CCA with ASA VPN Support

Jason Bomar
Level 4

Hello -

I have been working on a lab set up that I would like to be able to show to potential customers for NAC Appliance (or CCA). I had no problems when using NAC in L3 OOB as might be deployed in a routed LAN type of setting, but I am having a horrible time getting it to work L3-IB with VPN/SSO even though I am trying my best to go by the documentation:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

I find a few very confusing things about this document, and am suspecting that is where my trouble lies:

1) There is no mention of the RADIUS set up on this document other than to say "set it up". So I am wondering...

a) What version of ACS do I need? (3.3 currently).

b) Which RADIUS Service (IOS? IETF?)

c) What is the IP of the RADIUS server in that document? I see two addresses: 172.18.124.101 and 172.18.85.181. To make matters worse, there are discrepancies in the config of the ASA in that document which conflict with the screen shots.

Any help anyone can provide would be great.

Thanks,

Jason Bomar, CCIE #9316

3 Replies

pcomeaux
Cisco Employee

Hi James -

Thanks for configuring NAC Appliance. We definitely want for you to be successful.

Let's see if I can help.

1a - 3.3 should work

1b - CAM will be added as IETF radius type for user authentication

1b - CAS will be added as IETF radius type for radius accounting

1c - Wherever you see the multiple addresses for ACS, just use the one ACS server address that you have

Let us know how these changes help.

peter

Just so I understand, because this differs from the document I linked a fair amount ... the ASA (Concentrator) should AAA Auth to the CAM (which will pass it through to the ACS 3.3 as IETF) and should AAA Account to the CAS (which will pass it through to the ACS as IETF, which will use it to SSO to the network) ... is that right? So the ASA does not need to point to the ACS directly?

Still does not seem to be working, here are some snippets to show what I am doing...

ASA (Concentrator - 192.168.70.51):

    ! authentication group -> CAM
    ! the "protocol radius" line is required before the host line
    aaa-server authgroup protocol radius
    aaa-server authgroup host 192.168.69.50
     authentication-port 1812
    ! accounting group -> CAS
    aaa-server CAS_Accounting protocol radius
    aaa-server CAS_Accounting host 192.168.70.50
     authentication-port 1812
     accounting-port 1813
    ! per-host "key <shared-secret>" lines not shown here
    tunnel-group vpngroup general-attributes
     authentication-server-group authgroup
     accounting-server-group CAS_Accounting

RADIUS Auth set up (CAM 192.168.69.50):

    Server Name: 192.168.70.21 (ACS 3.3)
    Server Port: 1812
    NAS-Identifier: 192.168.69.50 (CAM)
    RADIUS Type: PAP

RADIUS Acct set up (CAS 192.168.70.50):

    VPN Concentrator: 192.168.70.51 (ASA-Inside)
    RADIUS Accounting Server: 192.168.70.50 (CAS)
    RADIUS Accounting Port: 1813
    Accounting Mapping: ASA-Inside to CAS port 1813

Does this sound right? When I try to connect, my VPN does not authenticate. Prior to this, I had the ASA configured to talk directly to the ACS as a RADIUS authentication server (the CAS was always the Accounting Server).
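The two RADIUS exchanges the replies describe, as an added example that is not part of this thread or of any Cisco product code: the PAP Access-Request the CAM relays toward ACS, and the Accounting-Start the ASA sends to the CAS, which is the message the CAS mines for the user-to-Framed-IP-Address mapping that makes VPN SSO work. The addresses reuse the ones posted above; the user name, password, session ID and shared secret are constructed. The point a practitioner wants when "the VPN does not authenticate" with no useful error is that a shared-secret mismatch is invisible on the wire: RFC 2866 requires an Accounting-Request whose Request Authenticator does not verify to be silently discarded, which the `sso_mapping` helper below models by returning `None`. The same secret also lets anyone holding it recover PAP passwords on the CAM-to-ACS leg (`recover_pap_password`), so that secret deserves the same care as a password.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866)
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4

# Attribute types used here
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def _attr(atype, value):
    """Encode one attribute as Type, Length, Value (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _pap_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2 User-Password hiding: every 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block chains on the
    Request Authenticator. One loop serves both directions."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += block
        prev = chunk if decrypt else block  # always chain on the ciphertext
    return out


def pap_encrypt(password, secret, authenticator):
    pw = password.encode()
    pad = 16 if not pw else (-len(pw)) % 16  # pad with NULs to a 16-byte multiple
    return _pap_blocks(pw + b"\x00" * pad, secret, authenticator, decrypt=False)


def pap_decrypt(hidden, secret, authenticator):
    return _pap_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """PAP Access-Request as the CAM sends it toward ACS. The Request
    Authenticator must be fresh random bytes (RFC 2865 section 3)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def build_accounting_start(ident, secret, username, nas_ip, framed_ip, session_id):
    """Accounting-Request (Start) as the ASA sends it to the CAS. Here the
    authenticator is MD5(Code+ID+Length + 16 zero octets + attributes + secret)."""
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
             + _attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + _attr(ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse(packet):
    """Split a RADIUS packet into (code, ident, authenticator, {type: [values]})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_accounting_request(packet, secret):
    """True only when the Request Authenticator was computed with `secret`."""
    code, _, authenticator, _ = parse(packet)
    if code != ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def sso_mapping(packet, secret):
    """What the CAS learns from an Acct-Start: (user, VPN client IP).
    None means the packet would be silently discarded (wrong secret) or is not a Start."""
    if not verify_accounting_request(packet, secret):
        return None
    _, _, _, attrs = parse(packet)
    status = struct.unpack("!I", attrs.get(ACCT_STATUS_TYPE, [b"\0\0\0\0"])[0])[0]
    if status != ACCT_STATUS_START or USER_NAME not in attrs or FRAMED_IP_ADDRESS not in attrs:
        return None
    return attrs[USER_NAME][0].decode(), socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS][0])


def recover_pap_password(packet, secret):
    """Anyone holding the shared secret can unhide a PAP User-Password."""
    code, _, authenticator, attrs = parse(packet)
    if code != ACCESS_REQUEST or USER_PASSWORD not in attrs:
        return None
    return pap_decrypt(attrs[USER_PASSWORD][0], secret, authenticator)


if __name__ == "__main__":
    SECRET = b"lab-secret"  # constructed; must match on both ends of each leg
    acct = build_accounting_start(7, SECRET, "vpnuser", "192.168.70.51", "10.10.10.5", "0A1B2C3D")
    print("CAS sees:", sso_mapping(acct, SECRET))         # ('vpnuser', '10.10.10.5')
    print("wrong secret:", sso_mapping(acct, b"other"))   # None: packet silently dropped
    auth = build_access_request(1, SECRET, "vpnuser", "S3cret!", "192.168.69.50")
    print("PAP password with the secret:", recover_pap_password(auth, SECRET))  # b'S3cret!'
```

Feed a captured Accounting-Start from the ASA (the raw UDP payload) to `verify_accounting_request` with the secret configured on the CAS: a `False` tells you the two sides disagree on the secret before you spend time on the CAM, CAS or ACS GUIs, which is the one configuration element none of those screens shows you.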
