Beginner

Problem With VPN SSO - NAC Inband VGW

I have a problem with VPN SSO in NAC Inband VGW. Everything is configured, but:

- CAA requests username and password after VPN connection.

- Users don't appear in "Active Clients".

# ASA Configuration

Authentication/Authorization: ACS

Accounting: CAS

# CAS Configuration

VPN Concentrator: ASA

Accounting Server: ACS

Mapping: ASA <> ACS

In addition to the CAA requesting username and password, it keeps opening all the time after the first login.

Rising star

Re: Problem With VPN SSO - NAC Inband VGW

Eduardo,

Sorry I couldn't get to these before. I'll look at the data and post here later.

Thanks,

Faisal

Beginner

Re: Problem With VPN SSO - NAC Inband VGW

I have an update for this case:

- CAA requests username and password after VPN connection.

(Solved) VPN SSO is being done.

- Users don't appear in "Active Clients".

(Solved) VPN Users appear in "Active Clients". I changed ASA's IP address in CAS > VPN Auth > VPN Concentrator.

The only problem now is that the CCA opens from time to time. This interval of time varies according to how I change the "Agent VPN Detection Delay" in VPN Auth.

Do you have any idea what it could be?

Beginner

Re: Problem With VPN SSO - NAC Inband VGW

Hi, Eduardo!

I had the same problem with CAA.

I fixed it by setting SwiftTimeout in the registry (HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\). This solution only works in NAC version <=4.5.

In 4.7 you need to edit the NACAgentCFG.xml file.

I hope it helps you.

Beginner

Re: Problem With VPN SSO - NAC Inband VGW

SwiftTimeout or SwissTimeout? Tell me, how should I put it there?

I realized that when the VPN user authenticates (SSO), NAC adds him to certified devices, but "User MAC" is the physical adapter and not the VPN adapter.

Beginner

Re: Problem With VPN SSO - NAC Inband VGW

Of course it's swisstimeout! I'm sorry!

Which NAC version do you have?

If you have 4.5.1 please read page C-3 from "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide Release 4.5(1)".

I think MAC address is OK!

I think that CCA sends all MACs from the computer, but puts only the first one in the Certified Devices List.

Beginner

Re: Problem With VPN SSO - NAC Inband VGW

No problem.... I have NAC 4.7.2.

I tried to add swisstimeout in the CCA xml, but it did not work.

Beginner

Re: Problem With VPN SSO - NAC Inband VGW

Solved! As requested by the TAC engineers, the VPN Pool was removed from "Managed Networks."
