NAC - not redirecting users to login page after upgrade
We have a NAC appliance system, consisting of one NAC manager and a failover pair of NAC servers. All machines are 3300. It is mostly used to control wireless access to our network with the web login function.
This has worked fine since installation with version 4.1.1, except that some Mac and Vista users have had some problems; for example, Safari users have not been able to log in.
About a week ago I noticed that version 4.1.3 was supposed to fix some problems with some browsers, so I decided to upgrade. I downloaded the cca-upgrade-4.1.3 file from Cisco, and uploaded it to the manager and servers from the web admin pages. Then I ran the upgrade, first on the manager, then on the servers. Everything seemed to go fine when I checked the logs.
However, after the upgrade users connecting to the net on the unprotected side of the NAC server are not redirected to the login page. Their browser tries to connect to whatever they have as startpage, and then times out.
Machines connected to the protected net get a correct IP, they can look up DNS names, and if they type the name or IP of the login page they get to it, they can login, and then everything works.
I have checked with tcpdump that the first request reaches the active NAC server, but nothing happens. Nothing can be seen in any logs on the server or the manager.
I have checked all the troubleshooting ideas from the manual, the release notes, and the NAC Appliance book, but now I am out of ideas.
Re: NAC - not redirecting users to login page after upgrade
Yes, we found the problem. It seems as if 4.1.3 handles addresses a bit differently, so we had to change the configuration a bit.
When you run the NAS as a virtual gateway, you still have to set IP addresses to the "trusted" and "untrusted" interfaces. When we installed 4.1.2 we set up a real address, routed in our network, on the trusted interface, and a private, unrouted, address on the untrusted. When a user connects to the untrusted net and tries to surf, they should be redirected to a login page.
In 4.1.2, I believe that the NAS redirected to the address on the trusted side. In 4.1.3 it seems to redirect to the address on the untrusted side. Since that address is not routed, the client never reaches the login page.
We solved it by setting the same routable address on both the trusted and untrusted side. Since the NAS acts as a bridge when set up as a virtual gateway, this seems to work, even if it is a bit unintuitive.
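One way to confirm the behaviour described in the reply above from a client on the untrusted side, as an added example that is not part of the original thread: it parses captured HTTP response headers and reports whether the redirect target lies in a prefix the clients can route to. The addresses, the `/login` path and the prefix list are constructed assumptions, not values from the poster's network.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples: response headers a client might capture when its first
# HTTP request is intercepted. 192.0.2.0/24 stands in for the routed network,
# 10.99.0.2 for a private, unrouted address on the untrusted interface.
ROUTED_PREFIXES = ["192.0.2.0/24"]
REDIRECT_TO_UNTRUSTED = ("HTTP/1.1 302 Found\r\n"
                         "Location: https://10.99.0.2/login\r\n\r\n")
REDIRECT_TO_TRUSTED = ("HTTP/1.1 302 Found\r\n"
                       "location: https://192.0.2.10/login\r\n\r\n")
NOT_A_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def redirect_host(raw_headers):
    """Return the host named in the Location header of a 3xx response, else None."""
    lines = raw_headers.split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            # A relative Location has no host part, so this returns None for it.
            return urlsplit(value.strip()).hostname
    return None


def classify_redirect(raw_headers, routed_prefixes):
    """Classify the redirect target as seen from a client on the untrusted side."""
    host = redirect_host(raw_headers)
    if host is None:
        return "no-redirect"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # a DNS name: resolve it from the client and re-check
    nets = [ipaddress.ip_network(p) for p in routed_prefixes]
    return "routed" if any(addr in net for net in nets) else "unrouted"


if __name__ == "__main__":
    for sample in (REDIRECT_TO_UNTRUSTED, REDIRECT_TO_TRUSTED, NOT_A_REDIRECT):
        print(classify_redirect(sample, ROUTED_PREFIXES))
```

An "unrouted" result matches the symptom in this thread: the redirect is issued, but the browser times out trying to reach the login page.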