I have been working on a lab set up that I would like to be able to show to potential customers for NAC Appliance (or CCA). I had no problems when using NAC in L3 OOB as might be deployed in a routed LAN type of setting, but I am having a horrible time getting it to work L3-IB with VPN/SSO even though I am trying my best to go by the documentation:
I find a few very confusing things about this document, and am suspecting that is where my trouble lies:
1) There is no mention of the RADIUS set up on this document other than to say "set it up". So I am wondering...
a) What version of ACS do I need? (3.3 currently).
b) Which RADIUS Service (IOS? IETF?)
c) What is the IP of the RADIUS server in that document? I see two addresses: 172.18.124.101 and 172.18.85.181. To make matters worse, there are discrepancies in the config of the ASA in that document which conflict with the screen shots.
Any help anyone can provide would be great.
Jason Bomar, CCIE #9316
Hi James -
Thanks for configuring NAC Appliance. We definitely want for you to be successful.
Let's see if I can help.
1a - 3.3 should work
1b - CAM will be added as IETF radius type for user authentication
1b - CAS will be added as IETF radius type for radius accouting
1c - Wherever you see the multiple addresses for ACS, just use the one ACS server address that you have
Let us know how these changes help.
Just so I understand, because this differs from the document I linked a fair amount ... the ASA (Concentrator) should AAA Auth to the CAM (which will pass it through to the ACS 3.3 as IETF) and should AAA Account to the CAS (which will pass it through to the ACS as IETF which will use it to SSO to the network) ... is that right? So the ASA does not require to point to the ACS directly?
Still does not seem to be working, here are some snippets to show what I am doing...
ASA (Concentrator - 192.168.70.51)
aaa-server authgroup host 192.168.69.50 (CAM)
aaa-server CAS_Accounting protocol radius
aaa-server CAS_Accounting host 192.168.70.50 (CAS)
tunnel-group vpngroup general-attributes
RADIUS Auth set up (CAM 192.168.69.50)
Server Name: 192.168.70.21 (ACS 3.3)
Server Port: 1812
NAS-Identifier: 192.168.69.50 (CAM)
RADIUS Type: PAP
RADIUS Acct set up (CAS 192.168.70.50)
VPN Concentrator: 192.168.70.51 (ASA-Inside)
RADIUS Accounting Server: 192.168.70.50 (CAS)
RADIUS Accounting Port: 1813
Accounting Mapping: ASA-Inside to CAS port 1813
Does this sound right? When I try and connect, my VPN does not authenticate. Prior to this, I was configured to have the ASA talk directly to the ACS as a RADIUS authentication server (CAS was always the Accounting Server).