ran the ktpass.exe command, which succeeded in setting the user to DES-only encryption.

But when we update Windows Authentication - Active Directory SSO in the NAC we get the following error:

Error : Could not start the SSO service. Please check the configuration.

Can you help us with this error?

Thanks,

Ayman Yehia

Ayman,

What's the exact version of ktpass you used?

Faisal

KTPass version is 5.2.3790.0

Okay, can you post the ktpass command that you ran?

Also CAS logs showing the error message?

Thanks,

Faisal

Hi Faisal,

The ktpass command is:

C:\Program Files\Support Tools>ktpass.exe -princ test/cai35554424zdc1.domain.com@DOMAIN.COM -mapuser test -pass test123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +Desonly

and the logs are attached.

Thanks for your help

Hi Faisal,

The ktpass command is as follows:

C:\Program Files\Support Tools>ktpass.exe -princ test/cai35554424zdc1.domain.com@DOMAIN.COM -mapuser test -pass test123 -out c:\mai.keytab -ptype KRB5_NT_PRINCIPAL +Desonly

and the log file is attached.

Thanks
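The two ktpass invocations above write a keytab (c:\test.keytab, c:\mai.keytab) and set the mapped account to DES-only, and the thread never confirms what actually landed in that file. The parser below, added for this page and not part of Cisco NAC or of ktpass, reads the MIT keytab format that ktpass emits (version bytes 0x05 0x02, then length-prefixed entries carrying realm, principal components, name type, timestamp, kvno and the key block) and reports each principal's encryption type, so an administrator can confirm the entry really is a DES type before blaming the SSO service. The sample keytab is constructed in the block itself with the thread's principal and realm; the key bytes, the kvno values and the second principal HTTP/cas.example.com are made up for the example.

```python
import struct

# Enctype numbers from RFC 3961; ktpass +DesOnly yields one of the two DES types.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DES_ENCTYPES = {1, 3}
KRB5_NT_PRINCIPAL = 1          # the -ptype value used in the thread
KEYTAB_V2 = b"\x05\x02"        # file header of a version-2 MIT keytab


class _Reader:
    """Minimal big-endian cursor over a keytab byte string."""

    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos

    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]

    def counted(self):
        """counted_octet_string: uint16 length followed by that many bytes."""
        n = self.take(">H")
        raw = self.data[self.pos:self.pos + n]
        if len(raw) != n:
            raise ValueError("truncated keytab")
        self.pos += n
        return raw


def _counted(raw):
    return struct.pack(">H", len(raw)) + raw


def build_entry(principal, realm, enctype, key, kvno=1, timestamp=0):
    """Encode one keytab entry (used here only to construct the sample file)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)              # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body   # int32 size prefix


def build_keytab(entries):
    return KEYTAB_V2 + b"".join(entries)


def parse_keytab(data):
    """Decode every live entry into a dict; a negative size marks a deleted slot."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version 0x0502 keytab")
    reader = _Reader(data, 2)
    entries = []
    while reader.pos + 4 <= len(data):
        size = reader.take(">i")
        if size < 0:
            reader.pos += -size
            continue
        end = reader.pos + size
        ncomp = reader.take(">H")
        realm = reader.counted().decode()
        comps = [reader.counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = reader.take(">IIB")
        enctype = reader.take(">H")
        key = reader.counted()
        kvno = reader.take(">I") if end - reader.pos >= 4 else vno8
        reader.pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "des_only": enctype in DES_ENCTYPES,
            "key_len": len(key),
        })
    return entries


def non_des_entries(data):
    """Principals whose key is not a DES type, i.e. would not satisfy a DES-only requirement."""
    return [e["principal"] for e in parse_keytab(data) if not e["des_only"]]


# Constructed sample: the thread's principal with a DES key, plus a second,
# made-up principal with an AES key for contrast. Key bytes are arbitrary.
SAMPLE_KEYTAB = build_keytab([
    build_entry("test/cai35554424zdc1.domain.com", "DOMAIN.COM", 3, bytes(range(1, 9)), kvno=3),
    build_entry("HTTP/cas.example.com", "DOMAIN.COM", 18, bytes(32), kvno=2),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry["principal"], entry["enctype_name"], "kvno", entry["kvno"],
              "DES" if entry["des_only"] else "not DES")
```

Point the parser at the real file with parse_keytab(open(r"c:\test.keytab", "rb").read()). Note that DES is a legacy cipher that newer Windows releases disable by default, so on a domain controller later than the 2003 R2 box in the thread the same ktpass command may not produce a usable DES entry at all; that is worth ruling out before reading CAS logs.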

Hello,

Wrong log files. I'm looking for the CAS logs from when the SSO service is started. To get those, log on to your CAS by going to https:///admin and clicking on support logs.

Faisal

Hi Faisal,

I do not know if the logs for the CAS will help you now, as we have since set up High Availability for the CAM and the CAS, but I have submitted them to you.

So we can go on troubleshooting this issue after the following one.

We now have another problem.

We have set up HA for two CAMs and two CASs. The failover for both CAMs and both CASs works fine and is stable.

The active CAM sees the active CAS, but if I reboot the active CAS, the CAM can't see the new active CAS.

The same thing happens if I make the other CAM active.

I have attached a picture of our scenario.

Thanks ,

Ayman Yehia

Hi Faisal,

We have just now reached the solution for the HA problem,

but the integration with AD is still not solved.

Thanks for your help,

Ayman Yehia
