Mike, I was on a tech call with Cisco last week about SSO in our environment. We are running 4.1.8 and he told me I had to upgrade to 4.7 because the AD servers are 2008 64-bit and 4.1.8 doesn't support that version. He also mentioned that I would need to wait until 4.7.2. There must be a bug fix or something. I didn't ask for further details since 4.7 is not in our future. If this is in fact true, I'd suggest you double-check with Cisco before you continue to rack your brain thinking it is WPA and RADIUS.
Hope that helps.

On Jan 21, 2010, at 11:24 AM, Mike Diggins wrote:

I've been trying unsuccessfully to get SSO working using a Cisco autonomous AP (1240 series, IOS 12.4(10b)JDA3) and WPA-Enterprise. I've managed to get WPA working, but not with SSO, despite following a number of Cisco (VPN SSO) deployment guides. I know the autonomous stuff isn't supported, but I was hoping it would work, since our site has a 50/50 split of that and lightweight.

I configured my CCA Server (In-band Virtual Gateway, 4.7.1) according to the VPN SSO guide, and pointed my AP radius accounting server to it. Debugging on the AP seems to indicate the accounting packets are successfully sent to the CCA server, when I log in via WPA from my XP client. However, the Agent prompts for my username and password as it usually does, and there is no indication the CCA Server is even acknowledging that. I'm not even sure how to debug that end.

Does anyone have an autonomous AP working using SSO? Was there anything unusual about the setup that the documentation might not cover? One thing I wondered was whether the Radius attributes being sent from my AP were sufficient for SSO. It includes my client MAC address but not the client IP address. Is that a show stopper?

-Mike
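One way to see exactly which identifiers the AP's accounting packets carry, as an added example that is not part of the original thread: a small parser for a RADIUS Accounting-Request (RFC 2866) that reports whether Calling-Station-Id (client MAC) and Framed-IP-Address (client IP) are present. The sample packet, user name and addresses are constructed, and the zeroed authenticator is not verified.

```python
import socket
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code, RFC 2866
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type",
              44: "Acct-Session-Id"}

def parse_accounting_request(packet: bytes) -> dict:
    """Return {attribute name: decoded value} for one Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        a_type, a_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + a_len]
        name = ATTR_NAMES.get(a_type, f"attr-{a_type}")
        if a_type in (4, 8) and len(value) == 4:
            attrs[name] = socket.inet_ntoa(value)        # IPv4 address
        elif a_type == 40 and len(value) == 4:
            attrs[name] = struct.unpack("!I", value)[0]  # 1 = Start, 2 = Stop
        else:
            attrs[name] = value.decode("ascii", "replace")
        pos += a_len
    return attrs

def identity_attributes(attrs: dict) -> dict:
    """Client identifiers present in the request (None when absent)."""
    return {"mac": attrs.get("Calling-Station-Id"), "ip": attrs.get("Framed-IP-Address")}

def build_attr(a_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (used for the sample only)."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample: an Accounting Start that carries the client MAC but no
# Framed-IP-Address, matching the situation described in the post.
BODY = (build_attr(1, b"mike") + build_attr(40, struct.pack("!I", 1)) +
        build_attr(31, b"0011.2233.4455") +
        build_attr(4, socket.inet_aton("192.0.2.10")))
SAMPLE = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(BODY)) + bytes(16) + BODY

if __name__ == "__main__":
    print(identity_attributes(parse_accounting_request(SAMPLE)))
```

Feed it the UDP payload of a captured accounting packet to compare what an autonomous AP sends with what a lightweight deployment sends.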
