Cisco Support Community

NAC 4.5 ADSSO on multiple AD servers not working, how to troubleshoot?

Hi All,

I'm handling a NAC (CAS and CAM ver 4.5) to be implemented on a production network. The network has two working AD servers, one acting as back-up. We want to configure the NAC to be able to run ADSSO even if the active AD fails, so we configured NAC to run ADSSO on multiple servers. I followed the documents, ran ktpass for multiple ADs, and installed kerbtray to see Kerb tickets, but I'm still puzzled by the problem. My CAS shows that the ADSSO service is already started, but my workstation cannot perform single sign-on. After the "performing AD authentication" window, the agent then reverts back to a local account. Please help, guys. I'm willing to share other details about this. Thanks.

Regards,

Dan

5 REPLIES

Re: NAC 4.5 ADSSO on multiple AD servers not working, how to tro

Dan,

If the service is started and SSO is still failing, check for open ports on your unauthenticated traffic policy. For testing you can open all IP, and if that works, then look closely at the documented port openings and have them open.

HTH,

Faisal


Re: NAC 4.5 ADSSO on multiple AD servers not working, how to tro

Hi Faisal,

The Unauthorized role is already in the all-traffic-enabled policy. My problem is that the KT that is shown on the workstation is different from the one I created using ktpass, although I matched the cases of the domain and the one in the ktpass. I would deeply appreciate it if you can help. Thanks.

Regards,

Dan

Re: NAC 4.5 ADSSO on multiple AD servers not working, how to tro

Dan,

Do you still have the text of the ktpass run you did on that account?

Faisal


Re: NAC 4.5 ADSSO on multiple AD servers not working, how to tro

Make sure to check "Domain" instead of "single AD server" on the CAS authentication page.

Alex

Re: NAC 4.5 ADSSO on multiple AD servers not working, how to tro

Check the syntax of ktpass.

Also make sure the DCs and the CAS are synchronised to the same time source (or the CAS is synched to the DC itself).
