Problem With VPN SSO - NAC Inband VGW

Unanswered Question
Mar 3rd, 2010

I have a problem with VPN SSO in NAC In-Band VGW. All is configured, but:

- CAA requests username and password after the VPN connection.

- Users don't appear in "Active Clients".

# ASA Configuration

Authentication/Authorization: ACS

Accounting: CAS

# CAS Configuration

VPN Concentrator: ASA

Accounting Server: ACS

Mapping: ASA <> ACS

In addition to CAA requesting username and password, it keeps opening all the time after the first login.

Faisal Sehbai Thu, 03/04/2010 - 10:33

Eduardo,

Sorry I couldn't get to these before. I'll look at the data and post here later.

Thanks,

Faisal

ecamposvr Tue, 03/16/2010 - 18:16

I have an update for this case:

- CAA requests username and password after the VPN connection.

(Solved) VPN SSO is being done.

- Users don't appear in "Active Clients".

(Solved) VPN users appear in "Active Clients". I changed the ASA's IP address in CAS > VPN Auth > VPN Concentrator.

The only problem now is that the CCA opens from time to time. This interval varies according to how I change the "Agent VPN Detection Delay" in VPN Auth.

Any idea what it could be?

maxim_gorbatov Wed, 03/17/2010 - 23:26

Hi, Eduardo!

I had the same problem with CAA.

I fixed it by setting SwiftTimeout in the registry (HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\). This solution only works in NAC version <= 4.5.

In 4.7 you need to edit the NACAgentCFG.xml file.

I hope it helps you.

ecamposvr Thu, 03/18/2010 - 08:12

SwiftTimeout or SwissTimeout? Tell me how I should put it there.

I realized that when the VPN user authenticates (SSO), NAC adds it to Certified Devices, but "User MAC" is the physical adapter and not the VPN adapter.

maxim_gorbatov Fri, 03/19/2010 - 00:37

Of course it's swisstimeout! I'm sorry!

Which NAC version do you have?

If you have 4.5.1, please read page C-3 of "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide Release 4.5(1)".

I think the MAC address is OK!

I think that CCA sends all MACs from the computer, but puts only the first one in the Certified Devices list.
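For readers following maxim_gorbatov's workaround on a NAC 4.5 or earlier agent, the following is an added example (not from any poster in this thread and not Cisco's own tooling) of checking and setting the SwissTimeout value under the registry key he names. Only the key path and the value name come from the thread; that the value is a DWORD, that it is measured in seconds, and the number 60 are assumptions to be confirmed against page C-3 of the 4.5(1) CAM guide he cites. Because the key lives under HKEY_CURRENT_USER, the script must run in the session of the user who launches the Clean Access Agent, not in an elevated administrator session that has a different HKCU hive.

```powershell
# Added example: inspect and set the Clean Access Agent SwissTimeout value.
# Key path and value name are from the thread; DWORD type, seconds unit and
# the chosen number are assumptions, not verified against Cisco documentation.
$KeyPath    = 'HKCU:\Software\Cisco\Clean Access Agent'
$ValueName  = 'SwissTimeout'
$NewTimeout = 60   # assumption: seconds; choose a value longer than the CAS "Agent VPN Detection Delay"

# Refuse to create the vendor key ourselves: if it is missing, the agent is
# probably not installed for this user, or we are running in the wrong user context.
if (-not (Test-Path -Path $KeyPath)) {
    throw "Key '$KeyPath' not found. Run this as the user who runs the Clean Access Agent."
}

# Show the current state so the change can be reverted if it does not help.
$current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $current) {
    Write-Host ("Current {0}: {1}" -f $ValueName, $current.$ValueName)
} else {
    Write-Host ("{0} is not set; the agent is using its built-in default" -f $ValueName)
}

# -Force overwrites an existing value or creates a new one of the given type.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                 -Value $NewTimeout -Force | Out-Null

$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
Write-Host ("{0} is now {1}" -f $ValueName, $after)
# The agent reads the key at startup; log off and back on (or restart the
# agent) before re-testing the VPN login.
```

Note that this only addresses the agent-side timer; the thread's final resolution for 4.7.2 (removing the VPN pool from "Managed Networks" on the CAS) is a server-side change and is not covered by this script.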

ecamposvr Fri, 03/19/2010 - 13:55

No problem.... I have NAC 4.7.2.

I tried to add swisstimeout in CCA xml, but did not work.

ecamposvr Thu, 04/08/2010 - 15:09

Solved! As requested by the TAC engineers, the VPN pool was removed from "Managed Networks."
