NAC Appliance with AD SSO issue

Unanswered Question
Dec 4th, 2008


I'm testing NAC Appliance with AD SSO. The SSO seems to be Ok. Anyway, users'll be prompted with agent login dialog if they don't login to the AD. In addition, they can't pass the authentication even if they use the correct credential. How can I discard this dialog? I'd like to force them to login to the AD. Please advice.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
nitass Sat, 12/13/2008 - 19:33

Sorry I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both are pointed to the same domain controller. The reason I created the Kerberos is for allowing user to login through web login for downloading agent at the first time. After that, AD SSO will be used for authenticating.

Anyway, the problem is if user, laptop, does not login to the domain, the agent dialog will display and still allow user to login via the Kerberos. I do not want thing like this. How can I do? Please advice.



Craig Hyps Thu, 12/18/2008 - 13:03


If you only wish to allow AD logins, then AD SSO should be attempted first which it sounds like it is. If for any reason SSO fails for a user, then you can configure an authentication server that uses Kerberos (AD) or LDAP. This can be same server used for AD SSO, but needs to be a separate authentication server which can be enabled for the user login page. The user login page can have the allowed options which can include one or more auth servers.



nitass Thu, 12/18/2008 - 22:51

Hi Chyps,

Would it be possible to use an authentication server (i.e. kerberos) for web login only? I do not want that authentication server to be used by clean access agent in case SSO fails.

Thanks and regards,


Craig Hyps Fri, 12/19/2008 - 08:52

The auth server options selected on the user login page are configurable to a specific VLAN or operating system, so it would be possible to have different auth servers selected for Windows and say Linux/MAC users, but for users that map to same login page, both Web auth and agent-based users (including AD SSO users) will see the same auth server list.


nitass Sat, 12/20/2008 - 03:13

Hi Chyps,

Thanks. It seems that it could not be possible to only enable Kerberos auth server for web auth (and disable the same Kerberos auth server for agent based).

Thanks again,



This Discussion