I have been working on a lab setup that I would like to be able to show to potential customers for NAC Appliance (or CCA). I had no problems when using NAC in L3 OOB as might be deployed in a routed LAN type of setting, but I am having a horrible time getting it to work L3-IB with VPN/SSO even though I am trying my best to go by the documentation:
I find a few things about this document very confusing, and suspect that is where my trouble lies:
1) There is no mention of the RADIUS setup in this document other than to say "set it up". So I am wondering...
a) What version of ACS do I need? (3.3 currently).
b) Which RADIUS Service (IOS? IETF?)
c) What is the IP of the RADIUS server in that document? I see two addresses: 172.18.124.101 and 172.18.85.181. To make matters worse, there are discrepancies in the config of the ASA in that document which conflict with the screen shots.
Just so I understand, because this differs from the document I linked a fair amount ... the ASA (Concentrator) should AAA Auth to the CAM (which will pass it through to the ACS 3.3 as IETF) and should AAA Account to the CAS (which will pass it through to the ACS as IETF which will use it to SSO to the network) ... is that right? So the ASA does not need to point to the ACS directly?
Does this sound right? When I try and connect, my VPN does not authenticate. Prior to this, I was configured to have the ASA talk directly to the ACS as a RADIUS authentication server (CAS was always the Accounting Server).