My name is Daniel Yamashita and I'm in charge of the CCA deployment at one of our customers. I've already done a couple of deployments using the Cisco 3350 and 3310 appliances, both in HA FO and single mode, and in SW versions 4.1 and 4.5.
I'm facing some functionality issues and I was wondering if you guys could help me. Here is the scenario:
- The LAN isn't segmented; there is only ONE access L3 VLAN, with ID 20, name Corp and IPs in the 172.20.0.0/16 subnet. There is also a VLAN 1000, which is for device management only.
- There are only 3 requirements on the CCA solution: a McAfee installation verifier, a McAfee virus definition verifier (McAfee server managed locally) and a Windows hot-fixes/updates verifier (WSUS server managed locally).
- I opted for the OOB VIP Gtw deployment mainly because some of the employee workstations have statically assigned IP addresses, and there are 3 CAS appliances since there are 800+ stations that will work with the CCA Agent installed locally.
- Attached is a logical topology of the deployment, with IP addresses and trunk configs as well.
1) Instability: if all 3 CAS instances are up and running, I randomly get a "Not Connected" on any of the CASs. After a HW reboot the appliance goes back to answering pings.
2) SSO: I've deployed the CCA Agent on one employee desktop controlled via Port Profile at the CAM. The SSO process starts and no error message is displayed, but the Local DB authentication screen comes up next, and that doesn't work either.
3) Authentication: as soon as the auth process starts, the Cisco 4509 HSRP core switch starts running towards high CPU; it stays at almost 80%.
4) IP: the station gets an IP from the DHCP server on access VLAN 20 but can ping only one of the CASs and nothing else.
5) All ports and IP addresses involved in the SSO process are open and permitted through the CASs on ALL user roles via Traffic Control settings, including the Unauthenticated Role.
So I understand that the clients are not connecting in either local or SSO mode; is that correct?
I would suggest 3 things so far:
1. Check the logs on the switches where the CASs are connected. I had a similar problem where the CAS would stop responding and the switches complained about VLAN mismatch or MAC flapping. If you notice errors on the switches, verify that you have:
* VLAN mapping enabled correctly
* A different native VLAN on the switch interfaces for the trusted and untrusted CAS ethX
* The correct VLANs configured on each port: for the untrusted interface just the authentication (layer 2) VLANs, for the trusted interface the access VLAN (20) and the management VLAN
2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
3. On the CAM, go to the Clean Access Server section and manage one of your CASs; the first window shows the services currently running on the CAS. Verify that the SSO service is running; if it's not, verify the configuration. If it won't let you enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
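As an added illustration of the three switch-side checks in point 1 (this is example configuration written for this thread, not configuration taken from the original poster's attachment), here is what the two trunk ports facing one CAS could look like in Cisco IOS. Only VLAN 20 (Corp access VLAN) and VLAN 1000 (device management VLAN) come from the thread; the interface names, the authentication VLAN ID (120) and the two unused native VLAN IDs (998 and 999) are assumptions chosen for the example.

```cisco
! Assumed: CAS eth0 (trusted) is on Gi1/0/1, CAS eth1 (untrusted) is on Gi1/0/2.
! Assumed VLAN IDs: 120 = authentication (layer 2) VLAN, 998 and 999 = unused
! VLANs that exist only to serve as native VLANs on the two trunks.
! From the thread: VLAN 20 = Corp access VLAN, VLAN 1000 = device management VLAN.
vlan 120
 name NAC-Auth
vlan 998
 name Native-Untrusted-Unused
vlan 999
 name Native-Trusted-Unused
!
! Trusted side: carries only the access VLAN and the management VLAN.
! The management VLAN is tagged here, matching the CAS setting in point 2.
! The native VLAN is an unused VLAN so nothing user- or management-related
! travels untagged.
interface GigabitEthernet1/0/1
 description CAS-1 eth0 trusted
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,1000
 switchport nonegotiate
!
! Untrusted side: only the authentication VLAN(s); never the access VLAN
! or the management VLAN. The native VLAN differs from the trusted port's,
! so the CAS cannot end up bridging one untagged VLAN back onto itself,
! which is what the switch reports as MAC flapping or a native VLAN mismatch.
interface GigabitEthernet1/0/2
 description CAS-1 eth1 untrusted
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 120
 switchport nonegotiate
```

The CAS side of this, the VLAN 120 to VLAN 20 mapping, is configured on the CAM rather than on the switch. To look for the two symptoms mentioned above, `show logging | include NATIVE_VLAN_MISMATCH|MACFLAP` will pull out the `%CDP-4-NATIVE_VLAN_MISMATCH` and `%SW_MATM-4-MACFLAP_NOTIF` messages, and `show interfaces trunk` confirms the native and allowed VLANs actually in effect on each port.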
So... you have 2 network segments on the same authentication VLAN and only one mapping???
I'm not sure this is possible... from what I've tested, I believe you should have 2 auth VLANs (one for each subnet) and 2 mappings to 2 different access VLANs...
You could confirm this by testing with only one network, removing the configuration for the other managed subnet, and seeing if you notice any difference. That would help us all know whether that's possible or not.
Is it possible to implement SSO in a NAC scheme in which the CAS is OOB and the LAN switch is manageable? If so, is the setup of the CAS and CAM, or of the switches, similar to the one applied to wireless and VPN users? Can anyone provide me with documentation?