We have a Cisco Clean Access Standard Manager running version 4.9.1 with the Windows NAC Agent version 184.108.40.206 running on the server for posture assessment of our clients connecting via SSL AnyConnect VPN. The CAS is running in an in-band Layer 2 Virtual Gateway deployment. After a user connects to the VPN and attempts to browse to a network resource via a web browser, they are redirected (as expected) to the CAS server to download and install the NAC Agent. Once the NAC Agent is installed, it attempts to begin the posture assessment. The assessment window sits for a few seconds, closes, and then starts the assessment again. This cycle continues in an endless loop. Does anyone know what could be causing this?
I checked the logs from the NAC agent. It's generating the following logs over and over:
02/11/2014 14:12:52 NETLOGON (ID=0x0c8a): This computer could not authenticate with \\server.domain.com, a Windows domain controller for domain DOMAIN-DOM, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
02/11/2014 14:12:37 Microsoft-Windows-GroupPolicy (ID=0x0469): The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
02/11/2014 14:12:04 Microsoft-Windows-GroupPolicy (ID=0x05dd): The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.
Looks like it is unable to authenticate to my domain controller although there is a "success" log right before the errors.
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...