<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NAC VPN SSO Help in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775694#M310158</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That works. Thank you!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Sun, 13 Nov 2011 01:45:44 GMT</pubDate>
    <dc:creator>t805986</dc:creator>
    <dc:date>2011-11-13T01:45:44Z</dc:date>
    <item>
      <title>NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775692#M310126</link>
      <description>&lt;P&gt;I have recently inherited the administration of a NAC solution that is in need of a tune-up (currently running 4.1.8!!). The biggest complaint I get from users is that VPN SSO does not work and that users must open a web browser to authenticate to NAC once their SSL VPN has been established. I'm quite familiar with how to configure VPN SSO and I'm ready to do so; however, I can't find the answer to one specific question I have. Can you enable VPN SSO for select types of users only? We have a combination of both employees (who have the agent) and contractors (who don't have the agent). I only want VPN SSO to work for employees, and I want contractors to have to open a web browser to authenticate. Is this possible, and if so, how? I have found that if you don't have the agent and VPN SSO is enabled, the login is very awkward. You open a browser, you get redirected to NAC, and then you get logged in once Java or ActiveX runs without having to provide your credentials, and then you don't get redirected back to your original HTTP request.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 01:32:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775692#M310126</guid>
      <dc:creator>t805986</dc:creator>
      <dc:date>2019-03-11T01:32:57Z</dc:date>
    </item>
    <item>
      <title>NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775693#M310137</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For your employees you can use the class attribute to map them to a user role within NAC under the Cisco VPN auth provider mapping criteria. You can also map the contractors' class attribute to the unauthenticated role, so when they pull up their browser they will see the authentication page. Once they authenticate, in their user role you can select the redirection page.&lt;/P&gt;&lt;P&gt;Hope this helps.&lt;/P&gt;&lt;P&gt;Tarik Admani&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 12 Nov 2011 04:27:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775693#M310137</guid>
      <dc:creator>Tarik Admani</dc:creator>
      <dc:date>2011-11-12T04:27:42Z</dc:date>
    </item>
    <item>
      <title>NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775694#M310158</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;That works. Thank you!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 13 Nov 2011 01:45:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775694#M310158</guid>
      <dc:creator>t805986</dc:creator>
      <dc:date>2011-11-13T01:45:44Z</dc:date>
    </item>
    <item>
      <title>NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775695#M310194</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What does the class attribute correspond to with VPN SSO that is matched against? (E.g., the VPN group name, etc.?)&lt;/P&gt;&lt;P&gt;I would like to do something similar with VPN SSO, but map users to roles based on their VPN pool IP address. How would this be accomplished?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 17 Nov 2011 01:04:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775695#M310194</guid>
      <dc:creator>dgoodenberger</dc:creator>
      <dc:date>2011-11-17T01:04:49Z</dc:date>
    </item>
    <item>
      <title>Re: NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775696#M310217</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You really have two options. My VPN SSO mapping rules match RADIUS attribute 25, which is the name of the VPN group policy the user belongs to. When the ASA sends the accounting message to the NAC to indicate a new user has logged in, it includes RADIUS attribute 25.&lt;/P&gt;&lt;P&gt;The other option is to just match based on "Framed IP Address". Either one should work.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 17 Nov 2011 14:03:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775696#M310217</guid>
      <dc:creator>t805986</dc:creator>
      <dc:date>2011-11-17T14:03:11Z</dc:date>
    </item>
    <item>
      <title>Re: NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775697#M310251</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks for the reply. I tried attribute 25, but it wasn't working. When I enabled "debug radius decode" on the ASA (v 8.2.4) I can see that this attribute is not in the RADIUS accounting packet sent to the CAS (v 4.8.2).&lt;/P&gt;&lt;P&gt;I'm working with "Framed IP Address" (attribute 8), which is being sent, but the matching is not very elegant for what I want to do. Since I cannot match using CIDR or a range, it seems I have to write multiple mapping rules and use e.g., "starts with" matching.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 17 Nov 2011 21:01:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775697#M310251</guid>
      <dc:creator>dgoodenberger</dc:creator>
      <dc:date>2011-11-17T21:01:14Z</dc:date>
    </item>
    <item>
      <title>Re: NAC VPN SSO Help</title>
      <link>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775698#M310297</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Ended up with the following matching based on Framed IP Address, which mostly does what I want:&lt;/P&gt;&lt;P&gt;(0,8 contains 192.168.47) maps to Role1&lt;/P&gt;&lt;P&gt;(NOT (0,8 contains 192.168.47)) maps to Role2&lt;/P&gt;&lt;P&gt;The second expression was key, since I have a fairly large range of VPN pool IPs for that Role, and the negation saved me from having to write a bunch of rules for different segments of the IP ranges.&lt;/P&gt;&lt;P&gt;The only downside was that the pool I was going to use for Role1 was smaller than a /24, but I didn't see a way to easily match that, so I just increased the pool size to facilitate matching.&lt;/P&gt;&lt;P&gt;Enhancement request for Cisco: please add more flexible matching, e.g., regex, to NAC role mapping!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 17 Nov 2011 22:01:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/nac-vpn-sso-help/m-p/1775698#M310297</guid>
      <dc:creator>dgoodenberger</dc:creator>
      <dc:date>2011-11-17T22:01:50Z</dc:date>
    </item>
  </channel>
</rss>