NAC In-Band Virtual Gateway VPN SSO problem

Hi,

I have implemented a NAC solution for remote users. The CAS appliance is configured in in-band virtual gateway mode.

I have followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

Remote users can log in successfully using the Cisco VPN software, and they can ping the NAS but not the DNS (the ASA offers the IP address but not the DNS, I don't know why).

When I access the NAS, I can download the NAC Agent, but VPN SSO is not performed and the Agent asks me to log in using the LOCAL DB.

Any help please,

Regards,

Re: NAC In-Band Virtual Gateway VPN SSO problem

Hi,

Post your network diagram and the "sh run" from your ASA. You can hide the passwords and keys in there.

Thanks,

Faisal

Re: NAC In-Band Virtual Gateway VPN SSO problem

Hi,

Thanks for your reply,

I've added the ASA to the ACS. Should I add the CAM and CAS too? If yes, how do remote users get their IP address after VPN SSO is performed?

regards,

Re: NAC In-Band Virtual Gateway VPN SSO problem

Hello,

You don't identify the IP addresses of the devices in the picture, so I'm going here based on certain assumptions. If these are wrong, then obviously so would be my diagnosis. Is 10.10.40.10 your ACS server? If so, you only have that defined in the ASA and are not sending the accounting packets to your CAS, which is where you have to send your accounting packets from the ASA to get VPN SSO working.

If this isn't your ACS, please identify what the devices' IP addresses are in the diagram.

HTH,

Faisal

Re: NAC In-Band Virtual Gateway VPN SSO problem

Hello,

Thank you for your reply,

Yes, the IP address of the ACS server is 10.10.40.10.

And I think that the ASA is configured to send accounting packets to the ACS. See below:

aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key nac
 radius-common-pw nac
!
...
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group ACS_ACCOUNTING
!
...

Is there anything missing?

Regards,

Lamine

Re: NAC In-Band Virtual Gateway VPN SSO problem (Accepted Solution)

Lamine,

For VPN SSO to work, you have to send the accounting packet to the CAS. The CAS can in turn send that to the ACS if you require accounting also be done on the ACS, but for SSO to work, the accounting has to hit the CAS.

HTH,

Faisal

Re: NAC In-Band Virtual Gateway VPN SSO problem

Hi,

I know that, but how do I do it? Should I change the IP address of the accounting server in the ASA config?

Regards,

Lamine

Re: NAC In-Band Virtual Gateway VPN SSO problem

Lamine,

Yep. Change that on the ASA, either through the CLI or use this link to do it using ASDM: http://bit.ly/b12WFf

HTH,

Faisal
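
The change Faisal describes, shown as an added example that is not part of the thread or of Cisco's documentation: the ASA's RADIUS accounting is pointed at the CAS instead of the ACS, while authentication still goes to the existing AAA_SRV group. The CAS address 10.10.40.20, the secret, and the accounting port are assumptions and must match what is configured on the CAS (the CAS must have the ASA added as a VPN concentrator with the same shared secret, which the configuration example linked in the original post covers). VPN SSO works because the CAS learns the user name and assigned address from the Accounting-Start it receives, so it is the accounting destination, not the authentication destination, that matters. The ASA's default RADIUS accounting port is 1646, so setting it explicitly avoids a silent mismatch with the port the CAS listens on. Use a real shared secret rather than a short word like "nac" as in the posted config, since RADIUS accounting from the ASA is authenticated only by that secret.

```cisco
! Added example, not from the original thread.
! Accounting group that targets the CAS (address 10.10.40.20 is assumed).
aaa-server CAS_ACCOUNTING protocol radius
aaa-server CAS_ACCOUNTING host 10.10.40.20
 key <strong-shared-secret>
 ! Match the accounting port configured on the CAS; 1813 is assumed here.
 accounting-port 1813
!
! The ACS group stays in place for authentication; it is simply no longer
! the accounting target for the remote-access tunnel group.
aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key <strong-shared-secret>
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group CAS_ACCOUNTING
```

After applying this, "show aaa-server CAS_ACCOUNTING" on the ASA should show accounting requests being sent and accepted, and "debug radius" during a test VPN login should show the Accounting-Start leaving for the CAS with the Framed-IP-Address of the assigned pool address. If the CAS still prompts for a local login, confirm from the CAS side that the ASA is listed as a VPN concentrator and that the shared secret and port match; a secret mismatch is dropped silently by RADIUS, so it looks exactly like accounting not arriving at all. If accounting records are also required on the ACS, the CAS can forward them, as Faisal notes, rather than the ASA sending a second copy.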
