At one of our client locations they implemented a NAC appliance and configured Active Directory single sign-on, which is working fine. They also configured VPN single sign-on as per the Cisco documentation, but when VPN clients log in they can successfully log in; the thing is that the Clean Access Agent doesn't pop up, and I also can't see any VPN users in the online list (VPN users authenticate through the ACS server). If anyone can send a proper step-by-step configuration for VPN SSO in NAC, that would be great. Thanks.
-- Configuration at the ACS:
Adding the AAA clients (PIX, CAS, CAM).
-- Configure the PIX:
Adding the ACS for authentication.
Adding the CAS server for accounting.
-- Setting up the CAS to support VPN SSO:
Activation of SSO and definition of the accounting port on the CAS from the web interface (MAC).
Adding the concentrator (PIX).
Adding the ACS as a RADIUS accounting server.
Adding a mapping between the VPN concentrator and the RADIUS accounting server.
Assigning a role to VPN clients.
Did you solve the problem with the page redirection?
If so, how did you solve it?
I have the same problem after the VPN user authenticates. It seems that the NAS doesn't do a discovery and doesn't redirect to the portal.
Also, I tried installing the NAA locally and it didn't work.
I tried changing to Real IP Gateway and it works well, but I need to implement it on Virtual Gateway.
What is the VPN user experience? Is it safe to assume that the VPN user can connect to the ASA but cannot access internal resources?
Let's start by confirming the pathway is good. Add 'All Traffic' to the unauthenticated role and confirm you can now access the internal network.
Make sure the VPN traffic is somehow being directed through the CAS; it doesn't sound like it is.
Is the CAS in Virtual Gateway IB or Layer 3 IB mode? Is it more than one hop away from the VPN device?
I have exactly the same issue: the CCA Agent does not pop up, and I did follow the document properly.
I know the traffic is passing through the CAS because the only traffic passing from the VPN client to the inside network is what is indicated in the filter for that role on the CAS.
The agent only pops up when it senses the SWISS response from the CAS. That only happens when traffic hits the CAS's untrusted interface; the CAS checks against its list of known clients, and if it doesn't find that client, it asks the agent to pop up and request authentication.
If you're not seeing the pop-up, make sure the traffic is traversing the CAS. Try browsing to the IP address of the CAS itself from the client and see what response you get. Alternatively, try going to an internal resource on the HTTP/HTTPS ports and see if that gets you the redirection page. With the agent installed, the agent sends out a UDP packet every 5 seconds to the discovery host. The discovery host should be a resource on the trusted side that clients can only reach after crossing through the CAS.
Hi Walter Mavely,
Hopefully your issue is solved by now, as your message was posted about 1.5 years ago.
Did you already implement SSO on the desk phone? Our customers use the ALM single sign-on client to connect the desktop with the IP phone. See also http://www.spectra-ts.nl/default.asp?name=solutions&page=1
If you have any questions, let me know.