cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

699
Views
0
Helpful
6
Replies
jmanzur1683
Beginner

Problem with NAC and Active Directory

Hi.

Please I need help.

I have my server with the "Active Directory SSO" started, but when a user try to connect to the network with his credentials that have in the Active Directory, the agent PC say that "Invalid username and password"

My server is listening by the port 8910.

I have conectivity with the cas and the active directory.

the command kpass runs sucessfully.

Thks.

1 ACCEPTED SOLUTION

Accepted Solutions
Faisal Sehbai
Rising star

Jorge,

If service is running, then you need to focus on the client/AD communication and see where the break is happening.

Can you make sure that in the Unauthenticated Role, you have all the required TCP/UDP ports open, along with ICMP and IP FRAGMENTS to all your Domain Controllers?

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

View solution in original post

6 REPLIES 6
Faisal Sehbai
Rising star

Jorge,

If service is running, then you need to focus on the client/AD communication and see where the break is happening.

Can you make sure that in the Unauthenticated Role, you have all the required TCP/UDP ports open, along with ICMP and IP FRAGMENTS to all your Domain Controllers?

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

View solution in original post

Like Faisal said, you've got to open a bunch of ports to each AD domain controller for AD SSO to work.  It's like 8 or so ports, some TCP, some UDP.

Yes I have the following ports open. In the Unauthenticated role

TCP: 88,135,389,445,636,1025,1026

UDP: 0,8,88,123,137,389,636,3268,8910

And I have the same problem.

I have to mention that the command "netstat -a | grep 8910"  is not listening, but in the server the service of Active Directory is stared.

Thks!!

:88,135,389,445,636,1025,1026,8910
:88,135,389,445,636,1025,1026,8910
:88,135,389,445,636,1025,1026,8910

Hmm... what's your deployment model?  Inband, OOB, real-ip gateway, etc?  Also, can you authenticate w/o the use of AD SSO (such as via RADIUS to an ACS box).


David.

You mean the CAS is not listening on 8910 or your DC is not listening on 8910?

Not that this will solve your problem but try 'nestat -an | grep 8910', it is probably translating it to the name of the port.

Do you have a auth server of type active directory (non-sso)? See if that works, otherwise we probably need to start by looking at the agent logs from a host attempting SSO.

Thank you all.

was a certificate problem. but the funny thing is that even I do not listen on port 8910.

Content for Community-Ad