I am trying to get SSO working for a CAS/CAM in an in-band virtual gateway for VPN users coming in off an ASA5520. There are two VPN groups, each with its own group policy and tunnel group. One group uses a Windows IAS RADIUS server and the other a token-based RADIUS RSA device.
Users use the AnyConnect client to connect to the ASA, where they are dumped into a VLAN. SSO works for the group that uses the Windows RADIUS server. On the CAS the Cisco VPN Auth server has the Unauthenticated Group as the default group, and then I use mapping rules (Framed_IP_Address) to get the different VPN groups into the right roles. This works for the one group, but since SSO is not working on the second group the CAS never gets the chance to assign them into the correct role.
The only thing I got is this from the ASA:
AAA Marking RADIUS server billybob in aaa-server group cas_accounting as ACTIVE
AAA Marking RADIUS server billybob in aaa-server group cas_accounting as FAILED
Sorry, I spoke too soon. After the reboot, which I thought fixed everything, I only tried the VPN group that hadn't worked before. When it did function, I assumed the other group would work because it always had. But don't you know it.... not to be. It seems as though the CAS only wants to be the accounting server to one group.
This is the strange thing. For days Group A (Windows RADIUS server) was working and Group B (RSA RADIUS server) would not work. Then for some reason I had to reboot the CAS and BOOM...Group B started working and Group A STOPPED working.
So on the ASA I now get these:
AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as ACTIVE
AAA Marking RADIUS server cas2-hvn-3515 in aaa-server group cas_accounting2 as FAILED
Where cas_accounting2 is the AAA server group for Group A.
On the ASA I can see that the FW sends a packet to the CAS:
"send pkt cas2-hvn-3515/1813"
but the FW never gets an answer back from the CAS for Group A whereas with Group B I can see the response from the CAS.
"rad_vrfy() : response message verified"
What can I look for in the CAS logs to see where the problem is? I will try and set up a packet capture on the CAS and debug it too.
On the CAS I had two VPN concentrators declared because I thought I needed two for the two groups, each with their own shared secret. I didn't realize that the communication is between the ASA and the CAS only. I thought the conversation involved the RADIUS server as well, and if I have two RADIUS servers I needed two VPN concentrators in the CAS. So the accounting request and the accounting response are between the CAS and the ASA only.
All you need is one VPN concentrator declared on the CAS, and in the ASA use the same AAA server for accounting for both VPN tunnel groups and you are good.
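The failure mode in this thread (the ASA sends an Accounting-Request to port 1813 and never gets a response) is what a RADIUS accounting server does when the Request Authenticator does not verify under its configured shared secret: RFC 2866 says to silently discard the packet. The following is an added example, not code from the thread or from Cisco; it builds a constructed Accounting-Request carrying the Framed-IP-Address attribute the CAS mapping rules key on, then checks it the way a server would. The secrets, identifier and IP are made-up sample values.

```python
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4        # RADIUS Accounting-Request code (RFC 2866)
FRAMED_IP_ADDRESS = 8   # attribute type the CAS mapping rules match on


def build_accounting_request(secret: bytes, ident: int, framed_ip: str) -> bytes:
    """Constructed Accounting-Request with a single Framed-IP-Address attribute."""
    attrs = struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6,
                        ipaddress.IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(pkt: bytes, secret: bytes):
    """Return (authenticator_ok, framed_ip) as an accounting server would see it.

    When authenticator_ok is False the server must discard the packet without
    replying, which on the ASA shows up as a server marked ACTIVE then FAILED
    with no 'response message verified' line.
    """
    if len(pkt) < 20:
        return False, None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return False, None
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    framed_ip = None
    pos = 20
    while pos + 2 <= len(pkt):          # walk the TLV attribute list
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            break                       # malformed attribute: stop parsing
        if atype == FRAMED_IP_ADDRESS and alen == 6:
            framed_ip = str(ipaddress.IPv4Address(pkt[pos + 2:pos + 6]))
        pos += alen
    return expected == pkt[4:20], framed_ip
```

Running the same packet through the verifier with the secret of the "other" VPN concentrator entry reproduces the silent drop: the attribute parses fine, but the authenticator check fails and no Accounting-Response would be sent.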