CLEANACCESS Archives

May 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: "Speight, Howard" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 20 May 2008 14:02:34 -0400
We opened it up (as suggested in doc) to get it working, then tried
locking it back down... AD is using a random port in the upper range,
finally just allowed all traffic and limited access to DC...

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Justin Howell
Sent: Tuesday, May 20, 2008 13:13
To: [log in to unmask]
Subject: Re: AD SSO - required open ports?

Yeah, we had the same experience when we set things up. After hours of
troubleshooting with TAC we finally threw in the towel, allowed all
traffic to the DCs, and added ACLs to limit access. We never could
figure out why the logons would never complete; we never saw any traffic on
a sniff that looked like it was being blocked.

Justin Howell
Telecommunications Network Technician
Solano Community College

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Jay Patel
Sent: Tuesday, May 20, 2008 9:43 AM
To: [log in to unmask]
Subject: Re: AD SSO - required open ports?

It truly is a beast.  Are you using roaming profiles?

----
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Stempien, Dave
Sent: Tuesday, May 20, 2008 12:29 PM
To: [log in to unmask]
Subject: AD SSO - required open ports?

Does anyone have a definitive list of the ports required to be open in
the unauthenticated role for AD SSO to work?  I've opened the following
ports to our DCs per the suggestion of the Cisco documentation:

TCP 88 - Kerberos
TCP 135 - RPC
TCP 389 - LDAP
TCP 1025 - RPC
TCP 1026 - RPC

After doing some sniffing, I discovered that our DCs are also using UDP
for Kerberos and LDAP, so I opened the following:

UDP 88 - UDP-Kerberos
UDP 389 - UDP-LDAP

Also, per a previous suggestion by Cisco TAC, I also opened:

TCP 445 - SMB

Finally, ICMP and DNS are also allowed.

Currently, my test machine won't even completely log into the domain, let
alone perform SSO.  It's stuck at "Applying computer settings..."  If I
completely disable my unauthenticated policy (except for ICMP and DNS),
I can log into my test machine using cached credentials.

Has anyone else beaten this beast and care to share your experiences?

Thanks!

--
Dave Stempien, Network Security Engineer
University of Rochester Medical Center
Information Systems Division
(585) 784-2427
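The step everyone in the thread ended up doing by hand, sniffing client-to-DC traffic and comparing it with the unauthenticated-role allow-list, as an added example that is not part of the list thread or any Cisco tool. It assumes a constructed one-line flow format and placeholder DC addresses; the sample "sniff" is made up to show the two things a fixed port list cannot express: the dynamic RPC port handed out by the endpoint mapper (Howard's "random port in the upper range") and any UDP service not in the list.

```python
"""Compare sniffed DC-bound flows with the unauthenticated-role allow-list.
Added example, not from the thread: reports which DC ports clients really
hit that the ACL does not permit, and hints at the RPC dynamic-port case."""
from collections import Counter

# Allow-list as posted: Cisco-doc ports, the UDP additions, TAC's TCP 445,
# plus DNS.  ICMP has no port and is not modelled here.
ALLOWED = {
    ("tcp", 88), ("tcp", 135), ("tcp", 389), ("tcp", 1025), ("tcp", 1026),
    ("udp", 88), ("udp", 389), ("tcp", 445), ("tcp", 53), ("udp", 53),
}
DC_HOSTS = {"192.0.2.10", "192.0.2.11"}  # placeholder DC addresses (assumption)

def parse_flow(line):
    """Parse a constructed flow summary: 'proto src:sport > dst:dport'."""
    proto, rest = line.split(maxsplit=1)
    src, dst = rest.split(" > ")
    d_ip, d_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": src.rsplit(":", 1)[0],
            "dst": d_ip, "dport": int(d_port)}

def classify(flow):
    """Label a flow: not-dc, allowed, missing, or missing-rpc-dynamic."""
    if flow["dst"] not in DC_HOSTS:
        return "not-dc"
    if (flow["proto"], flow["dport"]) in ALLOWED:
        return "allowed"
    # TCP 135 is only the endpoint mapper; the RPC conversation then moves to
    # a dynamic high port, which fixed 1025/1026 entries cannot cover.
    if flow["proto"] == "tcp" and flow["dport"] > 1024:
        return "missing-rpc-dynamic"
    return "missing"

def audit(lines):
    """Return {label: Counter((proto, dport))} over all non-empty lines."""
    report = {}
    for line in lines:
        if line.strip():
            f = parse_flow(line)
            report.setdefault(classify(f), Counter())[(f["proto"], f["dport"])] += 1
    return report

# Constructed sample sniff of one client logging on (not real capture data).
SAMPLE = """udp 192.0.2.50:50123 > 192.0.2.10:53
tcp 192.0.2.50:49200 > 192.0.2.10:88
udp 192.0.2.50:49201 > 192.0.2.10:88
udp 192.0.2.50:49202 > 192.0.2.10:389
tcp 192.0.2.50:49203 > 192.0.2.10:135
tcp 192.0.2.50:49204 > 192.0.2.10:49157
tcp 192.0.2.50:49205 > 192.0.2.10:445
udp 192.0.2.50:49206 > 192.0.2.10:123
tcp 192.0.2.50:49207 > 198.51.100.7:80""".splitlines()
```

Run `audit(SAMPLE)` and print the result: everything the thread's list covers lands under "allowed", while the TCP 49157 flow shows up as "missing-rpc-dynamic" and UDP 123 as "missing", which is exactly the kind of traffic to look for on a sniff before loosening the role to "all traffic to the DCs".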
