CLEANACCESS Archives

April 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: CLEANACCESS Digest - 23 Apr 2009 to 24 Apr 2009 (#2009-77)
From:
"Riegert, Timothy J." <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Mon, 27 Apr 2009 13:25:18 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (81 lines) 
Not sure if anyone has already discussed this / investigated, but we had to enable DCERPC inspection on our Cisco FWSM when we started locking down communications to the Domain Controllers. Perhaps, there is some epmap port-hopping going on. If this is the case, you could place the DCs behind a firewall, enable the DCERPC application inspection on the firewall, and then permit ALL TRAFFIC to the DCs at the NAC appliance.

Full disclosure: We haven't deployed to our academic campus yet, so this is just mere speculation.

Thoughts?


-Tim

Tim Riegert
Towson University
Network Engineer



-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Daniel Sichel
Sent: Monday, April 27, 2009 11:43 AM
To: [log in to unmask]
Subject: Re: CLEANACCESS Digest - 23 Apr 2009 to 24 Apr 2009 (#2009-77)

>Does anyone have a list of TCP\UDP ports that need to be allowed for a
>PC to be part of a Windows domain.  The PCs are behind Clean Access and
>are filtered in a group.  The DC is not behind CA so we've created a
>rule to allow certain ports to be open to communicate back and forth
>with the DC's subnet.  Joining the domain has been remedied but we are
>not getting Group Policies and other domain functions to propagate
>properly.  Anyone who can shed some light would be much appreciated.


I believe the following is recommended
Port 88 tcp and udp
Port 389 tcp and udp
Port 445 tcp and udp
Port 135 tcp and udp
Port 139 tcp

Cisco also lists port 1025 TCP and 3268 tcp and udp, I  am not sure why.
I would also add ports 137 and 138 TCP and UDP, plus, as discussed
below, ICMP traffic to DCs.

You will not get group policies to propagate properly even using the
Cisco
provided checkbox to do a policy update (at least in version 4.5). The
only solution
that we have found is to allow all ip traffic to our DCs. I cannot find
what 
exactly Microsoft is doing even using packet traces, but I did see that
you MUST allow ICMP traffic to the DC
for group policy to happen. Heaven knows why. Also don't forget your
WSUS server. This all means you can't use
Cisco's solution for delaying login (which doesn't really work anyway,
so small loss there). I really wish that I 
Could also get a list of traffic GENUINELY REQUIRED for AD stuff to
work. My guess is that there is a bug in
Clean Access that is not really letting through traffic correctly when
specific ports are delineated, but that
Works fine with the wildcard. However there are not enough hours in the
day to do even more testing for Cisco. 

It is quite clear that their testing of Clean Access in an AD
environment is completely inadequate. Don't expect
That to change any time soon. 

Another thing I just found out (last week) is that netbios (even over
tcp/ip) takes a VERY long time to
Discover shares, so you have to allow a LONG time after the workstation
comes onto the access VLAN
For some shares to appear. This has caused us significant pain and on
top of that, many shortcuts, 
(especially in toolbars for some reason) seem to break.

I have been fighting this for three years, and only recently have I
finally got this working well enough 
To turn my users loose on it. If you use roaming profiles, you will have
even more headaches.

Cheers,

Dan Sichel

ATOM RSS1 RSS2