https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615296#M811711 <HTML><HEAD></HEAD><BODY><P>Hi <SPAN class="jiveTT-hover-user jive-username-link active_link">Sanjeev,</SPAN></P><P></P><P>I was implemented the Cisco NAC in a multi domain environment and works fine until the customer add third AD server on Windows 2008.</P><P></P><P>Do you verify that the created user CASUSER is <SPAN class="active_link">visible</SPAN> on domain B?</P><P>The CASUSER in my opinon must be created on root domain and will be broadcasted to domains A&amp;B.</P><P>Do you used LDAP user mapping to roles?</P><P>Do you tested that was created user in domain B and verify in site A? It's the simple test for what you want to do.</P><P>Which version Cisco NAC have you got?</P><P></P><P>Kamil</P><DIV class="jive-author"><EM><BR /></EM></DIV></BODY></HTML> Sun, 27 Feb 2011 10:51:49 GMT wkamil123 2011-02-27T10:51:49Z https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615292#M811630 <P>Hi,</P><P></P><P>I need help with configuring CASUser Account for NAC AD SSO in a multidomain enviorment.</P><P>We have two child domain (based on region) say A &amp; B. We have created the casuser account in domain A. If a user from Domain A login, everything works fine and they are authenticated.</P><P>But the problem starts if some one from domian B tries to login - they are authenticated by AD (checked through kerbtray and net time \set (can't see ticket for casuser account)....the NAC agaent keeps on prompting for username &amp; password.</P><P></P><P>Domain: Windows 20003</P><P>Domain functional level: Windows 2000 native</P><P>Cisco NAC Agent: Version : <SPAN id="about_appver">4.8.0.32</SPAN></P> Fri, 21 Feb 2020 12:15:46 GMT https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615292#M811630 sanjeev3090 2020-02-21T12:15:46Z https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615293#M811649 <HTML><HEAD></HEAD><BODY><P>Which domain is the master? The domain in site A&amp;B&nbsp; are Windows 2000 native?</P><P>Do you configure kerbtray only on master domain?</P><P></P><P>Kamil</P></BODY></HTML> Fri, 25 Feb 2011 15:10:00 GMT https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615293#M811649 wkamil123 2011-02-25T15:10:00Z https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615294#M811663 <HTML><HEAD></HEAD><BODY><P>Which domain is the master? The domain in site A&amp;B&nbsp; are Windows 2000 native?</P><P>Do you configure kerbtray only on master domain?</P><P></P><P>Kamil</P></BODY></HTML> Fri, 25 Feb 2011 15:10:09 GMT https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615294#M811663 wkamil123 2011-02-25T15:10:09Z https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615295#M811685 <HTML><HEAD></HEAD><BODY><P>Hi Kamil,</P><P></P><P>Thanks for your response.</P><P></P><P>I guess you are quering about the KTpass command as kerbtray is just a tool to display the ticket information.</P><P>Both A &amp; B are child domains as we don't have any user accounts in root domain. The CAS user account was created in domain A (having multiple DC's in both domain A &amp; B) and we ran the ktpass command for the CASUSER account in domain A. Everything works fine for users created in domain A.</P><P></P><P>Our requirement is that when user in domain B are visiting domain A, they can be authenticated as well through NAC.</P></BODY></HTML> Sun, 27 Feb 2011 09:43:06 GMT https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615295#M811685 sanjeev3090 2011-02-27T09:43:06Z https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615296#M811711 <HTML><HEAD></HEAD><BODY><P>Hi <SPAN class="jiveTT-hover-user jive-username-link active_link">Sanjeev,</SPAN></P><P></P><P>I was implemented the Cisco NAC in a multi domain environment and works fine until the customer add third AD server on Windows 2008.</P><P></P><P>Do you verify that the created user CASUSER is <SPAN class="active_link">visible</SPAN> on domain B?</P><P>The CASUSER in my opinon must be created on root domain and will be broadcasted to domains A&amp;B.</P><P>Do you used LDAP user mapping to roles?</P><P>Do you tested that was created user in domain B and verify in site A? It's the simple test for what you want to do.</P><P>Which version Cisco NAC have you got?</P><P></P><P>Kamil</P><DIV class="jive-author"><EM><BR /></EM></DIV></BODY></HTML> Sun, 27 Feb 2011 10:51:49 GMT https://community.cisco.com/t5/network-security/cisco-nac-ad-sso/m-p/1615296#M811711 wkamil123 2011-02-27T10:51:49Z