NAC OOB AD SSO

zoran.suica
Level 1

Hello,

I am trying to configure NAC OOB SSO with AD. The software on my CAS and CAM is 4.7(2) and my AD is Windows Server 2008.

I have some information that with this version of NAC software (4.7.2) I do not need to run ktpass on the AD server. Is this true? Because I didn't find that kind of information in any manual.

So do I need to run ktpass, and if I do, what version should I use?

Thanks

Accepted Solution

Faisal Sehbai
Level 7

Zoran,

Check this link. Even though it says it's for 4.8, it works with 4.7.2 also:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1300720

HTH,

Faisal



Faisal,

thank you very much. I did configure it as it says in the document and it is working.

But I have another thing that worries me. Why is it (and is it) necessary to select "Use Kerberos DES encryption types for this account" under my CAS username when it also says in the section about Windows 7 that I can Enable Additional Algorithms on Existing AD Servers? But it explains only doing it with ktpass. Why can't I just enable other algorithms over ldp?

To be honest I am worried about this DES encryption because it is something my internal control doesn't like. And I don't know in which step of Kerberos authentication (in NAC AD SSO) the DES algorithm is used. Between client and AD or just client and CAS?

So is there a way to avoid DES totally, and if not, could you at least tell me in which phase of the auth. process it is used so I can see if it is acceptable to internal control.

Thanks once again,

Zoran

Zoran,

Under the user properties, if you uncheck "Use DES encryption..." it will allow all encryption types. You can verify that it is not using DES by doing a packet capture between the CAS and the DC.

HTH,

Faisal
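As an added example (not from this thread or from Cisco's documentation), the Python below does the two checks discussed above: it works out which Kerberos encryption types the DC will issue keys for on the CAS account from its userAccountControl and msDS-SupportedEncryptionTypes attributes, and it flags DES etypes in tshark field output from a capture between the CAS and the DC. The RC4 fallback when msDS-SupportedEncryptionTypes is unset, the attribute values and the capture lines are assumptions or constructed samples.

```python
# Kerberos etype numbers (IANA registry; RFC 3961, RFC 3962, RFC 4757)
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DES_ETYPES = {1, 3}

# userAccountControl bit set by the "Use Kerberos DES encryption types for this account" checkbox
USE_DES_KEY_ONLY = 0x200000
# msDS-SupportedEncryptionTypes bitmask -> etype numbers
SUPPORTED_ENC_BITS = {0x1: 1, 0x2: 3, 0x4: 23, 0x8: 17, 0x10: 18}

def effective_etypes(uac, supported_enc_types=0):
    """Etypes the DC will issue keys for, given the account's attributes.
    Assumption: with msDS-SupportedEncryptionTypes unset (0) the DC falls back to RC4."""
    if uac & USE_DES_KEY_ONLY:          # checkbox ticked: the account is DES-only
        return sorted(DES_ETYPES)
    if not supported_enc_types:
        return [23]
    return [e for bit, e in SUPPORTED_ENC_BITS.items() if supported_enc_types & bit]

def uses_des(etypes):
    return any(e in DES_ETYPES for e in etypes)

KRB_MSG = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 14: "AP-REQ"}

def audit_capture(tshark_lines):
    """Parse 'kerberos.msg_type<TAB>kerberos.etype' lines and list DES etypes per message.
    A DES etype in a *-REQ is only the client's offer; in a *-REP or AP-REQ it means the
    issued key or ticket really is DES."""
    findings = {}
    for line in tshark_lines:
        line = line.strip()
        if not line:
            continue
        msg_type, _, etype_field = line.partition("\t")
        etypes = [int(x) for x in etype_field.split(",") if x]
        des = [ETYPE_NAMES[e] for e in etypes if e in DES_ETYPES]
        if des:
            findings.setdefault(KRB_MSG.get(int(msg_type), msg_type), []).extend(des)
    return findings

# Constructed sample, shaped like the output of:
#   tshark -r cas-dc.pcap -Y kerberos -T fields -e kerberos.msg_type -e kerberos.etype
SAMPLE_CAPTURE = [
    "12\t18,17,23,3,1",   # TGS-REQ: client advertises everything it supports
    "13\t3",              # TGS-REP: ticket for the CAS service encrypted with des-cbc-md5
]
```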
