02-03-2011 07:42 AM - edited 02-21-2020 04:14 AM
We have a NAC appliance in-band working on a wireless network against AD;
wireless Windows users are authenticated perfectly.
Recently, domain administrators have changed the policy for AD user accounts, and this forces them to change their password every 2 months. But when all domain users are instructed to change their password at next logon, all the other users, who use the wired network without NAC, can change it, while users who use the wireless network through the NAC cannot, and therefore can no longer validate against AD. I have to connect them by cable to change it, and only then do they work through the wireless network.
Note: all the wireless Windows users' credentials must have been cached locally on the laptop previously, using a cable, because if not they could never open their desktop.
Does anyone have an idea about the solution?
02-03-2011 09:08 AM
Hi e.bayon,
I think to solve your problem you'll have to create a traffic policy for unauthenticated users to the domain controller/AD server. The thing would be to determine the ports that AD uses to issue password change requests and allow that traffic through.
I'll do a quick search on those port numbers and tell you what I find.
The easy interim solution is to allow all traffic to the AD server but it's not very security-friendly =]
~Xavier
02-03-2011 09:12 AM
I found this paragraph in the following article. These MIGHT be the ports you need to unblock.
http://support.microsoft.com/kb/832017
The Net Logon system service maintains a security channel between your computer and the domain controller to authenticate users and services. It passes the user's credentials to a domain controller and returns the domain security identifiers and the user rights for the user. This is typically referred to as pass-through authentication. Net Logon is configured to start automatically only when a member computer or domain controller is joined to a domain. In the Windows 2000 Server and Windows Server 2003 families, Net Logon publishes service resource locator records in the DNS. When this service runs, it relies on the WORKSTATION service and on the Local Security Authority service to listen for incoming requests. On domain member computers, Net Logon uses RPC over named pipes. On domain controllers, it uses RPC over named pipes, RPC over TCP/IP, mailslots, and Lightweight Directory Access Protocol (LDAP).
System service name: Netlogon
Application protocol | Protocol | Ports |
NetBIOS Datagram Service | UDP | 138 |
NetBIOS Name Resolution | UDP | 137 |
NetBIOS Session Service | TCP | 139 |
SMB | TCP | 445 |
LDAP | UDP | 389 |
RPC¹ | TCP | 135, random port number between 1024 - 65535; 135, random port number between 49152 - 65535² |
¹ For more information about how to customize this port, see the "Domain controllers and Active Directory" section in the "References" section.
² This is the range in Windows Server 2008 and in Windows Vista.
Note The Net Logon service uses RPC over named pipes for down-level clients. This service has the same firewall requirements as those of the "File and Printer Sharing" feature.
I'm no Microsoft expert at all, but I hope it helps (even a little bit).
~Xavier
02-03-2011 09:15 AM
Actually, come to think of it... these are all the same ports you unlock for AD-SSO anyway... bah. Back to square one I guess, lol.
Sorry =P
02-03-2011 10:50 AM
Hello,
It seems that some port used by the client to connect to AD is not allowed to pass through the NAS when the user is using the wireless network before authentication.
Make sure that all ports listed in the configuration guide are allowed.
Best Regards
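As an added illustration (not code from this thread or from the NAC product) of what "allow only the listed ports" versus "allow all traffic to the AD server" means for the unauthenticated-role policy: the Netlogon rows quoted from KB 832017 above are modelled as rules, and constructed sample client-to-DC flows are checked against them. The `Rule` class, `netlogon_policy`, `evaluate`, `exposure` and the sample flows are all assumptions made for this example.

```python
# Added example: model a NAC unauthenticated-role traffic policy for the
# Netlogon ports quoted in the thread and check sample flows against it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    lo: int     # first port in the range
    hi: int     # last port in the range (inclusive)

    def matches(self, proto, port):
        return proto == self.proto and self.lo <= port <= self.hi


def netlogon_policy(modern_rpc_range=True):
    """Only the Netlogon rows quoted above (other AD services have their own
    rows in the KB). Vista/2008 use 49152-65535 for the dynamic RPC range;
    older Windows versions used 1024-65535."""
    rpc_lo = 49152 if modern_rpc_range else 1024
    return [
        Rule("udp", 137, 137),       # NetBIOS name resolution
        Rule("udp", 138, 138),       # NetBIOS datagram service
        Rule("tcp", 139, 139),       # NetBIOS session service
        Rule("tcp", 445, 445),       # SMB
        Rule("udp", 389, 389),       # LDAP
        Rule("tcp", 135, 135),       # RPC endpoint mapper
        Rule("tcp", rpc_lo, 65535),  # RPC dynamic port range
    ]


# The "easy interim solution" from the thread: everything to the DC is open.
ALLOW_ALL = [Rule("tcp", 0, 65535), Rule("udp", 0, 65535)]


def evaluate(policy, flows):
    """Return the (proto, port) flows the policy would NOT permit."""
    return [f for f in flows if not any(r.matches(*f) for r in policy)]


def exposure(policy):
    """Number of distinct (proto, port) pairs a policy opens to the DC."""
    return len({(r.proto, p) for r in policy for p in range(r.lo, r.hi + 1)})


# Constructed sample flows from a wireless client to the DC during logon and
# a password change: endpoint mapper, dynamic RPC ports, SMB and LDAP.
SAMPLE_FLOWS = [("tcp", 135), ("tcp", 49200), ("tcp", 445),
                ("udp", 389), ("tcp", 1025)]

if __name__ == "__main__":
    print("blocked (modern range):", evaluate(netlogon_policy(), SAMPLE_FLOWS))
    print("opened by allow-all:", exposure(ALLOW_ALL), "vs", exposure(netlogon_policy()))
```

The blocked flow on TCP 1025 shows the failure mode to look for when a client is older than Vista/2008 and the policy only opens the newer dynamic range.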
02-03-2011 11:57 PM
Hi, again and many thanks to all people.
We've opened all TCP and UDP ports in the unauthenticated role traffic policy from the wireless client network to all AD controller servers.
The problem is not getting the first wireless connection and user authentication from the laptop to the Windows domain, because we get that by connecting the laptop to the network with a cable; afterwards the user credentials are cached on the laptop, and from that moment all further wireless connections from the laptop to the Windows domain work fine.
The problem is when the domain password policy kicks in and asks users to change their password: the wired PC domain users can do it, but the wireless users cannot, because the WiFi connection works, but the CCA Agent passes the old cached credentials to AD, they don't match the new domain account policy, and the customer never sees on his laptop screen a pop-up from AD to change from the old password to the new one.
That is basically the issue.
02-04-2011 05:38 AM
Well, I know that version 4.8.0 has an option to refresh the Windows domain group policy after login with the agent, if that would somehow help; I suggest you look into upgrading your NAC system software.
02-07-2011 01:48 AM
Hi, the NAC version 4.7.2 has the same option that you mentioned from 4.8.0, and it has been checked from the beginning of the deployment, but it doesn't fix our problem.
Many thanks.