NAC OOB AD SSO

Answered Question
Sep 6th, 2010

Hello,

I am trying to configure NAC OOB SSO with AD. The software on my CAS and CAM is 4.7(2) and my AD is Windows Server 2008.

I have some information that with this version of NAC software (4.7.2) I do not need to run ktpass on AD server. Is this true? Because I didn't find that kind of information in any manual.

So do I need to run ktpass and if I do, what version should I use?

Thanks

Correct Answer by Faisal Sehbai about 3 years 7 months ago

Zoran,

Check this link. Even though it says it's for 4.8, it works with 4.7.2 also:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1300720

HTH,

Faisal

zoran.suica Wed, 09/08/2010 - 14:27

Faisal,

thank you very much. I did configure it as it says in the document and it is working.

But I have another thing that worries me. Why is it (and is it) necessary to select "Use Kerberos DES encryption types for this account" under my CAS username when it also says in the section about Windows 7 that I can Enable Additional Algorithms on Existing AD Servers. But it explains only doing it with ktpass. Why can't I just enable other algorithms over ldp?

To be honest I am worried about this DES encryption because it is something my internal control doesn't like.

And I don't know in which step of Kerberos authentication (in NAC AD SSO) is DES algorithm used? Between client and AD or just client and CAS?

So is there a way to avoid DES totally and if not could you at least tell me in which phase of auth. process is it used so I can see if it is acceptable because of internal control.

Thanks once again,

Zoran

Faisal Sehbai Thu, 09/09/2010 - 03:30

Zoran,

Under the user properties, if you uncheck "Use Des encryption...." it will allow all encryption types. You can verify that it is not using DES by doing a packet capture between the CAS and the DC.

HTH,

Faisal
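One way to carry out the packet-capture check suggested above, as an added example that is not part of the original thread: it reads a per-message summary of the Kerberos traffic and separates DES that was only offered in a request from DES that labels an encrypted part. The five-column tab-separated layout, the `audit` and `parse_etypes` names and the sample rows are assumptions of this example; the etype and message-type numbers are the standard Kerberos assignments.

```python
# Added example: flag DES in a per-message summary of a Kerberos capture.
# Etype and message-type numbers are the standard Kerberos assignments;
# the five-column, tab-separated input layout is an assumption of this example.
DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
MSG = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
       14: "AP-REQ", 15: "AP-REP"}

# Constructed sample, not taken from a real capture.
# Columns: src, dst, msg_type, offered etypes, etypes of encrypted parts.
SAMPLE = """\
192.0.2.10\t192.0.2.1\t10\t18,17,23,3\t-
192.0.2.1\t192.0.2.10\t11\t-\t18,18
192.0.2.10\t192.0.2.1\t12\t18,17,23\t18,18
192.0.2.1\t192.0.2.10\t13\t-\t3,18
"""

def parse_etypes(field):
    """Turn '18,17,3' into [18, 17, 3]; '-' or '' means no value."""
    return [int(x) for x in field.split(",") if x.strip().isdigit()]

def audit(text):
    """Return (used, offered) lists of (src, dst, message, des_etype_name).

    'offered' means DES only appeared in a request's list of acceptable
    etypes; 'used' means some encrypted part was actually labelled DES.
    """
    used, offered = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, msg, off, enc = line.split("\t")
        name = MSG.get(int(msg), msg)
        for bucket, field in ((offered, off), (used, enc)):
            for etype in parse_etypes(field):
                if etype in DES:
                    bucket.append((src, dst, name, DES[etype]))
    return used, offered

if __name__ == "__main__":
    used, offered = audit(SAMPLE)
    for label, hits in (("USED", used), ("offered only", offered)):
        for src, dst, name, etype in hits:
            print(f"DES {label}: {etype} in {name} {src} -> {dst}")
```

A DES etype that shows up only in the offered column is a client advertising support; an entry in the used list is the case an internal-control review would care about.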

Posted September 6, 2010 at 4:08 AM