NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO)

Similar documents
SINGLE SIGN ON. The following document describes the configuration of Single Sign On (SSO) using a Windows 2008 R2 or Windows SBS server.

Fixing Issues with Corporate Directory Lookup from the Cisco IP Phone

CA SiteMinder Federation Standalone

DoD Common Access Card Authentication. Feature Description

IBM Security Access Manager v8.x Kerberos Part 1 Desktop Single Sign-on Solutions

ACS 5.x: LDAP Server Configuration Example

User Management: Configuring Auth Servers

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

Comodo Certificate Manager

ZENworks 11 Support Pack 4 User Source and Authentication Reference. October 2016

Security Provider Integration Kerberos Authentication

IBM Security Access Manager v8.x Kerberos Part 2

Windows AD Single Sign On

CTC Fails to Start on Windows XP with Cisco Security Agent

Configuring Cisco CallManager IP Phones to Work With IP Phone Agent

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

Symbols. Numerics I N D E X

Troubleshooting Single Sign-On

Novell Kerberos Login Method for NMASTM

Realms and Identity Policies

Secure Web services with WebSphere Application Server and Microsoft Windows Communication Foundation

Troubleshooting Single Sign-On

Reestablishing a Broken CallManager Cluster SQL Subscription with Cisco CallManager

SAML-Based SSO Configuration

HP Operations Orchestration Software

UCCE WebView Frequently Asked Questions

IPCC: Lightweight Directory Access Protocol (LDAP) Troubleshooting Guide

Forescout. Configuration Guide. Version 3.5

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

Realms and Identity Policies

Single Sign On (SSO) with Polarion 17.3

Using Kerberos Authentication in a Reverse Proxy Environment

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Use NAT to Hide the Real IP Address of CTC to Establish a Session with ONS 15454

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Check Password Synchronization with the Admin Utility in the Cisco CallManager Cluster

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Migrating vrealize Automation 6.2 to 7.2

Active Directory 2000 Plugin Installation for Cisco CallManager

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Dell EMC Unity Family

SAML-Based SSO Configuration

Unity Connection Version 10.5 SAML SSO Configuration Example

US FEDERAL: Enabling Kerberos for Smartcard Authentication to Apache.

Identity Firewall. About the Identity Firewall

Configuring Kerberos based SSO in Weblogic Application server Environment

LDAP Directory Integration

User Management: Configuring User Roles and Local Users

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

PCoIP Connection Manager for Amazon WorkSpaces

Cisco Expressway Authenticating Accounts Using LDAP

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

vcenter Server Appliance Configuration Update 1 Modified on 04 OCT 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications

Integrating a directory server

WebView and IIS Connection Timeouts

Novell Access Manager

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Authenticating Devices

HP Operations Orchestration Software

Remote Support Security Provider Integration: RADIUS Server

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

Administering the CAM

Security Provider Integration: Kerberos Server

PCoIP Connection Manager for Amazon WorkSpaces

NAT Support for Multiple Pools Using Route Maps

IBM i Version 7.2. Networking IBM i NetServer IBM

Integrating AirWatch and VMware Identity Manager

Novell Access Manager

Contents. Platform Compatibility. Directory Connector SonicWALL Directory Services Connector 3.1.7

Manage SAML Single Sign-On

Okta Integration Guide for Web Access Management with F5 BIG-IP

Realms and Identity Policies

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

IVE Quick Startup Guide - OS 4.0

Cisco Terminal Services (TS) Agent Guide, Version 1.1

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Hollins University VPN

User ID Service. How to integrate Forcepoint User ID Service with other Forcepoint products 1.1. Revision A

CRS Historical Reports Schedule and Session Establishment

Troubleshooting IMAP Clients and ViewMail for Outlook

VMware Skyline Collector User Guide. VMware Skyline 1.4

Cisco Terminal Services (TS) Agent Guide, Version 1.0

VMware Horizon View Deployment

How to Configure Authentication and Access Control (AAA)

