I have configured CAS and CAM. I want my users to authenticate using AD SSO. I have followed all procedures outlined in the CAM
configuration guide(allow access to AD on Unauthenticated role, create the cas user, run the ktpass command etc.). The AD SSO service run successfully and i can telnet the CAS on port 8910. My problem is when users login in the domain, AD SSO is not performed(they are asked for usernane and password). Using kerbtray i realised that they are not getting kerberos tickets. I tried to allow ICMP in the Unauthenticated role but when a user complete to login to the PC i cant ping the DC but when the Agent pops up and enter the password for a user created in the CAM i can ping the DC but not any other system on the network. Local accounts in the CAM can login successfully. Any idea please!
hey you can call me i can help u out if u wanted... my no is 91-9282241257
You need to create policy in unauthenticated role with any host any ports in untrused side and allow any host with the following port tcs & upd port numbers mentioned below, if your login domain has one parent and many child servers. if not u can create policy for sepcific server by allowing the below mentioned tcp/udp port number in trusted side
Allowing Authentication Server Traffic for Windows Domain Authentication
If you want users on the network to be able to authenticate to a Windows domain prior to authenticating to the Cisco NAC Appliance, the following minimum policies allow users in the Unauthenticated role access to AD (NTLM) login servers:
In my purchase i purchased two servers, one was to be a fail over. I dint know about CAM. I decided to use the fail over server as the CAM and the other as CAS. I had only 1 PAK for the server for 250 users. To start the configuration
i decided to download the evaluation version which include license for both CAS and CAM. Now my NAC is working and i want to deploy it on the live network and the evaluation version is about to expire. My question is, should i buy another licence for the CAM or i can use the PAK i have to request for license for the CAM?
you cant purchase only two servers separately, surely you should have purchased cam too. because most of the user related configuration will be done on cam... jus check with cisco whether you have got the fo bundle license or whether it is for one cam and one cas.... you should have two pak.. one for cam and one for cas...