Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC In-Band for AnyConnect Clients are not put in-band


I am trying desperately to get this working and I know I am VERY close. The problem is AnyConnect users logon the ASA. They get authenticated through the CAS. They open a web page on the CAS. They get a redirect to the agent download. The agent installs. And thats it. Nothing else happens.

In my lab after the agent installs, then the user gets the NAC Agent GUI pop-up and they have to logon again to get to the network they want to get to.

That does not happen in my case. Here is a drawing of the setup. These users are ultimately trying to get to the Terminal Server Farm.

On the CAS I see them as VPN authorized. But the SSO piece does not seem to be working. I dont see them as In-Band. They are not forced into a role.

This may or not be something. Its from the CAS nac_server.log

I see this when an AnyConnect user logs in:

2009-08-27 15:28:50.636 -0400 WARN com.perfigo.wlan.jmx.admin.VPNUserManager - Failed to forward accounting request.Client Receive Exception: Packet Receive Failed (Receive timed out)

I dunno, but I am going nuts on this