Clean Access SSO

Dear all,
Is there any way to apply Single Sign-On to Clean Access without logging in to Active Directory? In other words, could we generate the Kerberos ticket for the CAS without logging in to Microsoft Active Directory?
Is there any intention to implement SSO on LDAP?
I appreciate your kind support.

Any updates??

Similar Messages

  • Smartcard authentication for Clean Access SSO

    Is anyone doing smartcard authentication into Clean Access via SSO? I have an issue where the UPN is not the username and the domain suffix is different from the AD domain, so the agent is appending @domain.com to the $user$ variable and so it is failing to authenticate.

    Did you run KTPASS correctly?
    I had the same problem (a very undocumented 'feature', I would say): the KTPASS command must be run slightly differently when running against a DC versus running it against an AD Domain.
    For Domain Authentication:
    ktpass.exe -princ cleanaccess/domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
    For AD Server Authentication:
    ktpass.exe -princ cleanaccess/SERVERNAME.domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
    NOTE: SERVERNAME needs to be exactly as indicated under My Computer > Properties (i.e., correct UPPERCASE and lowercase letters in the right places).
    Another thing to look out for is the cleanaccess AD account you have created: make sure that the display name matches the account name, and do not specify anything for the Firstname and Lastname fields. This seems to break things and causes the authentication to fail for some reason.
    Oh, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too when you run KTPASS.EXE again.
    Another thing: try using ADSSO without the lookup account configured to see that the machine authenticates first, then add the Lookup Account; maybe the problem lies there.
    Hope this helps.
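As an added example (not from the original post, and not Cisco or Microsoft code), here is a small Python inspector for the MIT-format keytab that ktpass writes. It parses the entries without returning key material and flags the points the reply above calls out (realm and host-name casing of the principal) plus the DES-only key type, which is a deprecated enctype worth knowing you have. The sample keytab is constructed inline; the host CAS01.example.co.za and realm EXAMPLE.CO.ZA are hypothetical.

```python
import struct

# Name type (RFC 4120) and enctype numbers (RFC 3961) used below
KRB5_NT_PRINCIPAL = 1
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def _counted(s):
    """Encode a counted_octet_string: uint16 big-endian length + bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def build_entry(components, realm, enctype, key, kvno=3, timestamp=1086102831):
    """Serialise one entry in the MIT 0x0502 keytab layout (only used to build the sample)."""
    body = struct.pack(">H", len(components)) + _counted(realm)
    body += b"".join(_counted(c) for c in components)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a version-2 keytab into entry dicts; key material is not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, _ts, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm, "components": comps,
                        "realm": realm, "name_type": name_type, "enctype": enctype, "kvno": kvno})
        pos = end
    return entries

def check_keytab(data, expected_host):
    """Flag what the thread warns about: realm/host casing and DES-only keys."""
    findings = []
    for e in parse_keytab(data):
        p = e["principal"]
        if e["realm"] != e["realm"].upper():
            findings.append(f"{p}: realm is not upper-case")
        host = e["components"][1] if len(e["components"]) > 1 else ""
        if host != expected_host:
            why = "case differs from" if host.lower() == expected_host.lower() else "is not"
            findings.append(f"{p}: host part {why} '{expected_host}'")
        if e["enctype"] in DES_ENCTYPES:
            findings.append(f"{p}: {DES_ENCTYPES[e['enctype']]} is a weak, deprecated enctype")
    return findings

# Constructed sample: hypothetical host CAS01.example.co.za, all-zero dummy key bytes.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(["cleanaccess", "cas01.example.co.za"], "EXAMPLE.CO.ZA", 3, b"\x00" * 8)
                 + build_entry(["cleanaccess", "CAS01.example.co.za"], "EXAMPLE.CO.ZA", 18, b"\x00" * 32))

def sample_findings():
    return check_keytab(SAMPLE_KEYTAB, "CAS01.example.co.za")
```

To inspect a real file, read it in binary mode and pass the bytes to check_keytab with the host name exactly as shown under My Computer > Properties.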

  • Anyconnect Client & Clean Access SSO

    I have an ASA 5550 setup with the AnyConnect Essentials License and it works. Behind the VPN we have a CA server running 4.1.8 using SSO. The VPN aspect of this works, but I've run into an issue with OSX and the CA Agent. Windows and the CA Agent SSO works. When you connect to the VPN via AnyConnect on a Mac (OSX 10.5.8) it connects, but when the CA Agent starts communicating with the CAS you are disconnected.
    I've looked at the traffic between the ASA and CAS; the RADIUS traffic looks good. Is this a bug?
    ASA: 8.2(1)
    CAS/CAM: 4.1.8
    MAC CA Agent: 4.5.0 (it is supported per docs).
    Thanks,
    -Dusty

    Hi Dusty,
    Try this:
    - Look in your appropriate user directory for the CCAAgent dir (in my case it was: /Users/tprender/Library/Application Support/Cisco Systems/CCAAgent)
    - Create a preference.plist file if it doesn't already exist; if it does exist, just add the key/value strings for "VlanDetectInterval" below
    - To create the file, do "vi preference.plist" and enter this data:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>AutoPopup</key>
        <string>yes</string>
        <key>VlanDetectInterval</key>
        <string>0</string>
    </dict>
    </plist>
    - Save this file (in vi, :wq and ) and restart the Cisco NAC Agent (right click the icon and exit, then relaunch from your Applications menu)
    The VlanDetectInterval must be set to 0 (default is 5) as Macintoshes do stupid things with the vpn interface.
    I hope this helps. Please rate if you find this a valid solution.
    Cheers,
    Tim

  • Clean Access Agent can't popup

    Hi, we set up a CAS and CAM in L2 OOB virtual gateway mode and the switch is a 3560 using SVI and L3 for routing. We can authenticate using the web agent, but there is a problem when using the Clean Access agent. I have configured the discovery host using the IP address of the CAM, but the login doesn't pop up. I changed the discovery host to the IP of the server and tried reinstalling the access agent, but the login doesn't pop up. Do I need to reboot the server when I change the IP of the discovery host? What do I need to configure on the CAM or CAS?

    For L2 or L3 deployments, the Clean Access Agent will pop up on the client if "Popup Login Window" is enabled on the Agent and the Agent detects it is behind the Clean Access Server. If the Agent does not pop up, this indicates it cannot reach the CAS.
    To Troubleshoot L2 Deployments:
    1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd) and type ipconfig or ipconfig /all to check the client IP address information.
    2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client.
    To Troubleshoot L3 Deployments:
    1. Check whether the Discovery Host field is set to the IP address of the CAM itself under Device Management > Clean Access > Clean Access Agent > Installation | Discovery Host. This field must be the address of a device on the trusted side and cannot be the address of the CAS.
    2. Uninstall the Clean Access Agent on the client.
    3. Change the Discovery Host field to the IP address of the CAM and click Update.
    4. Reboot the CAS.
    5. Re-download and re-install the Clean Access Agent on the client.
    Note: The Login option on the Clean Access Agent is correctly disabled (greyed out) in the following cases:
    • For OOB deployments, the Agent user is already logged in through the CAS and the client port is on the Access VLAN.
    • For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already authenticated through the VPN concentrator (therefore is already automatically logged into Cisco NAC Appliance).
    • MAC address-based authentication is configured for the machine of this user and therefore no user login is required.

  • Clean Access & Windows Loginscript Problems

    Hi Everyone
    We are installing NAC Cisco Clean Access.
    The CAS is installed as L2 Virtual Gateway Out-of-Band, with SSO towards the AD.
    We are experiencing some problems related to Windows Domain login scripts (vbs).
    They are not executed.
    It looks like the Microsoft Group Policies are pushed to the Client, but the login script never starts.
    "Everything" else works - VLAN Mapping, Network Access and so on.
    We have modified the "Unauthenticated Role" so that a Domain Logon can be done.
    Does anyone have experience related to this issue?
    Greetings
    Jarle

    Hi all,
    We experienced 2 problems with the login script.
    A) The ipconfig /release and /renew were occasionally taking place in the middle of the script execution, so part of the mapped drives were missing.
    B) Apparently, whether you are using linkup or MAC notification to control your switchport access, the auth VLAN is set on the switchport only when it "sees" the MAC address of the controlled PC. In our case the network card driver loads in Windows XP and the switchport is bounced to the auth VLAN, and while the process is done, if the user logs in too quickly, the Windows XP machine loads its credentials from cache (doesn't see the domain controller) and therefore the login script is not executed at all.
    The best way to fix problem A) is to do as jvr755 suggests. we
    And for the fix to B), I opened a case with Cisco because when the switch sends the SNMP Link-Up trap to the CAM it should be set to the Auth VLAN right away, but in our case it's not.
    Finally, when debugging, I think it's very useful to do a "show run int FX/X" on the port controlled by the NAC while booting the PC; it really helps to see what's going on in the booting process.
    Dominic

  • Anyone using Cisco Clean Access with Juniper SSL VPN?

    We're testing Cisco Clean Access with Juniper SSL VPN, and are running into a problem with single sign on. The Juniper box is sending the user's source IP as the framed-ip-address, and not the Network Connect assigned IP, which is why we need to get SSO to work. Has anyone done this, and what did you do to get it working? Thanks.

    Hi,
    I've no experience with this app, but it does list
    Juniper as a supported client:
    http://www.equinux.com/us/products/vpntracker/interoperability.html

  • Clean Access Server could not establish a secure connection

    I have an OOB Real IP GW setup on v4.1.2.
    I seem to have a problem with the CAS connecting to the CAM, although I have added the CAS to the CAM and can manage the CAS from the CAM.
    I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication VLAN. I eventually figured out that if I change the CAS Filter Fallback method from Allow to Ignore then it tries to authenticate the client. However, the fact that the fallback is activated tells you that something is not right.
    I have 2 problems:
    A) The client's web page is redirected for authentication, but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server, and it would not help as it does not include the hostname in the URL anyway. How do I fix this, or perhaps it's related to the 2nd problem.
    B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    I would guess the culprit is No 2, but surely the system can run on self-signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the certificates on the CAM & CAS.
    Any ideas?

    To overcome problem B, I regenerated the SSL certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.
    I also SSH'd from each of the CASs to each of the CAMs from the CLI, and it then prompts to permanently store the certificates. I'm not sure if this was necessary though.

  • Windows Vista conflicting with Clean Access?

    When I try to log into Clean Access to use the internet, it gives me an error message saying that in order to fulfill all of my requirements and get into the system, I need to download Windows Defender. But Windows Defender comes with Windows Vista, which is what I have... So when I try to download Windows Defender and install it, it gives me a popup saying that I already have it on my computer and that I don't need to download it. Any ideas? Anybody? Please? Am I even in the right place for this kind of question?

    If you are using Windows Vista, you already have Windows Defender. Check the version of Defender, because if Windows Defender informed you that an update is available, you are running an older version.
    Below are the Windows Vista supported antispyware products as of the latest release of the Cisco Clean Access software.
    Product version - 1.x
    AS Checks Supported
    (Minimum Agent Version Needed) are:
    Installation - (4.0.5.0)
    Spyware Definition - (4.0.5.0)

  • Please... help me with the communication between CLEAN ACCESS MANAGER and Switch 3560E-24Ps by SNMP

    Dear All,
    I tried to configure both the Clean Access Manager and the Switch 3560E-24Ps for the SNMP Version 2 protocol, but I can't make them work together (for the CAM and Switch 3560G-48Ps I can do that). Please give me any suggestion to solve that problem. All configuration is as below:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

  • WebGate Error Report - The URL /access/sso is reserved for use by Oracle...

    We are getting a 500 error on the web gates when logging in.
    They have been working before, but are now reporting the error below.
    2010/01/27@07:09:25.632239 18521 33 WEB ERROR 0x0000151F /export/build40/Oblix/coreid1014/palantir/commonlib/src/apache2_req_info.cpp:170 "WebGate Error Report" Message^The URL /access/sso is reserved for use by Oracle Access Manager and has been used with incorrect parameters. ReqReq^POST /access/sso HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^p1uawbsv1.portal.internal ReqStatLine^ ReqStatus^200 ReqRawUri^/access/sso ReqUri^/access/sso ReqFilename^/u01/app/oracle/product/11.1.1/ohs1/instances/instance1/config/OHS/ohs1/htdocs/access ReqPath^/sso ReqArgs^
    The configuration uses form based login
    Details for Authentication Scheme
    Level           1
    Challenge Method           Form
    Challenge Parameter           
    creds:userid password
    form:/oamsso/login.html
    action:/access/sso
    passthrough:no
    SSL Required           No
    Challenge Redirect           
    Enabled           Yes

    thanks,
    The login POST goes to /access/sso, but now I am getting a 404 error for /access/sso.
    Below is what I currently have in httpd.conf, which is the same as in a working environment.
    The web gate policy resources include /portal and /public, but no mention of /access. How does web gate know how to intercept /access/sso?
    [2010-01-28T10:50:42.9609+11:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [host_id: p1uawbs02] [host_addr: 10.252.16.223] [tid: 18] [user: oracle] [ecid: 0000Pa_5qz3BP9s5Gj0Fyf0001rV00009_] [rid: 0] [VirtualHost: main] File does not exist: /u01/app/oracle/product/11.1.1/ohs1/instances/instance2/config/OHS/ohs1/htdocs/access
    #*** BEGIN WebGate Specific ****
    LoadFile "/u01/app/oracle/product/11.1.1/ohs1/oam/webgate/access/oblix/lib/libgcc_s.so.1"
    LoadFile "/u01/app/oracle/product/11.1.1/ohs1/oam/webgate/access/oblix/lib/libstdc++.so.5"
    LoadModule obWebgateModule "/u01/app/oracle/product/11.1.1/ohs1/oam/webgate/access/oblix/apps/webgate/bin/webgate.so"
    WebGateInstalldir "/u01/app/oracle/product/11.1.1/ohs1/oam/webgate/access"
    WebGateMode PEER
    <Location /access/oblix/apps/webgate/bin/webgate.cgi>
    SetHandler obwebgateerr
    </Location>
    <Location "/oberr.cgi">
    SetHandler obwebgateerr
    </Location>
    <LocationMatch "/*">
    AuthType Oblix
    require valid-user
    </LocationMatch>
    #*******Default Login page alias***
    Alias /oamsso "/u01/app/oracle/product/11.1.1/ohs1/oam/webgate/access/oamsso"
    <LocationMatch "/oamsso/*">
    Satisfy any
    </LocationMatch>
    #*** END WebGate Specific ****

  • Clean access rules and Windows service pack 3

    I am having a small issue with our Clean Access Manager blocking any Windows XP computer that has service pack 3 installed. The main failure it is giving in the reports is this
    Failed Checks:
    pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]
    pc_Windows-XP-SP1, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 1]
    The key that is there when sp3 is installed is this:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 3
    I have verified that pc_Windows-XP-SP1 and pc_Windows-XP-SP2 are there, and I have created a check for service pack 3, eric_pc_Windows-XP-SP3, and added the check to the rules governing Windows updates for XP Pro/Home and Windows Media Edition. But for some reason they are not taking effect. The CAM is running version 4.1.3.1 and the CAA is version 4.1.3.2. Any assistance would be greatly appreciated.
    Thank you,
    Eric

    Here is the configuration guide for the Clean Access Manager, which will help you:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_instal.html

  • Clean Access and Windows 2003 Server

    I am trying to install the Clean Access Client on a VM running Windows 2003 Server. When I connect to our customer's network the VPN client appears to connect properly and I see the Clean Access window. Then it all seems to fall over. My customer tells me I should see a blue window with a red OK button on it but I never see it. As a result I never get completely into the network. Is this because I am running this on Windows 2003 Server or should I be looking at something else? Can this run in a Virtual Environment and on 2003 Server?

    I worked it out partially by myself:
    1)
    (excuse me, I meant "kinit and Krb5LoginModule" not "kinit and kinit.exe").
    Krb5LoginModule seems to work now (with TCP). The output is:
    KRBError:sTime is Tue Jun 01 17:13:51 CEST 2004 1086102831000
    suSec is 945761
    error code is 52
    error Message is Response too big for UDP, retry with TCP
    realm is SSOTEST.RTC.CH
    sname is krbtgt/SSOTEST.RTC.CH
    KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch TCP:88, timeout=30000, number of retries =3, #bytes=232
    DEBUG: TCPClient reading 1496 bytes
    KrbKdcReq send: #bytes read=1496
    KrbKdcReq send: #bytes read=1496
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsRep cons in KrbAsReq.getReply sso_testuserCommit Succeeded
    Which is what I want (it tries first with UDP, then the KDC says the TGT is too big for UDP and the client tries again with TCP)
    2)
    I still have the error :-(

  • Run-time error '7': Out of memory - Cisco Clean Access problem

    Hi all,
    I hope this question is in the appropriate place. I'm trying to use my company's vpn service. Here's how the process should work:
    1) Log on with username/password using Cisco AnyConnect VPN Client
    2) Log-in to the portal. During this step the Cisco Clean Access Agent is supposed to automatically log-in. However I get the following error:
    Run-time error '7':
    Out of memory
    My company's network services didn't seem to be much help, so I was hoping one of you would have a good suggestion(s).
    Please keep in mind that I'm not great with computers. I know how to use them and all that but I'm not familiar with the inner-workings at all (registry editing etc.)
    Thanks in advance!
    -Bill

    I should add that the version of CCA is 4.1.10

  • Help with Clean Access Architecture

    Hello All,
    I wanted to engage some of the NetPros out there about designing our Clean Access architecture. We purchased 4 3140s (2 x CAMs w/ FO, 2 x CASs w/ FO). The goal is to use Clean Access to validate select areas of our headquarters, along with validating users in a remote location.
    The HQ part of the design I can understand without issue. It's when we begin to deal with the remote office that I become uncertain about the design. The remote office is MPLS connected to HQ (L3 multi-hop). We want users in the remote office to also be L2 authenticated to the Clean Access cluster at HQ. Across MPLS this does not appear to be straightforward. We'd like to do an L2 deployment, but from what I've read this will require using L2TPv3 at the remote office to "tunnel" the VLANs from HQ to remote and vice-versa. My fear is that now the default gateway for the remote clients is the HQ Clean Access cluster. Therefore... all traffic will be "switched" across their WAN link. This becomes an issue as the remote office has local Windows domain controllers for faster file access on another VLAN... and in this scenario it sounds like the workstations would have to travel across the L2TPv3 tunnel to HQ just to go back across the tunnel to the remote office for file access. Sounds slow!
    Does anyone have recommendations as to how to design this centralized, L2, OOB architecture? In my mind I would want the clients attempting authentication to the switch... switch forwards to the CAS... CAS validates posture and passes down the necessary VLAN to the switch. All VLANing and switching is kept remote. We operate all 3750 switches... so our infrastructure can work with NAC. Sorry for the long post, just wanted to try to explain the requirements. Thanks for the help.
    -Mike
    http://cs-mars.blogspot.com

    Hi Mike -
    Very good questions. You definitely do not need the L2TPv3 across the WAN to control the ports at the remote site.
    The CASs can be deployed L2 In-Band (IB), L3 In-Band (IB), L2 Out-of-Band (OOB) or L3 Out-of-Band (OOB).
    L3 OOB can be used to control the switches at the remote sites. A 2nd VLAN is required for the remote site to serve as the authentication VLAN. All ports start off on this Auth VLAN when a user plugs in.
    The user receives an IP address on this Auth VLAN and the local L3 device is the gateway. The L3 device should have ACLs to protect the rest of the network from this Auth VLAN. The only permit entries in the ACL should let the users get to the CAS and the remediation servers. Using a network like 192.168.x.x and varying the 3rd octet on a per-site basis simplifies the ACLs if you are using 10.x.x.x as your internal addressing. The ACLs should be placed on all the MPLS routers to protect the production network from the Auth network.
    Once the user proves trustworthy, Clean Access changes the VLAN on the switch to the production/normal VLAN and the user has complete access as before.
    CASs can be either one of the 4 roles (L2 IB, L3 IB, L2 OOB, L3 OOB) when they are added to the CAM.
    If you plan to use L2 OOB for your HQ and L3 OOB for the remotes, you may need to add 1 more CAS pair to your architecture.
    We have some great diagrams that the Clean Access product team have put together that will illustrate this architecture to you.
    Your local SE / CSE should be able to provide this to you.
    Let us know if you have any follow up questions.
    Hope this helps.
    peter

  • Confusion on Cisco clean access and Cisco NAC

    Dear Pros,
    I am still confused by the name mismatch above. Could anyone please give me the correct NAC part number for both the server and the manager?
    swamy

    Cisco Clean Access and NAC are the same.
    NAC is just the new naming.
    You can have NAC installed in two ways, Framework or Appliance mode.
    I think Framework is not available anymore (I may be wrong).
    If you go with the appliance, you'll need a minimum of two: 1 for the CAM (Clean Access Manager), which manages the policies, and 1 for the CAS (Clean Access Server), which is the "filter" between your authentication LAN and your prod network.
    Dominic
