Error with GPOs on Cisco NAC

metro.gmarsh
Level 1

I have Cisco NAC deployed in-band; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC in-band, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas...?

2 Replies

Joshua Warcop
Level 5

This is actually a very similar scenario I'm in right now, I just haven't turned anything on yet. I am quite confused as well about how machine GPO/computer startup scripts would run if behind a NAC controlled port.

I was thinking of doing what you did by allowing the unauthenticated role access to the domain controllers, but I guess that didn't work either.

I'm working in an OOB - VG CAS/CAM and using SNMP MAC notification back to the CAM.

Joshua Warcop
Level 5

I think the ports list in the CAS Manual is not complete. Try this list of ports from the CAM Manual chapter: User Management: Traffic Control, Bandwidth, Schedule

Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
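A quick way to confirm which of the ports in that list a client in the unauthenticated role can actually reach, as an added example that is not part of the original thread: a small Python script that parses the CAM-style rules above and attempts a TCP handshake to each TCP port on a domain controller. The DC hostname `dc01.example.local` and the probe timeout are assumptions; the UDP entries are reported but not probed, since a UDP datagram with no reply proves nothing about filtering.

```python
import re
import socket

# The traffic-control rules quoted in the reply above, copied here as the sample input.
CAM_RULES = """
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
"""

# One CAM rule line: action, protocol, source "host:port", destination "host/mask: port".
RULE_RE = re.compile(r"^Allow\s+(TCP|UDP)\s+\S+\s+\S+:\s*(\d+)$")

def parse_rules(text):
    """Return (protocol, port) pairs for every rule line; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(1), int(m.group(2))))
    return rules

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes, i.e. the NAC role lets it through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_dc_access(dc, rules, probe=tcp_probe):
    """Probe each TCP rule against the DC; UDP rules are listed but not tested."""
    result = {"open": [], "blocked": [], "udp_untested": []}
    for proto, port in rules:
        if proto == "UDP":
            result["udp_untested"].append(port)
        elif probe(dc, port):
            result["open"].append(port)
        else:
            result["blocked"].append(port)
    return result
```

Run `check_dc_access("dc01.example.local", parse_rules(CAM_RULES))` from a PC sitting in the unauthenticated role; anything in `blocked` is a port the role still filters and a likely reason GPO processing stalls (445 in particular is needed to read SYSVOL).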
