Cisco Support Community

New Member

NAC VPN single sign on

At one of our client locations they implemented a NAC appliance and configured Active Directory single sign-on, which is working fine. VPN single sign-on is also configured as per the Cisco documentation. When VPN clients log in they can log in successfully, but the Clean Access Agent doesn't pop up, and I can't see any VPN users in the online list (VPN users authenticate through an ACS server). If anyone could send a proper step-by-step configuration for VPN SSO in NAC, that would be great. Thanks.

regards

Walter Mavely

12 REPLIES
New Member

Re: NAC VPN single sign on

-- configuration at the ACS:

Adding users

Adding clients AAA (PIX, CAS, CAM).

-- Configure PIX:

Adding the ACS for authentication.

Adding all that CAS server accounting.

-- configuration CAS:

Setting up the CAS to support the VPN SSO

-- Activation of the SSO and port definition of accounting at the CAS from the web interface MAC

-- Added concentrator (Pix)

-- Adding the ACS as a radius accounting server

-- Adding a mapping between the VPN concentrator and radius accounting server

-- Assign a role to VPN clients.

Anonymous
N/A

Re: NAC VPN single sign on

Did you solve the problem with the page redirection?

If so, how did you solve that?

I have the same problem after the VPN user authenticates. It seems that the NAS doesn't do a discover and didn't redirect the portal.

Also, I tried installing the NAA locally and it didn't work.

-------------------------------

I TRIED CHANGING TO REAL IP GATEWAY AND IT WORKS GOOD. BUT I NEED TO IMPLEMENT ON VIRTUAL GATEWAY.

Re: NAC VPN single sign on

What is the VPN user experience? Is it safe to assume that the VPN user can connect to the ASA but cannot access internal resources?

Let's start by confirming the pathway is good. Add 'All Traffic' to the unauthenticated role and confirm you can now access the internet network.

Gold

Re: NAC VPN single sign on

make sure the vpn traffic is somehow being directed through the cas.

it doesn't sound like it is.

is the cas in virtual gateway IB or layer 3 IB mode? is it more than one hop away from the vpn device?

New Member

Re: NAC VPN single sign on

I have exactly the same issue... the CCA Agent does not pop up; I did follow the document properly.

I know the traffic is passing through the CAS because the only traffic passing from the VPN client to the inside network is what is indicated on the filter for that role on the CAS.

Any advice?

Re: NAC VPN single sign on

Walter,

The agent only pops up when it senses the Swiss response from the CAS. That only happens when traffic hits the CAS's untrusted interface, and the CAS checks against its list of known clients and if it doesn't find that client, it will ask the agent to pop up and ask for authentication.

If you're not seeing the pop-up, make sure the traffic is traversing the CAS. Try to browse to the IP address of the CAS itself from the client and see what response you get. Alternatively, try going to an internal resource on https/http ports and see if that gets you the redirection page. With the agent installed, the agent sends out a UDP packet every 5 seconds to the discovery host. The discovery host should be a resource on the trusted side to which clients can only get after crossing through the CAS.

HTH,

Faisal
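
The discovery check described in the reply above can be run against a packet capture taken on the VPN client. The following is an added example, not part of the reply and not Cisco tooling: it reads `tcpdump -nn -tt udp` text output and reports whether the agent's periodic probes are leaving the client and whether anything answers them. It assumes the SWISS discovery ports UDP 8905 (L2) and 8906 (L3), which the thread does not state; all addresses and the function name `analyze_discovery` are constructed for illustration.

```python
import re
from statistics import median

# Constructed sample: `tcpdump -nn -tt udp` output captured on the VPN client.
# Addresses are made up; the reply's source address is illustrative only,
# because the code matches replies on port, not on source address.
SAMPLE = """\
1200000000.10 IP 10.10.10.50.1034 > 192.168.1.10.8906: UDP, length 40
1200000005.12 IP 10.10.10.50.1034 > 192.168.1.10.8906: UDP, length 40
1200000005.15 IP 192.168.1.10.8906 > 10.10.10.50.1034: UDP, length 60
1200000010.11 IP 10.10.10.50.1034 > 192.168.1.10.8906: UDP, length 40
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")

def analyze_discovery(capture, client_ip, ports=(8905, 8906)):
    """Summarise agent discovery probes and any replies seen for client_ip.

    ports: assumed SWISS discovery ports (not given in the thread).
    """
    probe_times, replies = [], 0
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip non-UDP or malformed lines
        ts, src, sport, dst, dport = m.groups()
        if src == client_ip and int(dport) in ports:
            probe_times.append(float(ts))   # client -> discovery host
        elif dst == client_ip and int(sport) in ports:
            replies += 1                    # something answered the probe
    gaps = [b - a for a, b in zip(probe_times, probe_times[1:])]
    if not probe_times:
        verdict = "no probes: agent is not sending discovery packets"
    elif replies == 0:
        verdict = "probes unanswered: check that traffic traverses the CAS"
    else:
        verdict = "probes answered: CAS sees the client"
    return {"probes": len(probe_times), "replies": replies,
            "interval": round(median(gaps), 1) if gaps else None,
            "verdict": verdict}

if __name__ == "__main__":
    print(analyze_discovery(SAMPLE, "10.10.10.50"))
```

Probes at roughly 5-second intervals with no replies point to the routing problem raised in the thread: the VPN traffic is reaching the inside network without hitting the CAS untrusted interface.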

New Member

Re: NAC VPN single sign on

Hi Walter Mavely,

Hopefully your issue is solved now, as your msg was posted about 1.5 years ago.

Did you already implement SSO on the desk phone? Our customers use the ALM single sign on client to connect the desktop with the IP phone. See also http://www.spectra-ts.nl/default.asp?name=solutions&page=1

If you have any questions, let me know.
