I beg to differ about the CCA version. I have been running SSO on 4.1.1 for a year and currently have 4.1.2.1 working IB & OOB Virtual Gateway. You do not necessarily need the latest release & associated bugs.
Bruce Osborne
Liberty University

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Sichel
Sent: Wednesday, May 21, 2008 2:07 PM
To: [email protected]
Subject: Re: [CLEANACCESS] CLEANACCESS Digest - 20 May 2008 (#2008-92)

> SSO
> Has anyone else beaten this beast and care to share your experiences?

I am not sure if I have exactly beaten it, but I have it working, kind of.

First off, are your clients and servers on the same IP LAN segment? If so, make SURE you are using the LATEST Clean Access release. It contains a vital fix to the click router if you are using OOB Virtual Gateway in this mode. Otherwise authentication and redirection to the client install page won't work.

Second, try opening ALL ports for the unauthenticated role to the auth server farm for testing. This eliminates the question of whether it is SSO or not.

When doing the ktpass thing and setting up your SSO ID for the LDAP search, FOLLOW THE INSTRUCTIONS EXACTLY ON ALL AUTH SERVERS. If you foul it up, even once, and the ID is locked out or fails, start AGAIN with a TOTALLY NEW USER ID. Also, use the Microsoft LDAP utility (lde.exe or something like that, I forget which) to check your LDAP name and get the OU, CN, and other LDAP stuff correct character for character. Pay CLOSE attention to the Cisco instructions on where all upper case and where correct case are used. The details really matter here.

Make sure the SNMP stuff is working for sets and gets on the test switch. This was a pain for me, because on my old, dumb 2950, which supports (allegedly) SNMP v1 and v2c, it works with v1, but SSO did NOT work with v2c, at least on the IOS version I was using. Oops. So try back-revving if the port is not switching VLAN after authentication. You can put the switch itself on some type of management VLAN and trunk it just fine so that your unencrypted SNMP strings aren't visible to end users or hackers who can't do VLAN hopping.

Just make sure that your management VLAN on the trunk to the switch is not the same default VLAN that you use for the Clean Access Server if you are doing the OOB Virtual Gateway. Cisco says the Clean Access Servers need a default VLAN that goes nowhere, and they are specific about when to plug in the untrusted interface. Believe them on this; they mean it. These things are doing weird stuff with layer 2 and wreak havoc on spanning tree and everything else if they become visible at layer 3. Trust me, don't go there: on a 4506 it takes 3-7 minutes for them to block IP traffic on your LAN if they become visible. Don't ask how I know.

Finally, put Wireshark on the test workstation in non-promiscuous mode when trying the log in. That will tell you what is really being seen, no matter what you think is being seen. The SWISS packets are, I think, on port 8995 and 8996 or something like that. Wireshark doesn't know what they are, but they do show up.

Hope this helps a bit.

Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone
(559) 868-6367
