CAS SSO not working for VPN Group

Unanswered Question
Apr 22nd, 2010
User Badges:


I am trying to get SSO working for a CAS/CAM in a inband virtual gateway for VPN users coming in off a ASA5520. There are two VPN groups each with its own group policy and tunnel group. One group uses a Windows IAS Radius Server and the other a token based RADIUS RSA device.

Users use the AnyConnect client to connect to the ASA where they are dumped into a vlan. SSO works for the group that uses the Winodws radius server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different vpn groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.

The only thing I got is this from the ASA:

AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE

AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED

I am so close but cant call this done yet....

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
pener1963 Thu, 04/22/2010 - 13:20
User Badges:

Can you say reboot the CAS and SSO started working for both groups???  .... I will wait a day or so before claiming victory ...

pener1963 Thu, 04/22/2010 - 13:47
User Badges:

Sorry, I spoke too soon. After the reboot which i thought fixed everything, I only tried the VPN group that hadnt worked before. When it did funtion, I assumed the other group would work because it always had. But dont you know it.... not to be. It seems as thought the CAS only wants to be the accounting server to one group.

Back to the drawing board....

Faisal Sehbai Thu, 04/22/2010 - 15:20
User Badges:
  • Gold, 750 points or more


So for the group for which it fails, do you get an accounting packet on the CAS? Can you do a capture on the CAS port to see whether you get one?


pener1963 Fri, 04/23/2010 - 05:02
User Badges:

Hey Faisel,

Thanks for the question.

This is the stange thing. For days Group A (Windows Radius Server) was working and Group B (RSA Radius Server)  would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.

So on the ASA I now get these:

AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE

AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED

Where cas_accounting2 is the AAA server group for Group A

On the ASA I can see that the FW sends a packet to the cas:

"send pkt cas2-hvn-3515/1813"

but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.

"rad_vrfy() : response message verified"

What can I look for in the CAS logs to see where the problem is. I will try and setup a packet capture on the CAS and debug it too.

pener1963 Fri, 04/23/2010 - 11:03
User Badges:

OK I know what I did wrong:

On the CAS I had two VPN concentrators declared because I thought I needed two for the two groups each with thier own shared secret. I didnt realize that the communication is between the ASA and the CAS only. I thought the conversation involved the Radius server as well, and if I have two Radius servers I needed two VPN concentrators in the CAS. So the accounting request and the account reponse is between the CAS and the ASA only.

All you need is one VPN concentrator declared on the CAS and in the ASA use the same AAA server for accounting for both VPN tunnel groups and you are good.

Thanks to Nate! CAS Master...

Faisal Sehbai Mon, 04/26/2010 - 18:53
User Badges:
  • Gold, 750 points or more


Good to hear. Yeah, we have two buddha statues outside Nate's cube which bow to him all day long. One's labelled CAM, the other CAS.



This Discussion