03-06-2008 08:50 AM - edited 02-21-2020 01:55 AM
Hello there,
I have configured CAS and CAM. I want my users to authenticate using AD SSO. I have followed all procedures outlined in the CAM
configuration guide (allow access to AD on the Unauthenticated role, create the cas user, run the ktpass command etc.). The AD SSO service runs successfully and I can telnet to the CAS on port 8910. My problem is that when users log in to the domain, AD SSO is not performed (they are asked for username and password). Using kerbtray I realised that they are not getting Kerberos tickets. I tried to allow ICMP in the Unauthenticated role, but when a user finishes logging in to the PC I can't ping the DC; when the Agent pops up and I enter the password for a user created in the CAM, I can ping the DC but not any other system on the network. Local accounts in the CAM can log in successfully. Any idea please!
Best regards,
Stanslaus.
03-06-2008 09:30 AM
Hey, you can call me, I can help you out if you want... my number is 91-9282241257
You need to create a policy in the Unauthenticated role with any host, any port on the untrusted side, and allow any host with the following TCP & UDP port numbers mentioned below if your login domain has one parent and many child servers. If not, you can create a policy for a specific server by allowing the below-mentioned TCP/UDP port numbers on the trusted side.
Allowing Authentication Server Traffic for Windows Domain Authentication
If you want users on the network to be able to authenticate to a Windows domain prior to authenticating to the Cisco NAC Appliance, the following minimum policies allow users in the Unauthenticated role access to AD (NTLM) login servers:
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
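An added example (not from this thread or from Cisco's guide) that parses the policy lines above, reports which of the required rules are missing from a configured set (the asker's first attempt had no UDP rules), and optionally tests TCP reachability of the DC from an unauthenticated client; the DC address is a placeholder and the policy text is a constructed copy of the list above.

```python
import re
import socket
from typing import Dict, List, Tuple

# Constructed copy of the policy list from the answer above, in the CAM "Allow PROTO src dst:port" form.
REQUIRED_POLICY = """
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
"""

POLICY_RE = re.compile(r"^Allow\s+(TCP|UDP)\s+\*:\*\s+\S+/255\.255\.255\.255:\s*(\d+)$")

def parse_policy(text: str) -> List[Tuple[str, int]]:
    """Turn policy lines into (protocol, port) tuples; unknown lines are an error."""
    rules = []
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised policy line: {line!r}")
        rules.append((m.group(1), int(m.group(2))))
    return rules

def missing_rules(configured: str, required: str = REQUIRED_POLICY) -> List[Tuple[str, int]]:
    """Required (proto, port) rules absent from the configured Unauthenticated-role policy."""
    have = set(parse_policy(configured))
    return [r for r in parse_policy(required) if r not in have]

def check_tcp_reachability(dc_host: str, policy: str = REQUIRED_POLICY,
                           timeout: float = 2.0) -> Dict[int, bool]:
    """From a client in the Unauthenticated role, try a TCP connect to each TCP port in the policy.
    UDP rules (Kerberos on UDP 88 in particular) cannot be verified this way and are skipped."""
    results: Dict[int, bool] = {}
    for proto, port in parse_policy(policy):
        if proto != "TCP":
            continue
        try:
            with socket.create_connection((dc_host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results

if __name__ == "__main__":
    print(check_tcp_reachability("DC_ADDRESS_PLACEHOLDER"))  # replace with the real DC address
```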
03-07-2008 01:21 AM
Thanks a lot. It works!!!
In my first config I didn't include the UDP ports.
One more question.
In my purchase I bought two servers, one was to be a failover. I didn't know about CAM. I decided to use the failover server as the CAM and the other as the CAS. I had only one PAK for the server, for 250 users. To start the configuration
I decided to download the evaluation version, which includes licenses for both CAS and CAM. Now my NAC is working and I want to deploy it on the live network, and the evaluation version is about to expire. My question is, should I buy another license for the CAM, or can I use the PAK I have to request a license for the CAM?
03-07-2008 06:54 AM
You can't purchase only two servers separately, surely you should have purchased CAM too, because most of the user-related configuration will be done on CAM... Just check with Cisco whether you have got the FO bundle license or whether it is for one CAM and one CAS.... You should have two PAKs, one for CAM and one for CAS...