NAC ADSSO doesn't work

a.goldstein
Level 1

Hi there,

I have 1 CAS and 1 CAM. Everything works fine if I use localDB authentication.

I tried to complete the SSO AD configuration from the CAM installation guide. The SSO service started to work successfully. I'm trying to log in to the domain - it's OK, I see the green kerbtray icon, tickets are OK, but anyway I receive the CCA Agent login/password screen.

The AD SSO log looks like this (172.16.13.100 is the AD server):

Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [cisco/computer-c.zozo.gov@ZOZO.GOV]
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer buildKDCList
INFO: buildKDCList - KDC-1: computer-c.zozo.gov/172.16.13.100
Mar 14, 2008 1:10:10 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - KDC(s) : [172.16.13.100]
Mar 14, 2008 1:14:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running
Mar 14, 2008 1:19:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running

What may be wrong in my configuration? Local time on CAM, CAS and AD is the same, TCP/8910 on the CAS is in listening mode. I opened full IP from * to my AD server for the Unauthenticated Role.

Regards,

Andrey
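The GSSServer lines above are the only evidence the post gives that the CAS side of AD SSO came up (SPN read, KDC resolved, "Windows SSO is running"). The script below, an added example that is not part of this thread or of Cisco's software, parses that log fragment and a constructed failing variant and reports what a troubleshooter would check first: whether an SPN and KDC were logged, whether the realm is upper-case, whether a KDC login error such as the "Client not found in Kerberos database (6)" message mentioned later in the thread appeared, and whether the service ever reported running. The line layout of the failing sample and the hostnames in it are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample 1: the GSSServer lines quoted in the post, de-duplicated.
HEALTHY_LOG = """\
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [cisco/computer-c.zozo.gov@ZOZO.GOV]
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer buildKDCList
INFO: buildKDCList - KDC-1: computer-c.zozo.gov/172.16.13.100
Mar 14, 2008 1:10:10 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - KDC(s) : [172.16.13.100]
Mar 14, 2008 1:14:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run
INFO: GSSR - Windows SSO is running
"""

# Constructed sample 2: a start-up that fails at the KDC login. The error text
# is the one reported later in the thread; hostnames, realm and the exact
# surrounding line format are assumptions, not captured CAS output.
FAILING_LOG = """\
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [cisco/cas.example.test@example.test]
Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer buildKDCList
INFO: buildKDCList - KDC-1: dc1.example.test/192.0.2.10
Mar 14, 2008 1:10:10 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: GSSServer - login failed: Client not found in Kerberos database (6)
"""

SPN_RE = re.compile(r"SPN : \[([^\]]+)\]")
KDC_RE = re.compile(r"KDC-\d+: (\S+?)/(\d{1,3}(?:\.\d{1,3}){3})")
RUNNING_MARK = "Windows SSO is running"
# Kerberos error phrases as the Java GSS stack renders them.
KRB_ERRORS = (
    "Client not found in Kerberos database",
    "Clock skew too great",
    "Pre-authentication information was invalid",
)


@dataclass
class SsoStatus:
    spn: str = ""
    realm: str = ""
    kdcs: List[Tuple[str, str]] = field(default_factory=list)  # (fqdn, ip)
    running: bool = False
    errors: List[str] = field(default_factory=list)


def summarize_sso_log(text: str) -> SsoStatus:
    """Extract SPN, realm, KDC list, run state and KDC errors from CAS log text."""
    st = SsoStatus()
    for line in text.splitlines():
        m = SPN_RE.search(line)
        if m:
            st.spn = m.group(1)
            st.realm = st.spn.rsplit("@", 1)[1] if "@" in st.spn else ""
            continue
        m = KDC_RE.search(line)
        if m:
            st.kdcs.append((m.group(1), m.group(2)))
            continue
        if RUNNING_MARK in line:
            st.running = True
            continue
        for err in KRB_ERRORS:
            if err in line:
                st.errors.append(err)
    return st


def findings(st: SsoStatus) -> List[str]:
    """Return human-readable problems; an empty list means the log looks healthy."""
    out: List[str] = []
    if not st.spn:
        out.append("no SPN logged: the CAS never attempted a KDC login")
    elif st.realm != st.realm.upper():
        out.append(f"realm {st.realm!r} is not upper-case; Kerberos realms are case-sensitive")
    if not st.kdcs:
        out.append("no KDC resolved: check the AD server name/IP in the CAS SSO settings")
    for err in st.errors:
        out.append(f"KDC login error: {err}")
    if not st.running:
        out.append(f"'{RUNNING_MARK}' never logged: the SSO service did not start")
    return out


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("failing", FAILING_LOG)):
        st = summarize_sso_log(log)
        print(f"{name}: SPN={st.spn} KDCs={st.kdcs} running={st.running}")
        for f in findings(st):
            print("  -", f)
```

Note that a clean CAS log, as in the original post, only proves the CAS obtained its own service ticket from the KDC; it says nothing about whether the agent on the workstation can reach TCP/8910 on the CAS or whether the agent's own ticket is accepted, which is where the rest of the thread goes.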

9 Replies

a.goldstein
Level 1

ooops, I found the problem.

Workstation OS version was w2003server. With w2000wks and XP my configuration is working.

Regards,

Andrey

I am having an issue with AD SSO. CAS talks to AD because the service is started.

1. I can log in to the domain, but the NAC agent displays the "Windows domain authentication" window and then gives me a username and password window with the drop-down box set to LOCAL DB.

Any help is appreciated.

Have you created an Authentication Server for your AD SSO?

Log on to CAM

User Management -> Authentication Server

Have you verified that the User Login Page content setting includes "Available Providers"?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_pages.html#wp1095025

hello yprasannas...

We are having the same issue with AD SSO... Logging into the domain is OK, but we see the CCA Agent login/password screen as well... We also configured VLAN mapping, but no luck...

I noticed vlan mapping fixed your issue, what other things did you do?

Thanks

vinhtran427
Level 1

Are you running OOB Layer-3 with Real-IP gateway? Are you running 4.1.3? Are you using a Certificate Authority? If the answer is yes to all, you may want to review this: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html#wp74768. Be careful though, you may also need to apply an egress ACL to block the trusted VLAN from sending TCP-8910 to the FQDN of the OOB-CAS's Untrusted IP. Otherwise, the CCA agent may continue to send TCP-8910 to the CAS and process SSO and refresh IP continuously (looping process).

I answered yes to the first 2... not sure about the certificate authority... I'll take a look at the link and update... thanks for the response

manfernandez
Level 1

I am having an issue with Windows Server 2008 Datacenter Core 2 64Bit and AD SSO.

I am getting the "Client not found in Kerberos database (6)" error. I confirmed that the customer has the KB951191 hotfix.

TAC is saying it is not supported on Windows 2008 64-bit, although their documentation says it IS supported with the new v4.7.1.

Anyone else running 2008 64-bit with similar issues?
