We have 2 NAC managers and 2 NAC servers. We have a failover solution. Our deployment is OOB Layer 2 Central Virtual Gateway. We have successfully added the NAS into the NAM and we did the required configuration in the NAM, like configuring VLAN mapping (from the untrusted VLAN 913 to the trusted VLAN 910), adding a managed subnet, switch profile, port profile, adding switches (Cisco 3560) to the NAM, configuring user roles, local users and also the user login page.
Then we have tested it by connecting PC to the controlled port on the switch.
The configuration of the controlled port was on VLAN 910 and after connecting the PC, it was converted to VLAN 913. Then we successfully got an IP from the DHCP which is configured on the switch, but the authentication login page didn't appear! Also, when we disconnect the PC from that port, the configuration isn't converted back from VLAN 913 to VLAN 910, so we have to change it manually every time to do our tests.
What should we do to let the login page appear and also automatically let NAM change the port configuration after disconnecting the PC?
Thanks in advance.
Some things to check for:
- Make sure that managed subnets are configured correctly (Untrusted VLAN, an IP address instead of subnet)
- Make sure there are no L3 SVIs for the untrusted VLANs
- How are you trying to get to the authentication page? If just browsing to any website, make sure DNS is working, otherwise try with an IP address in the browser
- Try browsing to the IP address of the CAS
Thanks a lot for your reply. I tried to browse to the IP address of the CAS and I could access it successfully. I browsed a web site using its IP address, the authentication page appeared, and when I log in with the local username and password, the following message appears:
Clean Access Server could not establish a secure connection to Clean Access Manager at CAI35554424ZNM1.
This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
Please report this to your network administrator.
Also, when I connect the PC to the controlled port (which is in the untrusted VLAN 913), I can get an IP from the DHCP, but this VLAN isn't mapped to the trusted VLAN (910) and is still in VLAN 913 on the switch. Please find attached the VLAN mapping, port profile and managed subnet configuration.
Thanks again for your cooperation!
Are your certificates for the CAM and the CAS issued to IP addresses or DNS names? If DNS names, are those names resolvable by your DNS server that your clients use? Can the CAM and CAS resolve each others name?
Thanks for your help. We managed to issue a new certificate with the IP address of the NAM instead of the NAS, and it worked; the agent is downloaded and works fine.
But we have another issue in the implementation: the integration with Active Directory on Windows 2008 (we have read that it supports only specific versions of 2003). So if you have any update on that, please share it.
Thanks in advance.
We have tried to set up SSO with a single Active Directory on Windows Server 2003 R2 SP2, did the required configuration on both the NAC and AD, and ran the KTPass.exe command, which succeeded in setting the user to DES-only encryption.
But when we update the Windows Authentication - Active Directory SSO in the NAC, we get the following error:
Error : Could not start the SSO service. Please check the configuration.
Can you help us with this error?
The KTPass command is:
C:\Program Files\Support Tools>ktpass.exe -princ test/cai35554424zdc1.domain.com@DOMAIN.COM -mapuser test -pass test123 -out c:\test.keytab -ptype KRB5_NT_PRINCIPAL +Desonly
The logs are attached.
Thanks for your help.
The KTPass command is as follows:
C:\Program Files\Support Tools>ktpass.exe -princ test/cai35554424zdc1.domain.com@DOMAIN.COM -mapuser test -pass test123 -out c:\mai.keytab -ptype KRB5_NT_PRINCIPAL +Desonly
The log file is attached.
Wrong log files. I'm looking for the CAS logs where the SSO service is started. To get those, log on to your CAS by going to https://
I do not know if the logs for the CAS will help you now, as we have done High Availability for the CAM and the CAS, but I have submitted them to you.
So we can go on troubleshooting this issue after the following one.
We now have another problem.
We have made HA for two CAMs and two CASs. The failover for both CAMs and both CASs works fine and is stable.
The active CAM sees the active CAS, but if I reboot the active CAS, the CAM can't see the new active CAS,
and the same happens if I make the other CAM active.
I have attached a picture of our scenario.
We have just reached the solution for the HA problem,
but the integration with AD is still not solved.
Thanks for your help.
Like I mentioned before, we need to look at the CAS logs for that. Log in to https://ip_address_of_cas/admin and get the logs from the Support Logs tab.