Cisco Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 8 Configuring Active Directory Single Sign-On (AD SSO)
Configure Traffic Policies for Unauthenticated Role
Configure Traffic Policies for Unauthenticated Role
A user in the domain logging into his/her Windows machine sends credentials to the root domain
controller to perform the first portion of Kerberos ticket exchange (as shown in
controller to perform the first portion of Kerberos ticket exchange (as shown in
). Once the
machine receives a Service Ticket, the Agent uses it to validate the client authentication through the
CAS. Only when the CAS validates the authentication is the user allowed network access, and there is
no need for a separate user login through the Clean Access Agent.
CAS. Only when the CAS validates the authentication is the user allowed network access, and there is
no need for a separate user login through the Clean Access Agent.
As
illustrates, the CAS is configured to read the login credentials of user machines as they
authenticate to the Active Directory server. Ports must be opened on the CAS to allow the authentication
traffic to pass to through the CAS to/from the Active Directory server. The administrator can open either
TCP or UDP ports, depending on what the Active Directory server uses. Configure traffic policies for
the Unauthenticated role to allow these ports on the trusted-side IP address of the AD server.
traffic to pass to through the CAS to/from the Active Directory server. The administrator can open either
TCP or UDP ports, depending on what the Active Directory server uses. Configure traffic policies for
the Unauthenticated role to allow these ports on the trusted-side IP address of the AD server.
Note
This will allow the client to authenticate to the AD and for GPO and scripts to run.
Cisco recommends that you install Cisco Security Agent (CSA) on the AD/DMZ AD.
Required TCP Ports
If the Active Directory server is using Kerberos, the following TCP ports must be opened on the CAS.
•
TCP 88 (Kerberos)
•
TCP 135 (RPC)
•
TCP 389 (LDAP) or TCP 636 (LDAP with SSL)
•
TCP 1025 (RPC)–non-standard
•
TCP 1026 (RPC)–non-standard
Alternative UDP Ports
If it is not known whether the Active Directory server is using Kerberos, you must open the following
UDP ports instead:
UDP ports instead:
•
UDP 88 (Kerberos)
•
UDP 389 (LDAP) or UDP 636 (LDAP with SSL)
Note
Typically, the LDAP protocol uses plain text when sending traffic on TCP/UDP port 389. If encryption
is required for LDAP communications, use TCP / UDP port 636 (LDAP with SSL encryption) instead.
is required for LDAP communications, use TCP / UDP port 636 (LDAP with SSL encryption) instead.
To Add Policies for AD Server
1.
Go to User Management > User Roles > List of Roles > Policies [Unauthenticated Role]. This
brings up the IP traffic policy form for the Unauthenticated Role.
brings up the IP traffic policy form for the Unauthenticated Role.
2.
With the direction dropdown set for Untrusted ->Trusted, click the Add Policy link. The Add Policy
form appears (
form appears (