07-31-2012 12:44 PM - edited 03-10-2019 07:22 PM
Hi,
I installed NAC in OOB layer 2 with AD SSO, and the NAC AD SSO process is very slow (about 10 minutes).
I first log on to Windows with a username and password in the domain.
After about 1-2 minutes, the NAC Agent stays in the system tray and shows me the certificate message:
I click Yes, and after about 5 minutes the NAC Agent shows me the certificate message again. I click Yes again, then the NAC Agent pops up with the message: "Executing automatic login Windows Domain for NAC":
After about 3 minutes the NAC Agent gives me access to the network:
I configured rules for Unauthenticated Role to allow:
TCP - 88,135,139,389,445,636,1025,1026,3268,49152-65535
UDP - 88,123,137,389,636
ICMP - Allowed ICMP to Domain Controller
It takes about 10 minutes to log on; I tested on Windows XP, Windows Vista and Windows 7 machines.
Thanks
Moises Araujo
07-31-2012 01:03 PM
Moises,
Can you verify if the ports listed above are open to all the domain controllers that this workstation could connect to? You can issue a DNS query against the entire domain and cross-reference this list with your unauthenticated role.
thanks,
Tarik Admani
*Please rate helpful posts*
08-01-2012 02:47 AM
Hi
The certificate should be asked for only once. Can you save the certificate or push it through AD so it will not keep asking?
Nitesh
"please rate helpful posts"
08-01-2012 06:43 AM
@Tarik Admani
How can I issue a DNS query against the entire domain and cross-reference this list with the unauthenticated role?
Some of the listed ports are open and others closed; are there specific ports that need to be open?
@Nitesh
The certificate is asked for two times, and sometimes it pops up again even after I am logged in. I tried installing the certificate when it popped up the first time, but it continues to ask again after about 5 minutes. How can I push it through AD? Are you asking me to install the certificate on the AD server?
Thanks
Moises Araujo
08-01-2012 07:52 AM
Moises,
If you run nslookup from the machine you are testing with, that should get you all the DC records. Also, if you run a DNS query on the CAS server, that should give you the same results. Once you have all the DCs on your network, you will have to open the ports to all these IP addresses as described in this guide - http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_adsso.html#wp1174219
Thanks,
Tarik Admani
*Please rate helpful posts*
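The check Tarik describes (resolve every DC, then compare the ports each one is permitted in the Unauthenticated Role against the required list) is easy to get wrong by hand because of the ranges. The following is an added example, not code from this thread or from Cisco: it expands port specs like the ones posted above, reports per DC which required TCP ports the role policy is missing, and offers an optional TCP reachability probe to run from a workstation sitting in the unauthenticated VLAN. The DC addresses and per-DC policies are constructed sample data; feed in the addresses your nslookup returned and the rules actually configured.

```python
import socket
from typing import Dict, Iterable, List, Set

# Port lists as posted in the thread for the Unauthenticated Role.
REQUIRED_TCP = "88,135,139,389,445,636,1025,1026,3268,49152-65535"
REQUIRED_UDP = "88,123,137,389,636"


def expand_ports(spec: str) -> Set[int]:
    """Expand a comma-separated spec with ranges ('88,135,49152-65535') into a set of port numbers."""
    ports: Set[int] = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi or lo < 1 or hi > 65535:
                raise ValueError(f"bad port range: {token}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(token)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {token}")
            ports.add(port)
    return ports


def compress_ports(ports: Iterable[int]) -> str:
    """Inverse of expand_ports: render a set of ports as a compact 'a,b-c' spec (empty string for no ports)."""
    seq = sorted(set(ports))
    out: List[str] = []
    i = 0
    while i < len(seq):
        j = i
        while j + 1 < len(seq) and seq[j + 1] == seq[j] + 1:
            j += 1
        out.append(str(seq[i]) if i == j else f"{seq[i]}-{seq[j]}")
        i = j + 1
    return ",".join(out)


def missing_ports(required: str, allowed_by_dc: Dict[str, str]) -> Dict[str, str]:
    """For each DC, return the required ports the role policy does not allow ('' means the DC is fully covered)."""
    need = expand_ports(required)
    return {dc: compress_ports(need - expand_ports(allowed)) for dc, allowed in allowed_by_dc.items()}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Try a TCP connect to host:port; True only if the handshake completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: three DCs (as in the thread) with the TCP ports each is permitted in the role.
    policy = {
        "192.0.2.10": REQUIRED_TCP,                        # fully covered
        "192.0.2.11": "88,135,139,389,445,636,3268",       # missing 1025, 1026 and the RPC range
        "192.0.2.12": "88,389,445,636,3268,49152-65535",   # missing 135, 139, 1025, 1026
    }
    for dc, gap in missing_ports(REQUIRED_TCP, policy).items():
        print(f"{dc}: {'OK' if not gap else 'missing TCP ' + gap}")
    # Live probe; only meaningful when run from a workstation in the unauthenticated VLAN:
    # for dc in policy:
    #     print(dc, "LDAP 389 reachable:", tcp_reachable(dc, 389))
```

The offline cross-reference finds policy gaps such as a forgotten 1025/1026 or a mistyped RPC range; the probe then confirms what the CAS actually lets through for each DC, which is where a 5-minute delay before the domain login usually points (a TCP connect that times out rather than being refused).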
08-01-2012 10:44 AM
Tarik Admani,
I executed nslookup on the machine that I am testing and on the NAC Server; there are three AD servers, and they are the same on the machine and on the NAC Server.
I already added the policy to permit the requested ports in the Unauthenticated Role for the three AD Servers:
TCP: 88,135,139,389,445,636,1025,1026,3268,49152-65535
UDP: 88,123,137,389,636
ICMP to the three AD servers (I can ping the three AD servers from cmd on the testing machine while I am waiting to authenticate)
The NAC Agent is still showing the certificate two times, and after about 5 minutes it tries to log on to the Windows Domain (about 3 minutes to log on).
Thanks
Moises
08-01-2012 10:47 AM
Moises,
Did you also allow IP fragments?
Tarik Admani
*Please rate helpful posts*
08-01-2012 10:49 AM
Are the domain controllers on the same VLAN as the NAC server? Are you using Virtual Gateway?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-01-2012 10:55 AM
Allowed IP Fragment for all three Domain Controllers.
The Domain Controllers are in the same VLAN as the NAC server trusted interface.
I am using OOB Virtual Gateway L2
Thanks
Moises
08-01-2012 11:00 AM
Make sure that all three domain controllers and any other services such as DNS (if on the same subnet as the trusted interface) have a static route pointing out the trusted interface.
Thanks,
Tarik Admani
*Please rate helpful posts*