03-03-2010 06:50 PM - edited 02-21-2020 04:31 PM
I have a problem with VPN SSO in NAC Inband VGW. All is configured but:
- CAA requests username and password after VPN connection.
- Users don't appear in "Active Clients".
# ASA Configuration
Authentication/Authorization: ACS
Accounting: CAS
# CAS Configuration
VPN Concentrator: ASA
Accounting Server: ACS
Mapping: ASA <> ACS
In addition to the CAA requesting username and password, it keeps opening all the time after the first login.
03-04-2010 10:33 AM
Eduardo,
Sorry I couldn't get to these before. I'll look at the data and post here later.
Thanks,
Faisal
03-16-2010 06:16 PM
I have an update for this case:
- CAA requests username and password after VPN connection.
(Solved) VPN SSO is being done.
- Users don't appear in "Active Clients".
(Solved) VPN users appear in "Active Clients". I changed the ASA's IP address in CAS > VPN Auth > VPN Concentrator.
The only problem now is that the CCA opens from time to time. The interval varies according to how I change the "Agent VPN Detection Delay" in VPN Auth.
Do you have any idea what it could be?
03-17-2010 11:26 PM
Hi, Eduardo!
I had the same problem with CAA.
I fixed it by setting SwiftTimeout in the registry (HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\). This solution only works in NAC version <=4.5.
In 4.7 you need to edit the NACAgentCFG.xml file.
I hope it helps you.
03-18-2010 08:12 AM
SwiftTimeout or SwissTimeout? Tell me, what should I put there?
I realized that when the VPN user authenticates (SSO), NAC adds him to certified devices, but "User MAC" is the physical adapter and not the VPN adapter.
03-19-2010 12:37 AM
Of course it's swisstimeout! I'm sorry!
Which NAC version do you have?
If you have 4.5.1 please read page C-3 from "Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide Release 4.5(1)".
I think MAC address is OK!
I think that CCA sends all MACs from the computer, but puts only the first one in the Certified Devices List.
03-19-2010 01:55 PM
No problem... I have NAC 4.7.2.
I tried to add swisstimeout in the CCA xml, but it did not work.
04-08-2010 03:09 PM
Solved! As requested by the TAC engineers, the VPN pool was removed from "Managed Networks."