NAC In-Band Virtual Gateway VPN SSO problem

b_lamine81
Level 1

Hi,

I have implemented a NAC solution for remote users. The CAS appliance is configured in in-band virtual gateway mode.

I have followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

Remote users can log in successfully using the Cisco VPN software and they can ping the NAS but not the DNS (the ASA offers the IP@ but not the DNS, I don't know why).

When I access the NAS, I can download the NAC Agent but VPN SSO is not performed and the Agent asks me to log in using LOCAL DB.

Any help please,

Regards,


7 Replies

Faisal Sehbai
Level 7

Hi,

Post your network diagram and sh run from your ASA. You can hide the passwords and keys in there.

Thanks,

Faisal

Hi,

Thanks for your reply,

I've added the ASA to the ACS, should I add the CAM, CAS too?? If yes, how do remote users get their IP@ after VPN SSO is performed???

regards,

Hello,

You don't identify the IP addresses of the devices in the picture so I'm going here based on certain assumptions. If these are wrong, then obviously so would be my diagnosis. Is 10.10.40.10 your ACS server? If so, you only have that defined in the ASA and are not sending the accounting packets to your CAS, which is where you have to send your accounting packets from the ASA to get the VPN SSO working.

If this isn't your ACS, please identify what the device's IP addresses are in the diagram.

HTH,

Faisal

Hello,

Thank you for your reply,

yes, the IP@ of the ACS Server is 10.10.40.10.

And I think that the ASA is configured to send accounting packets to the ACS. See below:

aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key nac
 radius-common-pw nac
!
...
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group ACS_ACCOUNTING
!
...

Is there anything missing??

Regards,

Lamine

Lamine,

For VPN SSO to work, you have to send the accounting packet to the CAS. The CAS can in turn send that to the ACS if you require accounting also be done on the ACS, but for SSO to work, the accounting has to hit the CAS.

HTH,

Faisal

Hi,

I know it, but how to do it!!! Should I change the IP@ of the accounting SRV in the ASA config???

Regards,

Lamine

Lamine,

Yep. Change that on the ASA, either through the CLI or use this link to do it using ASDM: http://bit.ly/b12WFf

HTH,

Faisal
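To illustrate why the accounting packet has to reach the CAS (added example, not from the thread, Cisco or the NAC product code): the CAS learns which VPN user holds which pool address from the RADIUS Accounting-Request the ASA sends, and it only trusts that packet if the Request Authenticator checks out against a shared key that matches the ASA's `key nac`. The username, pool address and session id below are constructed placeholders.

```python
import hashlib
import struct

# Assumed values: the secret mirrors "key nac" on the ASA; user, address and session id are constructed.
SHARED_SECRET = b"nac"
ACCT_REQUEST = 4                     # RADIUS Accounting-Request code (RFC 2866)
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
ACCT_START = 1

def _attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_acct_start(username, framed_ip, session_id, secret, identifier=1):
    """Accounting-Request(Start) as the ASA emits it once a VPN user is assigned a pool address."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(FRAMED_IP, bytes(int(o) for o in framed_ip.split(".")))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def cas_learn_session(packet, secret):
    """CAS side: accept the packet only if the shared key matches, then map user -> VPN address.
    Returns (username, ip, status_type) or None when the packet is not trusted or is malformed."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest() != packet[4:20]:
        return None                   # wrong key: packet is dropped, so no SSO for that user
    fields, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None               # malformed attribute list
        fields[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    try:
        ip = ".".join(str(b) for b in fields[FRAMED_IP])
        status = struct.unpack("!I", fields[ACCT_STATUS_TYPE])[0]
        return fields[USER_NAME].decode(), ip, status
    except (KeyError, struct.error):
        return None                   # required attributes absent: nothing to map
```

A packet built with a key other than the CAS's is rejected outright, which is the same symptom as never sending accounting to the CAS at all: the agent falls back to a local-DB login.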