Cisco Terminal Services (TS) Agent Guide, Version 1.1

AppScaler SSO Active Directory Guide

Troubleshooting Cisco DCNM

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

202 Lab Introduction Connecting to the Lab Environment

Active Directory as a Probe and a Provider

OpenAM Single Sign-On

TMS Agent Troubleshooting procedures for Cisco TelePresence VCS and TMS

Avaya Contact Centre Control Manager Release 7.0 Service Pack 1 (ACCCM 7.0 SP1 or ACCCM 7.0.1)

Aventail README ASAP Platform version 8.0

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

Security Provider Integration RADIUS Server

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Transcription:

NAC Appliance (CCA): Configure and Troubleshoot the Active Directory Windows Single Sign On (SSO) Document ID: 97251 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Windows SSO Set up the AD SSO Provider Run KTPass on the DC Configure SSO on the CAS Verify the SSO Service is Started Open Ports to the DC Client Sees Agent Performing SSO SSO Completed SSO User Seen on the Online User List Troubleshoot Windows SSO Error: Could not start the SSO service. Please check the configuration. Client Authentication does not Work Unable to run SSO on windows 7 PC Unable to configure linux client support for a user in NAC environment SSO Service is Started, but Client does not Perform SSO Kerbtray CAS Logs Cannot Start SSO Service Known Issues Related Information Introduction This document describes how to use Microsoft Windows Active Directory (AD) Single Sign On (SSO) in order to configure and troubleshoot the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access (CCA). Prerequisites Requirements Ensure that you meet these requirements before you attempt this configuration: Make sure the DC runs Windows 2000 SP4 or Windows 2003 (Standard or Enterprise) SP1 or Windows 2003 R2. Windows 2003 without SP1 is not supported. Make sure Windows SSO is supported in an AD environment only. Windows NT environment is not supported. Clean Access Agent is required. Set up the Clean Access Server (CAS) account as described in Cisco NAC Appliance Clean Access

Server Installation and Configuration Guide, Release 4.1(2). Components Used The information in this document is based on the NAC Appliance software version 4.x or later. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Configure Windows SSO The information in this section describes how to configure the features presented in this document. Set up the AD SSO Provider You cannot perform an authentication test to an AD SSO provider or a VPN SSO. The LDAP lookup server is needed only if the users want to do mapping rules for the AD SSO, so that after AD SSO, the users will be placed in roles based on AD attributes. This is not needed to get the basic SSO working (without role mapping). Run KTPass on the DC KTPass is a tool available as a part of Windows 2000/2003 support tools. Refer to Cisco NAC Appliance Clean Access Server Installation and Configuration Guide, Release 4.1(2) for more information. When you run KTPass, it is important to note that the computer name that always falls between the / and the @ matches the name of the DC as it would appear under Control Panel > System > Computer Name > Full Computer Name on the DC. Also, make sure that the realm name that appears after @ highlighted is always in upper case letters. C:\Program Files\Support Tools>ktpass princ prem vm 2003.win2k3.local@WIN2K3.LOCAL ccasso/ mapuser ccasso pass Cisco123 out c:\test.keytab ptype KRB5_NT_PRINCIPAL +DesOnly Using legacy password setting method //confirms ccasso acct is mapped Successfully mapped ccasso/prem vm 2003.win2k3.local to ccasso. Key created. Output keytab to c:\test.keytab Keytab version: 0x502 keysize 80 ccasso/prem vm 2003.win2k3.local@WIN2K3.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4 HMAC) keylength 16 (0xf2e787d376cbf6d6dd3600132e9c215d) Account ccasso has been set for DES only encryption.

