NAC In-Band Virtual Gateway VPN SSO problem

Answered Question
Jan 26th, 2010

Hi,


I have implemented a NAC solution for remote users. The CAS appliance is configured in in-band virtual gateway mode.


I have followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml


Remote users can log in successfully using the Cisco VPN software and they can ping the NAS but not the DNS (the ASA offers the IP address but not the DNS; I don't know why).


When I access the NAS, I can download the NAC Agent but VPN SSO is not performed and the Agent asks me to log in using LOCAL DB.


Any help please,


Regards,

Faisal Sehbai Wed, 01/27/2010 - 09:02

Hi,


Post your network diagram and "sh run" from your ASA. You can hide the passwords and keys in there.


Thanks,

Faisal

b_lamine81 Wed, 01/27/2010 - 22:50

Hi,


Thanks for your reply,


I've added the ASA to the ACS. Should I add the CAM and CAS too? If yes, how do remote users get their IP address after VPN SSO is performed?


regards,

Attachment: 
Faisal Sehbai Sat, 02/06/2010 - 21:50

Hello,


You don't identify the IP addresses of the devices in the picture so I'm going here based on certain assumptions. If these are wrong, then obviously so would be my diagnosis. Is 10.10.40.10 your ACS server? If so, you only have that defined in the ASA and are not sending the accounting packets to your CAS, which is where you have to send your accounting packets from the ASA to get the VPN SSO working.


If this isn't your ACS, please identify what the device's IP addresses are in the diagram.


HTH,

Faisal

b_lamine81 Sat, 02/06/2010 - 23:17

Hello,


Thank you for your reply,


Yes, the IP address of the ACS server is 10.10.40.10.


And I think that the ASA is configured to send accounting packets to the ACS. See below:


aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key nac
 radius-common-pw nac
!
...
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group ACS_ACCOUNTING
!
...


Is there anything missing?


Regards,

Lamine

Correct Answer
Faisal Sehbai Sun, 02/07/2010 - 12:56

Lamine,


For VPN SSO to work, you have to send the accounting packet to the CAS. The CAS can in turn send that to the ACS if you require accounting also be done on the ACS, but for SSO to work, the accounting has to hit the CAS.


HTH,

Faisal

b_lamine81 Mon, 02/08/2010 - 02:47

Hi,


I know that, but how do I do it? Should I change the IP address of the accounting server in the ASA config?


Regards,

Lamine
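The thread's diagnosis is that the ASA's accounting-server-group for the remote-access tunnel group points at the ACS (10.10.40.10) instead of the CAS, so the CAS never sees the RADIUS accounting start that drives VPN SSO. The following is an added example, not code from the thread or from Cisco: a small checker that parses an ASA running-config excerpt, resolves each tunnel-group's accounting-server-group to the hosts behind it, and reports whether accounting actually reaches the CAS. Both config excerpts are constructed; the CAS address 10.10.40.20 and the group name CAS_ACCOUNTING are assumed placeholders, because the thread never states the CAS's address.

```python
"""Check whether an ASA tunnel-group sends RADIUS accounting to the NAC CAS.

Added example (not from the thread). Parses an ASA running-config excerpt,
maps 'accounting-server-group' -> 'aaa-server ... host' entries, and tells
you which tunnel-groups will (or will not) trigger NAC VPN SSO.
"""
import re

# Constructed excerpt mirroring the thread: accounting goes to the ACS host,
# so the CAS never receives the accounting start and SSO cannot work.
ASA_CONFIG_ACCOUNTING_TO_ACS = """
aaa-server AAA_SRV protocol radius
aaa-server AAA_SRV host 10.10.40.10
 key nac
aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key nac
 radius-common-pw nac
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group ACS_ACCOUNTING
"""

# Constructed corrected excerpt: authentication still goes to the ACS, but a
# separate aaa-server group points accounting at the CAS. 10.10.40.20 is an
# ASSUMED placeholder for the CAS address (the thread does not give it); the
# CAS can forward accounting on to the ACS if ACS accounting is also wanted.
ASA_CONFIG_ACCOUNTING_TO_CAS = """
aaa-server AAA_SRV protocol radius
aaa-server AAA_SRV host 10.10.40.10
 key nac
aaa-server CAS_ACCOUNTING protocol radius
aaa-server CAS_ACCOUNTING host 10.10.40.20
 key nac
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group CAS_ACCOUNTING
"""

AAA_HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+host\s+(\S+)")
TG_ATTR_RE = re.compile(r"^tunnel-group\s+(\S+)\s+general-attributes")
ACCT_RE = re.compile(r"^\s+accounting-server-group\s+(\S+)")


def parse_asa(config):
    """Return (aaa_hosts, tunnel_acct).

    aaa_hosts:   aaa-server group name -> list of host addresses
    tunnel_acct: tunnel-group name -> accounting-server-group name (or None)
    Top-level lines reset the context; indented lines belong to the current
    'tunnel-group ... general-attributes' stanza, as in ASA config syntax.
    """
    aaa_hosts = {}
    tunnel_acct = {}
    context = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            context = None
            m = AAA_HOST_RE.match(raw)
            if m:
                aaa_hosts.setdefault(m.group(1), []).append(m.group(2))
                continue
            m = TG_ATTR_RE.match(raw)
            if m:
                context = m.group(1)
                tunnel_acct.setdefault(context, None)
            continue
        if context is not None:
            m = ACCT_RE.match(raw)
            if m:
                tunnel_acct[context] = m.group(1)
    return aaa_hosts, tunnel_acct


def sso_accounting_check(config, cas_hosts):
    """Map each tunnel-group to True if its accounting reaches a CAS host."""
    aaa_hosts, tunnel_acct = parse_asa(config)
    results = {}
    for tg, group in tunnel_acct.items():
        hosts = aaa_hosts.get(group, []) if group else []
        results[tg] = any(h in cas_hosts for h in hosts)
    return results


if __name__ == "__main__":
    cas = {"10.10.40.20"}  # assumed CAS address, see above
    for label, cfg in (("accounting -> ACS", ASA_CONFIG_ACCOUNTING_TO_ACS),
                       ("accounting -> CAS", ASA_CONFIG_ACCOUNTING_TO_CAS)):
        for tg, ok in sso_accounting_check(cfg, cas).items():
            print(f"{label}: tunnel-group {tg}: SSO accounting reaches CAS = {ok}")
```

Run it against a pasted "show run" with the real CAS address in the `cas` set; a `False` for a remote-access tunnel-group is the condition described in this thread. The address pool is untouched either way: the ASA still hands out the VPN address, and the CAS only needs to see the accounting record to map the user for SSO.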
