https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570777#M770087 <HTML><HEAD></HEAD><BODY><P>Like Faisal said, you've got to open a bunch of ports to each AD domain controller for AD SSO to work.&nbsp; It's like 8 or so ports, some TCP, some UDP.</P></BODY></HTML> Wed, 27 Oct 2010 18:43:57 GMT csmgdswafford 2010-10-27T18:43:57Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570775#M770085 <P>Hi.</P><P></P><P></P><P>Please I need help.</P><P></P><P></P><P>I have my server with the "Active Directory SSO" started, but when a user try to connect to the network with his credentials that have in the Active Directory, the agent PC say that "Invalid username and password"</P><P></P><P></P><P>My server is listening by the port 8910.</P><P></P><P>I have conectivity with the cas and the active directory.</P><P></P><P>the command kpass runs sucessfully.</P><P></P><P></P><P>Thks.</P> Fri, 21 Feb 2020 12:07:46 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570775#M770085 jmanzur1683 2020-02-21T12:07:46Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570776#M770086 <HTML><HEAD></HEAD><BODY><P>Jorge,</P><P></P><P>If service is running, then you need to focus on the client/AD communication and see where the break is happening.</P><P></P><P>Can you make sure that in the Unauthenticated Role, you have all the required TCP/UDP ports open, along with ICMP and IP FRAGMENTS to all your Domain Controllers?</P><P></P><P>HTH,</P><P>Faisal</P><P>--</P><P>If you find this post helpful, please rate so others can find the answer easily</P></BODY></HTML> Fri, 22 Oct 2010 03:43:47 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570776#M770086 Faisal Sehbai 2010-10-22T03:43:47Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570777#M770087 <HTML><HEAD></HEAD><BODY><P>Like Faisal said, you've got to open a bunch of ports to each AD domain controller for AD SSO to work.&nbsp; It's like 8 or so ports, some TCP, some UDP.</P></BODY></HTML> Wed, 27 Oct 2010 18:43:57 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570777#M770087 csmgdswafford 2010-10-27T18:43:57Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570778#M770088 <HTML><HEAD></HEAD><BODY><P>Yes I have the following ports open. In the Unauthenticated role</P><P></P><P>TCP: 88,135,389,445,636,1025,1026</P><P>UDP: 0,8,88,123,137,389,636,3268,8910</P><P></P><P>And I have the same problem.</P><P></P><P>I have to mention that the command "netstat -a | grep 8910"&nbsp; is not listening, but in the server the service of Active Directory is stared.</P><P></P><P></P><P>Thks!!</P><P></P><P></P><P></P><TABLE class="stock"><TBODY><TR title="88(Kerberos), 135(RPC), 389(LDAP), 445(SMB), 636(LDAP), 1025(RPC), 1026(RPC)"><FORM><TD>:88,135,389,445,636,1025,1026,8910</TD><TD><INPUT id="fromcheck" name="fromcheck" type="hidden" value="1" /></TD></FORM></TR></TBODY></TABLE><TABLE class="stock"><TBODY><TR title="88(Kerberos), 135(RPC), 389(LDAP), 445(SMB), 636(LDAP), 1025(RPC), 1026(RPC)"><FORM><TD>:88,135,389,445,636,1025,1026,8910</TD><TD><INPUT id="fromcheck" name="fromcheck" type="hidden" value="1" /></TD></FORM></TR></TBODY></TABLE><TABLE class="stock"><TBODY><TR title="88(Kerberos), 135(RPC), 389(LDAP), 445(SMB), 636(LDAP), 1025(RPC), 1026(RPC)"><FORM><TD>:88,135,389,445,636,1025,1026,8910</TD><TD><INPUT id="fromcheck" name="fromcheck" type="hidden" value="1" /></TD></FORM></TR></TBODY></TABLE></BODY></HTML> Wed, 27 Oct 2010 22:38:09 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570778#M770088 jmanzur1683 2010-10-27T22:38:09Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570779#M770089 <HTML><HEAD></HEAD><BODY><P>Hmm... what's your deployment model?&nbsp; Inband, OOB, real-ip gateway, etc?&nbsp; Also, can you authenticate w/o the use of AD SSO (such as via RADIUS to an ACS box).</P><P><BR />David.</P></BODY></HTML> Thu, 28 Oct 2010 11:22:10 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570779#M770089 csmgdswafford 2010-10-28T11:22:10Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570780#M770090 <HTML><HEAD></HEAD><BODY><P>You mean the CAS is not listening on 8910 or your DC is not listening on 8910?</P><P></P><P>Not that this will solve your problem but try 'nestat -an | grep 8910', it is probably translating it to the name of the port.</P><P></P><P>Do you have a auth server of type active directory (non-sso)? See if that works, otherwise we probably need to start by looking at the agent logs from a host attempting SSO.</P></BODY></HTML> Thu, 28 Oct 2010 19:26:23 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570780#M770090 Elly Bornstein 2010-10-28T19:26:23Z https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570781#M770091 <HTML><HEAD></HEAD><BODY><P><SPAN id="result_box" lang="en"><SPAN>Thank you all.<BR /><BR /></SPAN><SPAN>was a certificate problem. </SPAN><SPAN>but the funny thing is that even I do not listen on port 8910.</SPAN></SPAN></P></BODY></HTML> Tue, 23 Nov 2010 19:36:46 GMT https://community.cisco.com/t5/network-security/problem-with-nac-and-active-directory/m-p/1570781#M770091 jmanzur1683 2010-11-23T19:36:46Z