03-03-2010 06:50 PM - edited 02-21-2020 04:31 PM
I have a problem with VPN SSO in NAC Inband VGW. All is configured but:
- CAA requests username and password after VPN connection.
- Users don't appear in "Active Clients".
# ASA Configuration
Authentication/Authorization: ACS
Accounting: CAS
# CAS Configuration
VPN Concentrator: ASA
Accounting Server: ACS
Mapping: ASA <> ACS
In addition to the CAA requesting username and password, it keeps opening all the time after the first login.
03-04-2010 10:33 AM
Eduardo,
Sorry I couldn't get to these before. I'll look at the data and post here later.
Thanks,
Faisal
03-16-2010 06:16 PM
I have an update for this case:
- CAA requests username and password after VPN connection.
(Solved) VPN SSO is being done.
- Users don't appear in "Active Clients".
(Solved) VPN Users appear in "Active Clients". I changed ASA's IP address in CAS > VPN Auth > VPN Concentrator.
The only problem now is that the CCA opens from time to time. The interval varies according to how I change the "Agent VPN Detection Delay" in VPN Auth.
Do you have any idea what it could be?
03-17-2010 11:26 PM
Hi, Eduardo!
I had the same problem with CAA.
I fixed it by setting SwiftTimeout in the registry (HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\). This solution only works in NAC version <=4.5
In 4.7 you need to edit the NACAgentCFG.xml file.
I hope it helps you.
03-18-2010 08:12 AM
SwiftTimeout or SwissTimeout? Tell me, how should I put it there?
I realized that when the VPN user authenticates (SSO), NAC adds him to certified devices, but the "User MAC" is the physical adapter and not the VPN adapter.
03-19-2010 12:37 AM
Of course it's swisstimeout! I'm sorry!
Which NAC version do you have?
If you have 4.5.1 please read page C-3 from "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide Release 4.5(1)".
I think MAC address is OK!
I think that CCA sends all MACs from the computer, but puts only the first one in the Certified Devices List.
03-19-2010 01:55 PM
No problem.... I have NAC 4.7.2.
I tried to add swisstimeout in the CCA xml, but it did not work.
04-08-2010 03:09 PM
Solved! As requested by the TAC engineers, the VPN Pool on "Managed Networks" was removed.