
NAC 4.7.1 ADSSO can't work on client

beckman.yang
Level 1

Dear Sir,

I used NAC 4.7.1 and configured AD SSO with Windows 2k Server. (LDAP auth is OK.)

The SSO service is running on CAS, but the TCP/8910 port is not listening.

How should I open the TCP/8910 port, and how do I fix it?

10 Replies

Faisal Sehbai
Level 7

Yang,

That should be available when the SSO service is started. Is the SSO service running?

Have you bounced the perfigo service, or the server itself?

Thanks,

Faisal

Dear Sir,

The ADSSO service is running. I tried a service restart on CAS, but it doesn't work on the client.

thanks

Hi,

If SSO service is running, then the next thing you have to look at (if it's failing at the agent) is the ports that are open in the unauthenticated role.

Can you post a listing of those?

Can you also post the output of the following command from your CAS: nslookup <your_domain_name>, where your_domain_name is the domain name you're trying to do SSO against.

Faisal    

Dear Sir,

fyi

thanks

Hi,

Two things:

- One of your DCs being returned when we do an nslookup is a 169.254 address. This means that one of your DCs has DHCP enabled on one of its interfaces and that is also being registered in your AD as a DC. This will cause problems for you, so best to have your AD cleaned up.

- You posted the netstat output. I was looking for the unauthenticated role policies. To get those, go to the CAM GUI, and click on User Roles, Traffic policies, choose unauthenticated role and hit select. The resulting page is what I wanted to see.

Faisal

Dear Sir,

fyi

thanks

Hello,

Please open traffic to ALL your DCs, and not just one, and try again.

If that doesn't work, try opening ALL IP in the unauthenticated role (just for testing) and see if AD SSO succeeds.

Faisal

Hi Faisal,

I have the same problem and you can see the nslookup result from my CAS.

Now I was able to start the ADSSO service on CAS, but I couldn't see port 8910 open on CAS.

thanks a lot

Daniel,

The screen shot shows the SSO service not starting. Post your CAS logs so we can see why.

Faisal

Faisal,

thanks for your attention,

We had two problems. First of all, our AD domain had an incorrect number of IP addresses; there were more IP addresses than necessary, so first we did a clean-up there. The second thing was that I saw machines that couldn't do AD SSO because the Kerberos ticket did not appear on the machine. I used the Kerbtray program to check this, and I could figure out that there were some UDP ports that were not open.

After this everything works fine.

thanks a lot
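
Added example, not part of any post in this thread: a Python sketch of the DNS check discussed above, which lists the addresses nslookup returns for the AD domain and separates self-assigned (169.254.x.x) records from the DC addresses that need to be reachable from the unauthenticated role. The domain name `corp.example` and every address in the sample output are constructed.

```python
import ipaddress

# Constructed sample: Linux-style `nslookup corp.example` output (not from the thread).
SAMPLE_NSLOOKUP = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Name:\tcorp.example
Address: 10.10.1.10
Name:\tcorp.example
Address: 10.10.1.11
Name:\tcorp.example
Address: 169.254.23.7
"""

def answer_addresses(nslookup_output):
    """Return the IPs in the answer section, skipping the resolver's own address."""
    addrs, in_answer = [], False
    for line in nslookup_output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            in_answer = True          # everything before the first Name: is the resolver
        elif key == "address" and in_answer:
            try:
                addrs.append(ipaddress.ip_address(value))
            except ValueError:
                continue              # e.g. "192.0.2.53#53" or other non-IP text
    return addrs

def audit_dc_records(nslookup_output):
    """Split the answers into usable DC addresses and records that should not be in DNS."""
    usable, stale = [], []
    for ip in answer_addresses(nslookup_output):
        # 169.254.0.0/16 and fe80::/10 are self-assigned and not routable off-segment.
        if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
            stale.append(str(ip))
        else:
            usable.append(str(ip))
    return usable, stale

if __name__ == "__main__":
    usable, stale = audit_dc_records(SAMPLE_NSLOOKUP)
    print("DC addresses to allow in the unauthenticated role:", ", ".join(usable))
    print("Records to clean out of AD DNS:", ", ".join(stale) or "none")
```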
