Cisco Support Community

New Member

Problem With VPN SSO - NAC Inband VGW

I have a problem with VPN SSO in NAC Inband VGW. All is configured but:

- CAA requests username and password after VPN connection.

- Users don't appear in "Active Clients".

# ASA Configuration

Authentication/Authorization: ACS

Accounting: CAS

# CAS Configuration

VPN Concentrator: ASA

Accounting Server: ACS

Mapping: ASA <> ACS

In addition to the CAA requesting username and password, it keeps opening all the time after the first login.

7 REPLIES

Re: Problem With VPN SSO - NAC Inband VGW

Eduardo,

Sorry I couldn't get to these before. I'll look at the data and post here later.

Thanks,

Faisal

New Member

Re: Problem With VPN SSO - NAC Inband VGW

I have an update for this case:

- CAA requests username and password after VPN connection.

(Solved) VPN SSO is being done.

- Users don't appear in "Active Clients".

(Solved) VPN users appear in "Active Clients". I changed the ASA's IP address in CAS > VPN Auth > VPN Concentrator.

The only problem now is that the CCA opens from time to time. This interval of time varies according to how I change the "Agent VPN Detection Delay" in VPN Auth.

Do you have any idea what it could be?

New Member

Re: Problem With VPN SSO - NAC Inband VGW

Hi, Eduardo!

I had the same problem with CAA.

I fixed it by setting SwiftTimeout in the registry (HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\). This solution only works in NAC versions <= 4.5.

In 4.7 you need to edit the NACAgentCFG.xml file.

I hope it helps you.

New Member

Re: Problem With VPN SSO - NAC Inband VGW

SwiftTimeout or SwissTimeout? Tell me, how should I put it there?

I realized that when the VPN user authenticates (SSO), NAC adds him to Certified Devices, but "User MAC" is the physical adapter and not the VPN adapter.

New Member

Re: Problem With VPN SSO - NAC Inband VGW

Of course it's swisstimeout! I'm sorry!

Which NAC version do you have?

If you have 4.5.1 please read page C-3 from "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide Release 4.5(1)".

I think the MAC address is OK!

I think that CCA sends all MACs from the computer, but puts only the first one in the Certified Devices List.

New Member

Re: Problem With VPN SSO - NAC Inband VGW

No problem... I have NAC 4.7.2.

I tried to add swisstimeout in the CCA xml, but it did not work.

New Member

Re: Problem With VPN SSO - NAC Inband VGW

Solved! As requested by the TAC engineers, the VPN Pool was removed from "Managed Networks."
