Problem with the CAS (Clean Access Server Administration)

I have 7 VLANs in my network and a WLC. The users in VLAN 2 have no problem accessing the Internet, but for a while now I have had a problem with VLAN 3: every time it gives me "the site's security certificate is not trusted", and a file is attached. Thanks in advance.

Hello,
Thank you for posting your question on the National Instruments forum.
Could you check whether the variables are visible in the Distributed System Manager under Start>>All Programs>>National Instruments>>Distributed System Manager or via LabVIEW >> Tools>>Distributed System Manager?
Could you also look at the following link:
Troubleshooting Network-Published Shared Variables:
http://digital.ni.com/public.nsf/allkb/6E37AC5435E44F9F862570D2005FEF25?OpenDocument
Brice S.
National Instruments France

Similar Messages

  • Clean Access Server could not establish a secure connection

    I have a OOB Real IP GW setup on v4.1.2
    I seem to have a problem with the CAS connecting to the CAM although I have added the CAS to the CAM and can manage the CAS from the CAM.
    I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication vlan. I eventually figured out that if I change the CAS Filter Fallback method from Allow to ignore then it tries to authenticate the client. However the fact that the fallback is activated tells you that something is not right.
    I have 2 problems:
    A) The client's web page is redirected for authentication but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server and it would not help as it does not include the hostname in the URL anyway. How do I fix this or perhaps it's related to the 2nd problem.
    B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    I would guess the culprit is No 2 but surely the system can run on self signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the certificates on the CAM & CAS.
    Any ideas?

    To overcome problem B, I regenerated the SSL Certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.
    I also SSH'd from each of the CAS's to each of the CAM's from the CLI and it then prompts to permanently store the certificates. I'm not sure if this was necessary though.

  • Clean Access Server is unavailable on the network

    I have an issue where randomly (about 4 or 5 users per week out of about 150 concurrent users) people are getting "Clean Access Server is unavailable on the network".  We are using the full client v4.7.0.  Certs and DNS look good, and everything works fine for most people.  I read about the "work offline" bug, do you think that could cause this?  Also, the CAM and CAS clocks are about 4 minutes apart, what kind of issues could this cause?
    Thanks!

    I found it, it was described in TAC Case 614237013 w/ Nate Austin from RTP's AAA TAC.  Bug ID # CSCta39899.  Excerpts from the TAC case are below.
    David Swafford.
    =============================================================
    Subject: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly
    Hi David,
    My name is Nate Austin with Cisco TAC and I just accepted ownership of
    your SR regarding NAC Appliance.
    Looking at the logs I can see two way communication with the CAS so we
    know it can reach it IP-wise. All the swiss communication is successful,
    but it appears the HTTPS requests are the ones that are failing.
    I have seen a couple things cause this:
    1) Personal firewall blocking ports from CCA Agent.
    2) More common - We use the same libraries as IE does for making HTTP
    calls - If IE Offline Mode is enabled, this will cause the agent to
    fail. Can you check in IE (especially if Firefox or Chrome are the users
    default browser because they'd never check IE) and see if Offline Mode
    is enabled. If so, disable it and try again?
    Thanks,
    Nate
    =============================================================
    Subject: Re: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly
    Sounds good.
    FYI, if this does end up being the problem, there was a bug filed on
    this CSCta39899, and in the 4.8 agent the agent will disable Offline
    mode and re-enable it after it logs in.
    Thanks,
    Nate
    Nathaniel Austin                        Cisco Systems
    Customer Support Engineer               Research Triangle Park, NC

  • Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

    Hello everyone
    I am implementing a failover solution of NAC in OOB VG version 4.8, I have 2 CAS and 2 CAM.
    The Error I am getting is when I connect to both IP address and the FQDN of the CAS.
    ===========
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    ==========
    For the CAM's I use the names camsrv1 and camsrv2, then generate a CSR on camsrv1 with the name camsrv3.mycompany.com, corresponding to the virtual IP, and export it to camsrv2, install the CA certificate of the company, and everything works perfectly.
    This is the failover configuration
    CAM:
    Primary:     10.1.206.248 camsrv1.mycompany.com
    Secondary: 10.1.206.249 camsrv2.mycompany.com
    Virtual:       10.1.206.250 camsrv3.mycompany.com
    Then I do exactly the same steps for the CAS's and this is the failover configuration:
    Primary:     10.1.216.248 cassrv1.mycompany.com
    Secondary: 10.1.216.249 cassrv2.mycompany.com
    Virtual:       10.1.216.250 cassrv3.mycompany.com
    Then I add the certificate of CAM in the CAS on the tab "Trusted Certificate Authorities"  and vice versa.
    The communication between all the CAM's and CAS's is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN and I can also manage the CAS through the CAM.
    I verify that the time was right in the CAM and the CAS and all good up there.
    Appreciate your help
    Eduardo Navas

    Eduardo,
    Bump up the CAS/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
    On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Invalid Clean Access Server

    We are seeing these messages in our CAM logs:
    "Unable to add user to Clean Access Server <CAS IP>, [00:00:00:00:AA:13 ## x.x.x.x] username"
    While the clients see:
    "Invalid Clean Access Server"
    We are running 4.1.3.1 software and using In-Band for our wireless. This is best reproduced by logging into CA via the agent and then move locations (wireless). At the new location the agent says "logged-in" but when you open a web browser you are redirected to the web authentication page. When you login to the web auth page you'll fail and receive the "Invalid Clean Access Server" error message below the login form. After this you are in a loop you can't get out of even after right-clicking the agent and logging off.
    The problem started after our upgrade from 4.1.1 to 4.1.3.1. Our TAC engineer hasn't found a solution yet so I thought I'd post here. Any help would be greatly appreciated.
    Thanks,
    -Dusty

    I'll answer my own question:
    Bug: CSCsl70418

  • Clean access server and wireless users

    Hi,
    The AP has several vlans (employee, guest). There is a trunk up to the switch and all l3 vlan interfaces are created on the switch.
    I would like to add a clean access server.
    1) Besides the configuration of the clean access server, do I just need to move the l3 vlan interface from the switch to the clean access server untrusted interface?
    2) Is the ip address of the trusted interface on the clean access server a trunk too?
    Thank you,
    Best regards,
    Pascal

    I think yes. The ip address of the trusted interface on the clean access server needs to be configured as a trunk too. This is up to my knowledge.

  • NAC/Clean Access Server no longer intercepting Clients after upgrade

    We recently upgraded our CISCO Clean Access Manager and Server to version 4.8.2 from 4.8.0.  Everything seemed to be working fine but I had a user log in without having the NAC Agent running and they had full access.  We didn't change anything other than upgrading to the new version.  We have found that the user has access even before the Windows Agent is completed with the assessment of the client.  It worked fine before the upgrade... Again, we made no changes other than upgrading to the new version (no route changes, etc).
    I even tried an explicit deny for the user's workstation's mac and the NAC Server still let him through... I am a bit perplexed... Thanks for any assistance.

    Hmm, I removed the line but it does not help me?
    I did run following command in terminal:
    sudo pico /Library/Server/Mail/Config/postfix/main.cf
    Removed the "reject_non_fqdn_helo_hostname" from the line smtpd_helo_restrictions.
    Saved the file and restarted Mail service
    I get this in the log when I try to send from a Windows client with Outlook 2010:
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): Authentication server failed to complete the requested operation.
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): authentication failed for user=annicalundmark, method=DIGEST-MD5
    Have tried different ports like 25 and 587 with SSL, TLS and "none" in SMTP advanced settings on the client.
    I did use the same instructions before in Lion server and there it did work?!
    Any more ideas?
    regards
    Jörgen

  • Cisco Clean Access Server eth0 port inactive on install

    I am trying to learn how the Cisco NAC appliances work. I have created a small self-contained test network with a Server 2003 domain controller, a fake domain setup and some workstations joined to the domain.
    I have two NAC appliances, one is the Server and one is the Manager.
    When I follow the instructions from the manual to install the server from the CD everything seems to go fine. I plan to use it as a bridge in the network so I applied the same IP address to both the eth0 and eth1 interface (the eth1 interface is not connected to the network during install as per instructions)
    Here is the issue I am having: After configuration is finished and the CCA server re-boots, I cannot ping the server when it is connected by eth0. If I swap the network cable over to eth1, however I can ping the device.
    Is this normal?

