Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
0
Helpful
1
Replies

NAC In-Band with AD SSO

abuatiya
Level 1
Level 1

‎05-28-2009 03:46 AM - edited ‎02-21-2020 03:29 AM

I have implemented cisco NAC IN-Band mode (virtual Gateway). We are still testing the features to deploy it in the customer

network. I have the following observations:

1. NAC Integration with Active Directory for SSO

The integration was done successfully but i have doubt about the user roles as in the document guding the configuration

the role is applied for unathentication role while i have created role called users. when the user logging thru SSO i can see the

user online on unauthentocation rule. is this correct ? how to make the user connected to his role ( User role )

2. when the user connected on the network thru SSO, i have closed the agent from the desktop but the browser and netwrok resoureces

is still accessible , is this normal ?

3. which exact ports are needed to open (tcp & UDP) for integrating NAS with AD SSO bare in mind i have Proxy on the network?

the ports on NAS documents seems not enough for full communication.

4. user cannot browse the internet unless i allow broxy IP from the unauthenticatied role

5. when the user successfully logged on the network thru SSO, why the browser keep redirecting to install Clean access agent?

0 Helpful
1 Reply 1

greg.washburn
Level 1
Level 1

‎05-28-2009 05:05 AM

1.) Nope not correct. Your mappings are not working correctly. Go to User Management > Auth Servers > and click the Mapping Rules Tab.

2.) This could be normal behavior if you have allowed those accesses to the unauthenticated role. Go to User Management > User Roles > click the traffic control tab. If you didn't allow it there verify the mac and/or IP address is not "whitelisted". Go to Device Management > and click the devices tab. If neither of these allow the client they may not be set up to go throught he Clean Access server. Verify your vlan mappings are correct. Go to Device Management > CCA Servers > Manage the appropriate server > click advanced > click managed subnet.

3.) Agree. They may not be enough. I recommend using wireshark or similar network sniffer on a host behind the CAS and sniff traffic going to and from the client. You may likely find a port that should be open that is not. Remember by default everything is allowed from a trusted source (DC) to the untrusted source (client) so you probably only need to look at sniffing the client side of the connection. Look for attempts to connect to your DC(s) IP address from the client where the port is not allowed through traffic rules mentioned in #2.

4.) They should not be allowed to browse until moving from unauthenticated to another more trusted role. If they can't browse it means they are not getting placed into the correct role. Again I reference #2 answers above.

5.) It should not. Verify the user after authenticating is not still being placed into the incorrect role. See answers to question 1 above.

Please rate answers if they are helpful.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card