Configure ADSSO with NAC

azfar.afif
Level 1

Hi Guys,

I need to configure my Cisco NAC (ADSSO) with Windows Server 2008 R2 Enterprise (64). For now we can only do ADSSO with Windows XP. Windows 7 is still using normal authentication. We are using KTPass to authenticate with the NAC server. We are using Windows 2008 at the 2003 functional level.

Can anyone help me regarding this?

Best Regards,

Azfar

3 Replies

Tarik Admani
VIP Alumni

Azfar,

There are a few things that you need to check/perform when configuring ADSSO. First you must check that the proper version of ktpass is installed on the machine where you generate the Kerberos ticket for the CAS service account (I recommend using a different account for this just so you can roll back; also, you cannot run ktpass successfully more than once for the same service account; please delete the account first, recreate the account and try again):

http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp228565

After this you need to follow the steps to generate the Kerberos ticket:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1301231

Here is an example more specific to your environment:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1277452

Since you are running in a mixed environment you must enable additional algorithms:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_adsso.html#wp1277452

If it fails, then purchase ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Thanks for your reply. Actually I have configured all of those. I already checked the ktpass version and enabled the additional algorithms, but Windows 7 still fails to authenticate using ADSSO. The Cisco support guide says that we can run in a mixed-mode environment. What can we do to check why Windows 7 still fails without purchasing ISE?

You can install kerbtray to see if the Kerberos ticket for the CAS service account is enabled.

Here is the ADSSO troubleshooting guide. Also, did you restart the services after adding the additional algorithms? Can you paste the line that you modified in the starttomcat file?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1321779

Thanks,

Tarik Admani
*Please rate helpful posts*