Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1033
Views
0
Helpful
6
Replies

Problem with NAC and Active Directory

Go to solution
jmanzur1683
Level 1
Level 1

‎10-21-2010 03:46 PM - edited ‎02-21-2020 04:07 AM

Hi.

Please I need help.

I have my server with the "Active Directory SSO" started, but when a user try to connect to the network with his credentials that have in the Active Directory, the agent PC say that "Invalid username and password"

My server is listening by the port 8910.

I have conectivity with the cas and the active directory.

the command kpass runs sucessfully.

Thks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Faisal Sehbai
Level 7
Level 7

‎10-21-2010 08:43 PM

Jorge,

If service is running, then you need to focus on the client/AD communication and see where the break is happening.

Can you make sure that in the Unauthenticated Role, you have all the required TCP/UDP ports open, along with ICMP and IP FRAGMENTS to all your Domain Controllers?

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Faisal Sehbai
Level 7
Level 7

‎10-21-2010 08:43 PM

Jorge,

If service is running, then you need to focus on the client/AD communication and see where the break is happening.

Can you make sure that in the Unauthenticated Role, you have all the required TCP/UDP ports open, along with ICMP and IP FRAGMENTS to all your Domain Controllers?

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

0 Helpful

Go to solution
csmgdswafford
Level 1
Level 1
In response to Faisal Sehbai

‎10-27-2010 11:43 AM

Like Faisal said, you've got to open a bunch of ports to each AD domain controller for AD SSO to work.  It's like 8 or so ports, some TCP, some UDP.

0 Helpful

Go to solution
jmanzur1683
Level 1
Level 1
In response to csmgdswafford

‎10-27-2010 03:38 PM

Yes I have the following ports open. In the Unauthenticated role

TCP: 88,135,389,445,636,1025,1026

UDP: 0,8,88,123,137,389,636,3268,8910

And I have the same problem.

I have to mention that the command "netstat -a | grep 8910"  is not listening, but in the server the service of Active Directory is stared.

Thks!!

:88,135,389,445,636,1025,1026,8910
:88,135,389,445,636,1025,1026,8910
:88,135,389,445,636,1025,1026,8910
0 Helpful

Go to solution
csmgdswafford
Level 1
Level 1
In response to jmanzur1683

‎10-28-2010 04:22 AM

Hmm... what's your deployment model?  Inband, OOB, real-ip gateway, etc?  Also, can you authenticate w/o the use of AD SSO (such as via RADIUS to an ACS box).


David.

0 Helpful

Go to solution
Elly Bornstein
Cisco Employee
Cisco Employee
In response to jmanzur1683

‎10-28-2010 12:26 PM

You mean the CAS is not listening on 8910 or your DC is not listening on 8910?

Not that this will solve your problem but try 'nestat -an | grep 8910', it is probably translating it to the name of the port.

Do you have a auth server of type active directory (non-sso)? See if that works, otherwise we probably need to start by looking at the agent logs from a host attempting SSO.

0 Helpful

Go to solution
jmanzur1683
Level 1
Level 1
In response to Elly Bornstein

‎11-23-2010 11:36 AM

Thank you all.

was a certificate problem. but the funny thing is that even I do not listen on port 8910.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card