01-26-2010 06:26 PM - edited 02-21-2020 04:28 PM
Hi,
I have implemented a NAC solution for Remote Users. The CAS appliance is configured in in-band virtual gateway mode.
I have followed all the steps listed in http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Remote users can log in successfully using Cisco VPN software and they can ping the NAS but not the DNS (the ASA offers the IP address but not the DNS, I don't know why).
When I access the NAS, I can download the NAC Agent but VPN SSO is not performed and the Agent asks me to log in using LOCAL DB.
Any help please,
Regards,
01-27-2010 09:02 AM
Hi,
Post your network diagram and sh runn from your ASA. You can hide the passwords and keys in there.
Thanks,
Faisal
01-27-2010 10:50 PM
02-06-2010 09:50 PM
Hello,
You don't identify the IP addresses of the devices in the picture so I'm going here based on certain assumptions. If these are wrong, then obviously so would be my diagnosis. Is 10.10.40.10 your ACS server? If so, you only have that defined in the ASA and are not sending the accounting packets to your CAS, which is where you have to send your accounting packets from the ASA to get the VPN SSO working.
If this isn't your ACS, please identify what the device's IP addresses are in the diagram.
HTH,
Faisal
02-06-2010 11:17 PM
Hello,
Thank you for your reply,
Yes, the IP address of the ACS Server is 10.10.40.10.
And I think that the ASA is configured to send accounting packets to the ACS. See below:
aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key nac
 radius-common-pw nac
!
...
!
tunnel-group REMOTE_USER type ipsec-ra
tunnel-group REMOTE_USER general-attributes
 address-pool REMOTE_POOL
 authentication-server-group AAA_SRV
 accounting-server-group ACS_ACCOUNTING
!
!
!
...
Is there anything missing?
Regards,
Lamine
02-07-2010 12:56 PM
Lamine,
For VPN SSO to work, you have to send the accounting packet to the CAS. The CAS can in turn send that to the ACS if you require accounting also be done on the ACS, but for SSO to work, the accounting has to hit the CAS.
HTH,
Faisal
02-08-2010 02:47 AM
Hi,
I know it, but how to do it? Should I change the IP address of the Accounting SRV in the ASA config?
Regards,
Lamine
02-08-2010 02:40 PM
Lamine,
Yep. Change that on the ASA, either through the CLI or use this link to do it using ASDM: http://bit.ly/b12WFf
HTH,
Faisal
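An added example, not part of the thread and not Cisco tooling: a Python check that reads an ASA configuration and reports tunnel groups whose accounting-server-group does not contain the CAS, which is the condition identified above as breaking VPN SSO. The CAS address 192.0.2.10, the CAS_ACCOUNTING and REMOTE_FIXED names, and the function name audit_vpn_sso are assumptions; the thread never gives the CAS IP.

```python
import re

# Constructed sample: trimmed from the config posted in the thread, plus a
# hypothetical CAS_ACCOUNTING group and REMOTE_FIXED tunnel group.
# 192.0.2.10 is a placeholder for the CAS address (not given in the thread).
SAMPLE_CONFIG = """\
aaa-server ACS_ACCOUNTING protocol radius
aaa-server ACS_ACCOUNTING host 10.10.40.10
 key *****
aaa-server CAS_ACCOUNTING protocol radius
aaa-server CAS_ACCOUNTING host 192.0.2.10
 key *****
tunnel-group REMOTE_USER general-attributes
 authentication-server-group AAA_SRV
 accounting-server-group ACS_ACCOUNTING
tunnel-group REMOTE_FIXED general-attributes
 accounting-server-group CAS_ACCOUNTING
"""

HOST_RE = re.compile(r"^aaa-server (\S+) (?:\(\S+\) )?host (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes")
ACCT_RE = re.compile(r"^\s+accounting-server-group (\S+)")


def audit_vpn_sso(config, cas_ip):
    """Return {tunnel_group: reason} for tunnel groups whose RADIUS
    accounting would not reach the CAS at cas_ip."""
    hosts = {}      # server group name -> set of host addresses
    acct = {}       # tunnel group name -> accounting server group or None
    current = None  # tunnel group whose sub-mode we are inside
    for line in config.splitlines():
        if m := HOST_RE.match(line):
            hosts.setdefault(m.group(1), set()).add(m.group(2))
        if not line.startswith(" "):  # a top-level line ends any sub-mode
            m = TG_RE.match(line)
            current = m.group(1) if m else None
            if current:
                acct.setdefault(current, None)
        elif current and (m := ACCT_RE.match(line)):
            acct[current] = m.group(1)
    findings = {}
    for tg, group in acct.items():
        targets = sorted(hosts.get(group, ()))
        if group is None:
            findings[tg] = "no accounting-server-group configured"
        elif cas_ip not in targets:
            findings[tg] = f"{group} sends accounting to {targets}, not the CAS"
    return findings
```

Run against the sample, it flags REMOTE_USER (accounting goes to 10.10.40.10, the ACS) and passes REMOTE_FIXED.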