ADSSO not starting due to ADSSO

talha_490
Level 1

We have a core switch with an FWSM. All the users' default gateway is the FWSM.

There is an access switch where the user is connected. The mode of deployment for NAC is L2 OOB VGW. The switch is added to the NAC. ADSSO is configured on the NAC and the service is started. As soon as I restart the PC, it is not able to contact the DC, while all the ports are opened to the DC. No agent popup appears. It does not show any keys in Kerbtray.

The sequence is:

Since the client username and password have been cached locally, it is able to log on.

The client gets an IP address from DHCP and it is in the authentication VLAN, which is 110. Now there is no agent coming up unless I do the below.

When I do arp -a in cmd, it shows me an invalid MAC address for the default GW. Now if I add a static MAC address on the client PC, the popup immediately occurs. Or if I do a ping from the FWSM, which is the default GW, then the popup immediately occurs.

I captured the packets with Ethereal and noticed that the client is sending ARP requests but it is not receiving any reply. The capture is also attached. Note that 192.168.3.1 is the gateway and 192.168.3.3 is the client.

FWSM version is 3.1(4) working in FO.

What do you suggest?
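The symptom above (who-has requests for the gateway leaving the client, no is-at reply coming back, and an all-zero MAC in arp -a) is easy to confirm programmatically rather than by eyeballing the capture. The following is an added example, not part of the original post or of any Cisco tool: a standard-library Python script that reads a classic libpcap file (Ethernet link type), counts ARP requests for a given gateway IP and the replies that claim it, and flags the unanswered case. The MAC addresses and the two embedded captures are constructed for the example; only the IPs 192.168.3.1 and 192.168.3.3 come from the thread. Feed `arp_resolution_report` the bytes of your own capture to run it against real data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"          # classic pcap written on a little-endian host
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def mac_str(b):
    return "-".join(f"{x:02x}" for x in b)   # same notation Windows arp -a prints


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def mac_bytes(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Ethernet + ARP frame. Requests go to broadcast, replies unicast to the asker."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else tha
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap image (link type 1 = Ethernet)."""
    out = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield raw link-layer frames from an in-memory classic pcap image."""
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants unsupported)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"link type {linktype} is not Ethernet")
    rec = struct.Struct(end + "IIII")            # ts_sec, ts_usec, incl_len, orig_len
    off = 24
    while off + rec.size <= len(data):
        _, _, incl_len, _ = rec.unpack_from(data, off)
        off += rec.size
        yield data[off:off + incl_len]
        off += incl_len


def parse_arp(frame):
    """Return (oper, sha, spa, tha, tpa) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha, spa, tha, tpa


def arp_resolution_report(pcap_bytes, gateway_ip):
    """Count who-has requests for gateway_ip and is-at replies claiming it.
    Requests with zero replies is the 'incomplete' entry Windows shows as 00-00-00-00-00-00."""
    requests, replies = 0, []
    for frame in read_pcap(pcap_bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sha, spa, _tha, tpa = parsed
        if oper == ARP_REQUEST and ip_str(tpa) == gateway_ip:
            requests += 1
        elif oper == ARP_REPLY and ip_str(spa) == gateway_ip:
            replies.append(mac_str(sha))
    return {"requests": requests, "replies": len(replies),
            "gateway_macs": sorted(set(replies)),
            "unanswered": requests > 0 and not replies}


# Constructed sample using the thread's addresses; both MACs are made up.
CLIENT_MAC, CLIENT_IP = mac_bytes("00-0c-29-aa-bb-cc"), ip_bytes("192.168.3.3")
GW_MAC, GW_IP = mac_bytes("00-1a-2b-3c-4d-5e"), ip_bytes("192.168.3.1")
ZERO_MAC = b"\x00" * 6

# Case 1: three who-has requests, nothing comes back (the symptom in the thread).
PCAP_NO_REPLY = build_pcap(
    [build_arp_frame(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, ZERO_MAC, GW_IP) for _ in range(3)])

# Case 2: one request answered by the gateway (what a working VGW path looks like).
PCAP_WITH_REPLY = build_pcap([
    build_arp_frame(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, ZERO_MAC, GW_IP),
    build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, CLIENT_MAC, CLIENT_IP)])

if __name__ == "__main__":
    print(arp_resolution_report(PCAP_NO_REPLY, "192.168.3.1"))
    print(arp_resolution_report(PCAP_WITH_REPLY, "192.168.3.1"))
```

An `unanswered` result tells you the broadcast is not being bridged back through the CAS (VLAN mapping or managed-subnet problem on the VGW path) rather than a client-side or Kerberos problem, which is why the popup appears the moment a static entry or a ping from the FWSM populates the ARP cache.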


5 Replies

Faisal Sehbai
Level 7

Talha,

Do you have the VLAN mapping configured from VLAN 110 to whatever your access VLAN is?

For testing, can you allow all IP in your unauthenticated roles to your DCs and then see if you can access anything after logging in to the machine?

Thanks,

Faisal

Dear Faisal,

Thanks for your reply. First of all, VLAN mapping is configured. VLAN 110 is mapped to VLAN 14, and all the ports are opened to the DC.

As I said, if I add a static ARP entry, I cannot log on through the local database nor through ADSSO. If you look at the support logs in the previous e-mail, it shows me an invalid ARP entry of 00-00-00-00-00-00 for the default GW.

Talha,

I suspect there's something wrong with the config, but would be very tricky to get resolved with the to-and-fro in the forums.

If you're not able to resolve your default gateway's ARP, either the mappings aren't working, or you might have the "Enable subnet-based VLAN retag" option on. If both of these things are set and it still doesn't work, I would like to look at the setup live, so please open a TAC case and let's have a TAC engineer peer over your settings.

HTH,

Faisal

Thanks fasehbai,

I had the "Enable subnet-based VLAN retag" option on.

Regards

Talha

I agree with fasehbai: you're trying to do too much in one go. Leave the AD SSO issue aside for now and troubleshoot the CAS VGW. Check the settings for Managed Subnets and VLAN Mapping.