CLEANACCESS Archives

November 2010

CLEANACCESS@LISTSERV.MIAMIOH.EDU

From: Rob Chee <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 12 Nov 2010 06:27:09 -0500

Antonio,

I've set this up successfully for a client using NAC 4.8 and Windows 2003
domain controllers.  They were running 4.8 and initially had the ktpass
command with the +DesOnly at the end.  When they introduced Windows 7
machines into the network we found that AD SSO did not work for those
computers.  At that time we followed the instructions in the guide you
posted.  We created another AD user to assign to the AD SSO portion of the
NAC server config.  The ktpass command used for this user did not have the
+DesOnly at the end.  We then changed the NAC Servers to use the new AD
user and everything worked correctly for both the Windows 7 and Windows XP
computers.

I have a little blog on why the +DesOnly is not required.
http://www.netcraftsmen.net/resources/blogs/cisco-nac-ad-sso-support-for-non-des-encryption-types.html

Are you sure the users had a valid Kerberos ticket?  You can use
kerbtray.exe on the end clients to verify that they weren't using cached
credentials...

Are you using ACLs to restrict the authentication VLAN?  I've seen cases
when one of the domain controllers was blocked by the authentication VLAN
ACL, which caused problems similar to what you're seeing...

------------------------------------------------------
Rob Chee, CCIE #8188 (R&S and Security)
Senior Network Consultant
Chesapeake NetCraftsmen, LLC.
Company Website:  http://www.netcraftsmen.net
My Blog:  http://www.netcraftsmen.net/resources/blogs/blogger/Rob%20Chee/
Mobile:  571-437-2829
------------------------------------------------------




On 11/10/10 7:59 AM, "Antonio Soares" <[log in to unmask]> wrote:

>I have a customer that is running 4.8. The upgrade to this release was made
>a few days ago. After running the procedure to support the Windows 7
>clients, we see that SSO is not working. We are using ktpass version
>5.2.3790.1830 and this is a Windows 2003 environment.
>
>The procedure is this one:
>
>http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452
>
>The problem is that the users do the Windows authentication and the NAC
>Agent window appears for login. SSO does not work for these users.
>
>Has anyone seen this problem before?
>
>
>Thanks.
>
>Regards,
>
>Antonio Soares, CCIE #18473 (R&S/SP)
>[log in to unmask]
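
The thread above traces the Windows 7 SSO failure to an account keyed with ktpass +DesOnly. As an added example (not part of either message or of Cisco's procedure), this Python check reads a keytab such as the one ktpass writes with -out and lists principals that hold only single-DES keys. It assumes the MIT 0x0502 keytab layout; the realm, principal names and key bytes in SAMPLE are constructed, and build_entry is a hypothetical helper used only to make that sample.

```python
import struct

DES_ETYPES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype)] from an MIT-format (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        (etype,) = struct.unpack_from(">H", data, p + 9)  # skip name type, timestamp, 8-bit kvno
        entries.append(("/".join(comps) + "@" + realm, etype))
        pos += size
    return entries

def des_only_principals(entries):
    """Principals for which every stored key is a single-DES type."""
    seen = {}
    for princ, etype in entries:
        seen.setdefault(princ, set()).add(etype)
    return sorted(p for p, etypes in seen.items() if etypes <= DES_ETYPES)

def build_entry(realm, comps, kvno, etype, key):  # builds constructed sample data only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical principals, dummy key bytes (etype 3 = DES, 23 = RC4-HMAC).
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.LOCAL", ["casuser_des", "cas1.example.local"], 3, 3, b"\0" * 8)
          + build_entry("EXAMPLE.LOCAL", ["casuser_new", "cas1.example.local"], 4, 23, b"\0" * 16))
```

Calling des_only_principals(parse_keytab(SAMPLE)) flags only the casuser_des principal; the RC4-HMAC entry passes.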