    I have the same issue. But it gets even stranger; I had the CAM/CAS working in a test LAN environment, got the AD SSO to work by applying VLANs based on AD group membership of the user logging on. Client was pleased.
    Move the two NAC devices to their location and reloaded clean both CAM & CAS from CD, did the same configuration and now eth0 (Trusted) can't see the AD domain controller but can see the CAM. I ran nslookup on the CAS to test the network settings and the result is no server found - the DNS server is the AD domain controller.

  • Confusion on Cisco clean access and Cisco NAC

    Dear Pros,
    I am still confused by the name mismatch above. Could anyone please give me the correct NAC part number for both server and manager?
    swamy

    Cisco Clean Access and NAC are the same.
    NAC is just the new naming.
    You can have NAC installed in two ways, Framework or Appliance mode.
    I think Framework is not available anymore (I may be wrong).
    If you go with the appliance, you'll need a minimum of two. 1 for the CAM (Clean Access Manager) which manages the policies and 1 for the CAS (Clean Access Server) that is the "filter" between your authentication lan and your prod network.
    Dominic

  • Clean access agent logoff

    We have layer 2 virtual gateway mode - and Cisco Clean Access Server/Manager running Version 4.5.1
    This client is Windows XP SP3 and using CCA agent
    Version 4.5.1.0
    when they right click the cca agent and click logoff they get the attached errors - this is only happening to certain laptops

    Hi,
    It looks like your client machine is not trusting the CAS certificate.
    If you add the CAS certificate under the trusted certificate authorities, does the same error occur?
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Clean Access Agent can't popup

    Hi, we set up a CAS and CAM in L2 OOB virtual gateway and the switch is a 3560 using SVI and L3 for routing. We can authenticate using web agent but there is a problem when using a Clean Access agent. I have configured the discovery host using the IP address of the CAM but the login doesn't pop up. I changed the discovery host to the IP of the server and tried reinstalling the access agent but login doesn't pop up. Do I need to reboot the server when I changed the IP of the discovery host? What do I need to configure on the CAM or CAS?

    For L2 or L3 deployments, the Clean Access Agent will pop up on the client if "Popup Login Window" is enabled on the Agent and the Agent detects it is behind the Clean Access Server. If the Agent does not pop up, this indicates it cannot reach the CAS.
    To Troubleshoot L2 Deployments:
    1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd) and type ipconfig or ipconfig /all to check the client IP address information.
    2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client.
    To Troubleshoot L3 Deployments:
    1. Check whether the Discovery Host field is set to the IP address of the CAM itself under Device Management > Clean Access > Clean Access Agent > Installation | Discovery Host. This field must be the address of a device on the trusted side and cannot be the address of the CAS.
    2. Uninstall the Clean Access Agent on the client.
    3. Change the Discovery Host field to the IP address of the CAM and click Update.
    4. Reboot the CAS.
    5. Re-download and re-install the Clean Access Agent on the client.
    Note: The Login option on the Clean Access Agent is correctly disabled (greyed out) in the following cases:
    • For OOB deployments, the Agent user is already logged in through the CAS and the client port is on the Access VLAN.
    • For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already authenticated through the VPN concentrator (therefore is already automatically logged into Cisco NAC Appliance).
    • MAC address-based authentication is configured for the machine of this user and therefore no user login is required.

  • Clean Access HTTP redirect wrong after IP address change

    Hi,
    Wondered if anyone had seen this:
    We have a Clean Access server running in VGW mode for VPN traffic, after a redesign the IP address has changed (the trusted and untrusted are the same).
    Unfortunately when a user logs in it still uses the old IP address in the HTTP redirect, this has been confirmed by looking at the HTML source.
    Apart from that it looks fine, new SSL certificate etc.
    Any ideas appreciated, thanks.
    Jim.

