Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1280
Views
0
Helpful
2
Replies

NAC agent SSO with Anyconnect Issue

ben.posner
Level 1
Level 1

‎02-08-2012 11:11 AM - edited ‎03-10-2019 06:48 PM

I want to preface this by saying that i am very green when it comes to NAC. we had an implementation done for my organization by a 3rd party vendor with no training and I don't have a good working knowledge of the system at all.

my immediate problem is with the SSO of the NAC client. SSO works fine if a user engages our Anyconnect VPN connections by opening the already installed Anyconnect client and logging in as usual. the NAC agent pops up a few moments later and you're in.

but when a user uses the browser to log in to the SSL portal and then get the Anyconnect pushed down to them, once the connection is made the NAC agent pops up a Login screen instead of just going thru as it does for the other scenario.

i've had a look at my Mapping Rules for the cisco VPN and it appears we're mapping role based on IP address. Expressions like (0,8 contains 10.56.80) etc. and as stated above, these seem to work fine when you launch Anyconnect standalone but not when Anyconnect is launched by the web browser login prodcedure.

Any ideas or places i should be looking?

Thanks in advance,

Ben Posner

Labels:
0 Helpful
2 Replies 2

ben.posner
Level 1
Level 1

‎02-08-2012 12:52 PM

update

debug radius on the ASA to ensure that both login scenarios are sending hte same data to the NAC. they are NOT. the debug radius output from the working anyconnect scenario (stand alone launch) shows three extra lines that the debug from the non-working scenario (web launched) that are missing:

Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.56.81.11 (0x0A38510B)

since i'm using the framed-ip-address as part of they nac profile identification i'd say that this is WHY the nac isn't working right in the web launched scenario but i don't know why the ASA isn't sending this info to the NAC...

0 Helpful

chris harrison
Level 1
Level 1
In response to ben.posner

‎03-30-2012 12:41 AM

Hi

I also had this issue. I enabled 'interim-accounting update' in the RADIUS server properties:

aaa-server NACSERVER protocol radius

interim-accounting-update

This resolved it for me.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents