Error with GPOs on Cisco NAC

Unanswered Question
Aug 10th, 2007

I have Cisco NAC deployed in-band; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC in-band, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas...?

Joshua Warcop Mon, 08/13/2007 - 05:45

This is actually a very similar scenario to the one I'm in right now; I just haven't turned anything on yet. I am quite confused as well about how machine GPOs/computer startup scripts would run behind a NAC-controlled port.

I was thinking of doing what you did by allowing the unauthenticated role access to the domain controllers, but I guess that didn't work either.

I'm working in an OOB-VG CAS/CAM and using SNMP MAC notification back to the CAM.

Joshua Warcop Wed, 08/15/2007 - 13:28

I think the ports list in the CAS manual is not complete. Try this list of ports from the CAM manual chapter "User Management: Traffic Control, Bandwidth, Schedule":

Allow TCP *:* Server/88
Allow UDP *:* Server/88
Allow TCP *:* Server/389
Allow UDP *:* Server/389
Allow TCP *:* Server/445
Allow UDP *:* Server/445
Allow TCP *:* Server/135
Allow UDP *:* Server/135
Allow TCP *:* Server/3268
Allow UDP *:* Server/3268
Allow TCP *:* Server/139
Allow TCP *:* Server/1025
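The following is an added check, not code from the thread or from Cisco. Run it on a Windows client while it is still in the CAS unauthenticated role: it tries a TCP connect from the client to each domain controller on every port in the list above, plus DNS (53), which GPO processing needs for the _ldap._tcp SRV lookups and which the CAM list does not mention. The domain controller names in $DomainControllers and the 2000 ms timeout are assumptions; replace them with your own. TCP 1025 was the fixed RPC dynamic port on Windows 2000/2003 era domain controllers; Server 2008 and later allocate from 49152-65535, so on those a single-port test is only a rough indicator.

```powershell
# Added example (not from the post or the Cisco manual): from a client in the
# unauthenticated role, test TCP reachability of each DC on the CAM-listed
# ports plus DNS. Server names and the timeout are assumptions.
$DomainControllers = @('dc1.example.local', 'dc2.example.local')   # assumed names

$Ports = @{
    53   = 'DNS (not in the CAM list; needed for SRV record lookups)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON, where GPO files live)'
    1025 = 'RPC dynamic port on Win2000/2003 DCs (49152-65535 on 2008+)'
    3268 = 'Global Catalog'
}

# Returns $true when a TCP handshake to $Server:$Port completes within the timeout.
function Test-DcPort {
    param(
        [string]$Server,
        [int]$Port,
        [int]$TimeoutMs = 2000   # assumed value
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false   # no SYN/ACK in time: filtered by the CAS role or the host
        }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false       # refused or unresolvable name
    } finally {
        $client.Close()
    }
}

foreach ($dc in $DomainControllers) {
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        $state = if (Test-DcPort -Server $dc -Port $port) { 'open' } else { 'FAIL' }
        '{0,-24} {1,5}  {2,-4}  {3}' -f $dc, $port, $state, $Ports[$port]
    }
}

# After the table shows every row open, force a refresh and read the result:
#   gpupdate /force
#   gpresult /r
# Failures are logged under Applications and Services Logs > Microsoft >
# Windows > GroupPolicy > Operational in Event Viewer.
```

Only TCP is exercised; the UDP rows in the CAM list (Kerberos and LDAP over UDP in particular) cannot be checked with a connect test, so a row that reads open here still leaves UDP filtering as a possible cause. Note also what the rule set above implies: it exposes SMB, NetBIOS and RPC on every domain controller to hosts that have not yet passed posture assessment, so keep the Server side of each rule pinned to the DC addresses rather than widening it to a subnet.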