AD SSO problem on NAC configuration

Mar 6th, 2008
I have configured CAS and CAM. I want my users to authenticate using AD SSO. I have followed all procedures outlined in the CAM configuration guide (allow access to AD in the Unauthenticated role, create the cas user, run the ktpass command etc.). The AD SSO service runs successfully and I can telnet to the CAS on port 8910. My problem is that when users log in to the domain, AD SSO is not performed (they are asked for username and password). Using kerbtray I realised that they are not getting Kerberos tickets. I tried to allow ICMP in the Unauthenticated role, but when a user completes the login to the PC I can't ping the DC; when the Agent pops up and I enter the password for a user created in the CAM, I can ping the DC but not any other system on the network. Local accounts in the CAM can log in successfully. Any idea please!

gopinath.krishn... Thu, 03/06/2008 - 09:30
You need to create a policy in the Unauthenticated role with any host, any port on the untrusted side, and allow any host with the TCP and UDP port numbers mentioned below on the trusted side if your login domain has one parent and many child servers. If not, you can create a policy for a specific server by allowing the below-mentioned TCP/UDP port numbers on the trusted side.

Allowing Authentication Server Traffic for Windows Domain Authentication

If you want users on the network to be able to authenticate to a Windows domain prior to authenticating to the Cisco NAC Appliance, the following minimum policies allow users in the Unauthenticated role access to AD (NTLM) login servers:

Allow TCP *:* Server/ 88
Allow UDP *:* Server/ 88
Allow TCP *:* Server/ 389
Allow UDP *:* Server/ 389
Allow TCP *:* Server/ 445
Allow UDP *:* Server/ 445
Allow TCP *:* Server/ 135
Allow UDP *:* Server/ 135
Allow TCP *:* Server/ 3268
Allow UDP *:* Server/ 3268
Allow TCP *:* Server/ 139
Allow TCP *:* Server/ 1025
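As an added illustration (not code from the thread or from the NAC guide), the check below parses role-policy lines written in the "Allow TCP *:* Server/ 88" shape the guide uses and reports which of the minimum AD login rules are absent, which catches the TCP-only gap described in the follow-up. The line format is an assumption about how the policy would be exported, and the sample policy is constructed.

```python
import re
from typing import List, Set, Tuple

# Minimum Unauthenticated-role rules from the NAC guide passage quoted in
# the answer above, as (protocol, destination port) pairs.
REQUIRED_AD_LOGIN_RULES: Set[Tuple[str, int]] = {
    ("TCP", 88), ("UDP", 88),      # Kerberos
    ("TCP", 389), ("UDP", 389),    # LDAP
    ("TCP", 445), ("UDP", 445),    # SMB / directory services
    ("TCP", 135), ("UDP", 135),    # RPC endpoint mapper
    ("TCP", 3268), ("UDP", 3268),  # Global Catalog
    ("TCP", 139),                  # NetBIOS session service
    ("TCP", 1025),                 # RPC high port used by older Windows DCs
}

# Matches the "Allow TCP *:* Server/ 88" shape used in the guide (assumed
# export format); "Server" stands for the domain controller, the number is its port.
RULE_RE = re.compile(
    r"^\s*(Allow|Block)\s+(TCP|UDP)\s+(\S+)\s+(\S+?)/\s*(\d+)\s*$", re.IGNORECASE
)

def parse_allowed(policy_text: str) -> Set[Tuple[str, int]]:
    """Collect (proto, dst_port) pairs from Allow lines; anything else is ignored."""
    allowed: Set[Tuple[str, int]] = set()
    for line in policy_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1).lower() == "allow":
            allowed.add((m.group(2).upper(), int(m.group(5))))
    return allowed

def missing_ad_login_rules(policy_text: str) -> List[Tuple[str, int]]:
    """Required rules the role policy lacks, sorted by port then protocol."""
    gap = REQUIRED_AD_LOGIN_RULES - parse_allowed(policy_text)
    return sorted(gap, key=lambda r: (r[1], r[0]))

# Constructed sample: a TCP-only policy like the poster's first attempt.
TCP_ONLY_POLICY = """
Allow TCP *:* Server/ 88
Allow TCP *:* Server/ 389
Allow TCP *:* Server/ 445
Allow TCP *:* Server/ 135
Allow TCP *:* Server/ 3268
Allow TCP *:* Server/ 139
Allow TCP *:* Server/ 1025
"""

if __name__ == "__main__":
    for proto, port in missing_ad_login_rules(TCP_ONLY_POLICY):
        print(f"missing: Allow {proto} *:* Server/ {port}")
```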

IT_Data_CorporateNet Fri, 03/07/2008 - 01:21
Thanks a lot. It works!!!

In my first config I didn't include the UDP ports.

One more question.

In my purchase I bought two servers, one of which was to be a failover. I didn't know about the CAM. I decided to use the failover server as the CAM and the other as the CAS. I had only one PAK for the server for 250 users. To start the configuration I decided to download the evaluation version, which includes licenses for both CAS and CAM. Now my NAC is working and I want to deploy it on the live network, and the evaluation version is about to expire. My question is: should I buy another license for the CAM, or can I use the PAK I have to request a license for the CAM?

gopinath.krishn... Fri, 03/07/2008 - 06:54
You can't purchase only two servers separately; surely you should have purchased the CAM too, because most of the user-related configuration will be done on the CAM... Just check with Cisco whether you have got the FO bundle license or whether it is for one CAM and one CAS.... You should have two PAKs, one for the CAM and one for the CAS...