    For all deployments, if planning to configure the Clean Access Server in Virtual Gateway mode (IB or OOB), do not connect the untrusted interface (eth1) of the standalone CAS or HA-Primary CAS until after you have added the CAS to the CAM from the web admin console. For Virtual Gateway HA-CAS pairs, also do not connect the eth1 interface of the HA-Secondary CAS until after HA configuration is fully complete. Keeping the eth1 interface connected while performing initial installation and configuration of the CAS for Virtual Gateway mode can result in network connectivity issues.
    When setting up a CAS in Virtual Gateway mode, you specify the same IP address for the trusted (eth0) and untrusted (eth1) network interfaces during the initial installation of the CAS via CLI. At this point in the installation, the CAS does not recognize that it is a Virtual Gateway. It will attempt to connect to the network using both interfaces, causing collisions and possible port disabling by the switch. Disconnecting the untrusted interface until after adding the CAS to the CAM in Virtual Gateway mode prevents these connectivity issues. Once the CAS has been added to the CAM in Virtual Gateway mode, you can reconnect the untrusted interface.
    Administrators must use the procedure mentioned in the below URL for correct configuration of a Virtual Gateway Central Deployment:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/418/cas/s_instal.html#wp1045874

  • Snow Leopard 10.6.1 Exchange 2007 with CAS and MBX Server

    Hi, I have a problem with 10.6.0 and 10.6.1 connecting to Exchange 2007.
    We have 2 Exchange servers. One is the CAS (Client Access Server) and the other server is a mailbox server. The client has to connect to the CAS and it connects to the mailbox server.
    My problem is connecting with Mail, iCal or Address Book.
    „The Server doenst answer. Please make sure that the network ......“
    The network works fine but i can not connect.
    Greetings

    Hi kjbowler & welcome to discussions
    http://support.apple.com/kb/DL907
    ...it it will work using HP stuff exclusively w/SL, this is the only way to proceed.
    I don't see why you can't just print @ 400% tho...

  • Cisco Clean Access Manager is a software or hardware?

    Hi all,
    Is Cisco Clean Access Manager software integrated in the Cisco Clean Access Server or a single hardware device?
    NAC is new to me. I can't open the NAC flash demo, so can anyone provide me with the NAC appliance and NAC Framework deployment topology? Thank you.
    Respects!
    MinQuant

    Hi,
    This is an appliance ... so it's hardware
    Look here for more information on the subject:
    http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd803be813.shtml
    If you find this post useful
    please don't forget to rate this
    #Iwan Hoogendoorn

  • Clean Access and Windows 2003 Server

    I am trying to install the Clean Access Client on a VM running Windows 2003 Server. When I connect to our customer's network the VPN client appears to connect properly and I see the Clean Access window. Then it all seems to fall over. My customer tells me I should see a blue window with a red OK button on it but I never see it. As a result I never get completely into the network. Is this because I am running this on Windows 2003 Server or should I be looking at something else? Can this run in a Virtual Environment and on 2003 Server?

    I worked it out partially by myself:
    1)
    (excuse me, I meant "kinit and Krb5LoginModule" not "kinit and kinit.exe").
    Krb5LoginModule seems to work now (with TCP). The output is:
    KRBError:sTime is Tue Jun 01 17:13:51 CEST 2004 1086102831000
    suSec is 945761
    error code is 52
    error Message is Response too big for UDP, retry with TCP
    realm is SSOTEST.RTC.CH
    sname is krbtgt/SSOTEST.RTC.CH
    KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch TCP:88, timeout=30000, number of retries =3, #bytes=232
    DEBUG: TCPClient reading 1496 bytes
    KrbKdcReq send: #bytes read=1496
    KrbKdcReq send: #bytes read=1496
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsRep cons in KrbAsReq.getReply sso_testuserCommit Succeeded
    Which is what I want (it tries first with UDP, then the KDC says the TGT is too big for UDP and the client tries again with TCP)
    2)
    I still have the error :-(
