Cisco Support Community

New Member

NAC Appliance with AD SSO issue

Hi,

I'm testing NAC Appliance with AD SSO. The SSO seems to be OK. However, users will be prompted with the agent login dialog if they don't log in to the AD. In addition, they can't pass the authentication even if they use the correct credentials. How can I get rid of this dialog? I'd like to force them to log in to the AD. Please advise.

Thanks,

Nitass

6 REPLIES
New Member

Re: NAC Appliance with AD SSO issue

Is the system (PC/laptop) already joined to the domain?

New Member

Re: NAC Appliance with AD SSO issue

Sorry, I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both point to the same domain controller. The reason I created the Kerberos one is to allow users to log in through web login to download the agent the first time. After that, AD SSO will be used for authentication.

Anyway, the problem is that if the user (laptop) does not log in to the domain, the agent dialog will be displayed and will still allow the user to log in via Kerberos. I do not want this to happen. What can I do? Please advise.

Thanks,

Nitass

Cisco Employee

Re: NAC Appliance with AD SSO issue

Nitass,

If you only wish to allow AD logins, then AD SSO should be attempted first, which it sounds like it is. If for any reason SSO fails for a user, then you can configure an authentication server that uses Kerberos (AD) or LDAP. This can be the same server used for AD SSO, but it needs to be a separate authentication server which can be enabled for the user login page. The user login page can have the allowed options, which can include one or more auth servers.

Regards,

chyps

New Member

Re: NAC Appliance with AD SSO issue

Hi Chyps,

Would it be possible to use an authentication server (i.e. Kerberos) for web login only? I do not want that authentication server to be used by the Clean Access Agent in case SSO fails.

Thanks and regards,

Nitass

Cisco Employee

Re: NAC Appliance with AD SSO issue

The auth server options selected on the user login page are configurable to a specific VLAN or operating system, so it would be possible to have different auth servers selected for Windows and, say, Linux/Mac users. But for users that map to the same login page, both web auth and agent-based users (including AD SSO users) will see the same auth server list.

/chyps

New Member

Re: NAC Appliance with AD SSO issue

Hi Chyps,

Thanks. It seems that it is not possible to enable the Kerberos auth server only for web auth (and disable the same Kerberos auth server for agent-based login).

Thanks again,

Nitass
