08-11-2011 09:57 AM - edited 03-10-2019 06:18 PM
NAC VPN SSO version 4.8.2.
Using a Mac OS X 10.6 Snow Leopard system with the Cisco 4.9.01.0280 IPSEC VPN client, I am able to VPN in with Single Sign-On (SSO) and successfully complete a NAC posture assessment.
However, if I use the same system, and switch to the built-in Cisco IPSEC VPN functionality in Mac OS X, the VPN connection is successful, but the SSO piece appears to fail as the NAC agent prompts the user for authentication.
It seems strange that it would work with the separate Cisco client and not the built-in IPSEC, since it is actually the VPN ASA that passes the RADIUS accounting packet to the CAS for the SSO, and it isn't clear to me why the VPN client would even be involved or affect this. Is there some kind of hook in the Cisco VPN client that is involved in SSO?
Has anyone else tried using the built-in IPSEC functionality in Mac OS X with NAC? If so, what were your experiences?
The reason this is important is that Mac OS X 10.7 Lion boots to a 64-bit kernel by default. The Cisco IPSEC client does not support 64-bit, nor do there appear to be any plans to support it. The built-in IPSEC does support 64-bit. We're not yet ready to roll out the AnyConnect client, so I really need to find a solution for 64-bit IPSEC connectivity with NAC. Thanks for any feedback that anyone can offer.
09-06-2011 01:31 PM
Official response from TAC: NAC VPN SSO not supported with built-in IPSEC on Mac OS X.
11-17-2011 02:09 PM
2 updates:
1. According to TAC, this is officially supported with NAC 4.9.
2. It actually does work with NAC 4.8; my problem was on the VPN ASA. The default VPN group policy on the ASA had the CAS designated as the RADIUS accounting server. However, when I created a new policy for testing the Mac OS X built-in IPSEC, it did not inherit the value, and thus was not sending the accounting packet to the CAS. Once I found and fixed this, NAC with built-in IPSEC started working.