NAC In-Band with AD SSO

I have implemented Cisco NAC In-Band mode (Virtual Gateway). We are still testing the features to deploy it in the customer network. I have the following observations:

1. NAC Integration with Active Directory for SSO

The integration was done successfully, but I have a doubt about the user roles: in the document guiding the configuration the role is applied to the Unauthenticated role, while I have created a role called Users. When the user logs in through SSO I can see the user online in the Unauthenticated role. Is this correct? How do I make the user connect to his role (User role)?

2. When the user is connected to the network through SSO, I closed the agent on the desktop, but the browser and network resources are still accessible. Is this normal?

3. Which exact ports (TCP & UDP) need to be opened for integrating NAS with AD SSO, bearing in mind I have a proxy on the network? The ports in the NAS documents seem not to be enough for full communication.

4. The user cannot browse the internet unless I allow the proxy IP from the Unauthenticated role.

5. When the user has successfully logged on to the network through SSO, why does the browser keep redirecting to install the Clean Access Agent?


Re: NAC In-Band with AD SSO

1.) Nope not correct. Your mappings are not working correctly. Go to User Management > Auth Servers > and click the Mapping Rules Tab.

2.) This could be normal behavior if you have allowed those accesses to the unauthenticated role. Go to User Management > User Roles > click the Traffic Control tab. If you didn't allow it there, verify the MAC and/or IP address is not "whitelisted". Go to Device Management > and click the Devices tab. If neither of these allow the client, they may not be set up to go through the Clean Access Server. Verify your VLAN mappings are correct. Go to Device Management > CCA Servers > Manage the appropriate server > click Advanced > click Managed Subnet.

3.) Agree. They may not be enough. I recommend using Wireshark or a similar network sniffer on a host behind the CAS and sniffing traffic going to and from the client. You may well find a port that should be open but is not. Remember that by default everything is allowed from a trusted source (DC) to the untrusted source (client), so you probably only need to look at sniffing the client side of the connection. Look for attempts to connect to your DC(s)' IP address from the client where the port is not allowed through the traffic rules mentioned in #2.

4.) They should not be allowed to browse until moving from unauthenticated to another more trusted role. If they can't browse it means they are not getting placed into the correct role. Again I reference #2 answers above.

5.) It should not. Verify the user after authenticating is not still being placed into the incorrect role. See answers to question 1 above.

Please rate answers if they are helpful.
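The sniffing step suggested in #3 above can be turned into a quick check. The following is an added example, not code from the original thread or from Cisco: it takes constructed client-side flow records (source, destination, protocol, destination port) and a constructed list of the Unauthenticated role's traffic control allow rules, and reports which client-to-DC ports no rule permits. Flow format, rule format and all addresses are assumptions.

```python
from __future__ import annotations
import ipaddress
from typing import Iterable

# Constructed sample: flows captured on the untrusted side, client towards DC.
SAMPLE_FLOWS = """\
10.10.20.15 10.10.1.5 tcp 88
10.10.20.15 10.10.1.5 udp 88
10.10.20.15 10.10.1.5 tcp 389
10.10.20.15 10.10.1.5 tcp 445
10.10.20.15 10.10.1.5 udp 53
10.10.20.15 10.10.1.5 tcp 135
10.10.20.15 10.10.1.5 tcp 49160
10.10.20.15 8.8.8.8 udp 53
"""

# Constructed sample: Unauthenticated role allow rules as (proto, destination, port spec).
# Port spec is a single port, an 'a-b' range, or '*' for any port.
SAMPLE_RULES = [
    ("tcp", "10.10.1.5/32", "88"),
    ("udp", "10.10.1.5/32", "88"),
    ("tcp", "10.10.1.5/32", "389"),
    ("udp", "10.10.1.5/32", "53"),
]

def _port_allowed(spec: str, port: int) -> bool:
    """True if the rule's port spec covers the given destination port."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def find_blocked_ports(flows: str, rules, dc_ips: Iterable[str]) -> list[tuple[str, int]]:
    """Return sorted (proto, dport) pairs the client tried towards a DC that no rule permits."""
    dcs = {ipaddress.ip_address(ip) for ip in dc_ips}
    parsed = [(p, ipaddress.ip_network(net), spec) for p, net, spec in rules]
    blocked = set()
    for line in flows.splitlines():
        src, dst, proto, dport = line.split()
        dst_ip, port = ipaddress.ip_address(dst), int(dport)
        if dst_ip not in dcs:
            continue  # only DC-bound traffic matters for the SSO port question
        if not any(proto == p and dst_ip in net and _port_allowed(spec, port)
                   for p, net, spec in parsed):
            blocked.add((proto, port))
    return sorted(blocked)

if __name__ == "__main__":
    for proto, port in find_blocked_ports(SAMPLE_FLOWS, SAMPLE_RULES, ["10.10.1.5"]):
        print(f"client -> DC {proto}/{port} is not permitted by the Unauthenticated role rules")
```

Each reported port is a candidate to add to the role's traffic control rules, after confirming in the capture what the client was actually trying to reach it for.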
