https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002835#M169174 <P>Dilema </P><P></P><P>Customer has 4 5508 wireless lan controllers being serviced by 3 NAC Servers</P><P></P><P>WLC configuration will allow me to put in all 3 NAC Servers in the radius accounting field for VPN-SSO functionality.</P><P>Radius acct updates allow sso through the CAS … BUT the wlc will only notify the first nac server in the list as radius acct entry 2 and 3 will only be forwarded if Acct packets timeout to the first. </P><P></P><P>Now VPN-SSO will only work if the client uses the first nac server and the other 2 are now manual auth only. </P><P></P><P></P><P>What is the solution folks </P> Mon, 11 Mar 2019 02:15:05 GMT ROBERT WATSON 2019-03-11T02:15:05Z https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002835#M169174 <P>Dilema </P><P></P><P>Customer has 4 5508 wireless lan controllers being serviced by 3 NAC Servers</P><P></P><P>WLC configuration will allow me to put in all 3 NAC Servers in the radius accounting field for VPN-SSO functionality.</P><P>Radius acct updates allow sso through the CAS … BUT the wlc will only notify the first nac server in the list as radius acct entry 2 and 3 will only be forwarded if Acct packets timeout to the first. </P><P></P><P>Now VPN-SSO will only work if the client uses the first nac server and the other 2 are now manual auth only. </P><P></P><P></P><P>What is the solution folks </P> Mon, 11 Mar 2019 02:15:05 GMT https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002835#M169174 ROBERT WATSON 2019-03-11T02:15:05Z https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002836#M169184 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Are you using virtual gateway? I am trying to understand how you could have 3 CAS server on the same L2 segment (same SSID) without introducing a spanning tree loop. Typically you would run a CAS pair in HA and point the accounting server to the trusted interface VIP to handle HA, as far as 3 different servers, if they are on seperate vlans, then you will have seperate SSIDs which you can assign each SSID its own primary accounting server which the clients agent traffic will be switched to.</P><P></P><P>Thanks,</P><P>Tarik Admani</P></BODY></HTML> Wed, 27 Jun 2012 22:27:54 GMT https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002836#M169184 Tarik Admani 2012-06-27T22:27:54Z https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002837#M169197 <HTML><HEAD></HEAD><BODY><P> There are 3 seperate Wlan's each mapped to a CAS.&nbsp; Will re-order per wlan tomorrow thanks for the tip</P></BODY></HTML> Wed, 27 Jun 2012 23:10:50 GMT https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002837#M169197 ROBERT WATSON 2012-06-27T23:10:50Z https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002838#M169248 <HTML><HEAD></HEAD><BODY><P>Not a problem, I hope that helps!</P></BODY></HTML> Wed, 27 Jun 2012 23:24:15 GMT https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002838#M169248 Tarik Admani 2012-06-27T23:24:15Z https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002839#M169301 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Let me know if that helped. </P><P></P><P>Thanks</P></BODY></HTML> Sun, 01 Jul 2012 03:36:58 GMT https://community.cisco.com/t5/network-access-control/nac-wireless-oob-using-vpn-sso-not-working/m-p/2002839#M169301 Tarik Admani 2012-07-01T03:36:58Z