05-28-2009 03:46 AM - edited 02-21-2020 03:29 AM
I have implemented Cisco NAC in In-Band mode (Virtual Gateway). We are still testing the features before deploying it in the customer
network. I have the following observations:
1. NAC Integration with Active Directory for SSO
The integration was done successfully, but I have a doubt about the user roles: in the document guiding the configuration
the role is applied to the Unauthenticated role, while I have created a role called "users". When the user logs in through SSO I can see the
user online in the Unauthenticated role. Is this correct? How do I make the user connect to his own role (the "users" role)?
2. When the user is connected to the network through SSO, I closed the agent on the desktop, but the browser and network resources
are still accessible. Is this normal?
3. Which exact ports need to be opened (TCP & UDP) for integrating NAS with AD SSO, bearing in mind I have a proxy on the network?
The ports in the NAS documents seem not to be enough for full communication.
4. The user cannot browse the internet unless I allow the proxy IP from the Unauthenticated role.
5. When the user has successfully logged on to the network through SSO, why does the browser keep redirecting to install the Clean Access Agent?
05-28-2009 05:05 AM
1.) Nope not correct. Your mappings are not working correctly. Go to User Management > Auth Servers > and click the Mapping Rules Tab.
2.) This could be normal behavior if you have allowed those accesses to the unauthenticated role. Go to User Management > User Roles > click the traffic control tab. If you didn't allow it there, verify the MAC and/or IP address is not "whitelisted". Go to Device Management > and click the devices tab. If neither of these allow the client, they may not be set up to go through the Clean Access server. Verify your VLAN mappings are correct. Go to Device Management > CCA Servers > Manage the appropriate server > click advanced > click managed subnet.
3.) Agree. They may not be enough. I recommend using wireshark or similar network sniffer on a host behind the CAS and sniff traffic going to and from the client. You may likely find a port that should be open that is not. Remember by default everything is allowed from a trusted source (DC) to the untrusted source (client) so you probably only need to look at sniffing the client side of the connection. Look for attempts to connect to your DC(s) IP address from the client where the port is not allowed through traffic rules mentioned in #2.
4.) They should not be allowed to browse until moving from unauthenticated to another more trusted role. If they can't browse it means they are not getting placed into the correct role. Again I reference #2 answers above.
5.) It should not. Verify the user after authenticating is not still being placed into the incorrect role. See answers to question 1 above.
Please rate answers if they are helpful.
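The troubleshooting approach in answer #3 (sniff the client side, then look for connection attempts to the DC on ports the unauthenticated-role traffic rules do not allow) can be automated. The script below is an added example, not Cisco code or anything from this thread; the DC addresses, allow rules and capture lines are all constructed, and the capture format is a simplified "src -> dst proto dport" line such as one might export from tshark, not real CAS output.

```python
"""Report client-to-DC connection attempts that no allow rule covers.
Added troubleshooting helper (not Cisco code); all inputs are constructed."""
from collections import defaultdict

# Assumed domain controller addresses (constructed).
DC_ADDRS = {"10.0.0.10", "10.0.0.11"}

# Assumed allow rules from User Management > User Roles > Traffic Control
# for the unauthenticated role, as (protocol, destination port) pairs (constructed).
ALLOW_RULES = {("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 445)}


def parse_capture(lines):
    """Parse constructed lines of the form '<src> -> <dst> <proto> <dport>'.
    Malformed lines are skipped rather than aborting the whole run."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[1] != "->":
            continue
        src, _, dst, proto, dport = parts
        try:
            flows.append((src, dst, proto.lower(), int(dport)))
        except ValueError:
            continue  # non-numeric port field
    return flows


def blocked_dc_ports(flows, dc_addrs=DC_ADDRS, allow=ALLOW_RULES):
    """Return {(proto, port): attempt_count} for traffic to a DC that
    matches no allow rule; these are the candidates to add to the role."""
    counts = defaultdict(int)
    for _src, dst, proto, dport in flows:
        if dst in dc_addrs and (proto, dport) not in allow:
            counts[(proto, dport)] += 1
    return dict(counts)


SAMPLE_CAPTURE = [  # constructed sample capture lines
    "10.1.1.50 -> 10.0.0.10 UDP 53",
    "10.1.1.50 -> 10.0.0.10 TCP 88",
    "10.1.1.50 -> 10.0.0.10 TCP 135",
    "10.1.1.50 -> 10.0.0.10 TCP 135",
    "10.1.1.50 -> 10.0.0.11 UDP 123",
    "10.1.1.50 -> 192.0.2.80 TCP 80",  # not a DC, ignored
    "garbage line",
]

if __name__ == "__main__":
    report = blocked_dc_ports(parse_capture(SAMPLE_CAPTURE))
    for (proto, port), n in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{proto}/{port}: {n} attempt(s) to a DC with no matching allow rule")
```

Run it against your own export and compare the reported ports with the documented list before adding rules, since a flow to the DC may also belong to software unrelated to SSO.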