In order to support Windows 7, you must run KTPASS as shown in this example: C:\Program Files\Support Tools>KTPASS.EXE princ newadsso/[adserver.]domain.com@domain.com mapuser newadsso pass PasswordText out c:\newadsso.keytab ptype KRB5_NT_PRINCIPAL Also, make sure that the realm name that appears after @ highlighted is always in upper case letters. Configure SSO on the CAS Choose CCA Servers > Manage > Authentication > Windows Auth > Active Directory SSO in order to open the AD window, and verify these items: Active Directory Domain: Kerberos realm name = Needs to be upper case. Active Directory Server (FQDN): Make sure that the CAS can resolve this name via DNS. This field cannot be an IP address. Using the values in this example, you can log on to the CAS via Secure Shell (SSH), and perform nslookup prem vm 2003.win2k3.local. Then, make sure it resolves successfully. Make sure FQDN matches the name of the AD server (DC) exactly as it appears under Control Panel > System > Computer Name Full computer name on the AD server machine (DC). Verify the SSO Service is Started Complete these steps: 1. Go to CCA Servers > Manage > Status in order to verify that the SSO service is started.

2. Run this command in order to verify that the CAS now listens on TCP 8910 (used for Windows SSO). Open Ports to the DC [root@cs ccas02 ~]#netstat a grep 8910 tcp 0 0 *:8910 *:* LISTEN In order to open the appropriate ports to the DC, complete these steps: Note: For testing, always open complete access to the DC. Then, once SSO works, you can tie it down to specific ports. 1. Make sure the following ports are allowed in the untrusted role to Active Directory: TCP: 88, 135, 445, 389/636, 1025, 1026 UDP: 88, 389 Note: TCP PORT 445 must be open for Windows Password Reset to work correctly. 2. Ensure that the client runs CCA Agent 4.0.0.1 or later. 3. Log in to the PC with the Windows Domain credentials. Note: Make sure you are logging into the domain and not the local account. Client Sees Agent Performing SSO

SSO Completed SSO User Seen on the Online User List

Troubleshoot Windows SSO Error: Could not start the SSO service. Please check the configuration. Problem You receive this error: Solution In order to resolve this issue, complete these steps: 1. Check to make sure KTPass runs correctly. It is important to check the fields as mentioned in slide X. If KTPass was run incorrectly, delete the account and create a new account on AD and run KTPass again. 2. Make sure time on the CAS is synchronized with the DC. This step can be performed by pointing them both to the same time server. In lab setups, point the CAS to the DC itself for time (DC runs Windows time). Kerberos is sensitive to clock and the skew cannot be greater than 5 minutes (300 secs). Note: When you try to start the AD SSO service of the CAS, an issue might occur with the time syncronization, NTP. If NTP is configured, and clocks are not syncronized, services will not work. Once fixed the services should work. 3. Make sure the Active Directory Domain is in upper case (Realm) and the CAS can resolve FQDN in DNS. For lab setups, you can point to a DC that runs DNS (AD requires at lease one DNS server). 4. Log into CAS directly as https://<cas IP address>/admin. Then, click Support Logs and change

the logging level for the Active Directory Communication Logging to Info. 5. Re create the problem and download the support logs. Client Authentication does not Work Problem AD SSO service is started, but client authentication does not work. Solution UDP ports were not open in the unauthenticated role. After you add these ports to the traffic policies, authentication should work. Unable to run SSO on windows 7 PC Problem SSO is not working for machines that run the Windows 7 operating system. Solution 1 In order to resolve this issue, enable DES encryption on machine that runs the Windows 7 operating system, and then re run the KTPass. Complete these steps in order to enable DES on a Windows 7 PC: 1. Log in to the Windows 7 client machine as an administrator. 2. Go to Start > Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies/Security > Options. 3. Choose Network security > Configure encryption types allowed. 4. On the Local Security Settings tab, check the check boxes to enable all options, except the Future encryption types option. Solution 2 In order to resolve this issue, run this command on the Windows 2003 Server (if it needs to support Windows 7 as well): C:\Program Files\Support Tools> ktpass.exe princ casuser/cca eng domain.cisco.com@cca ENG DOMAIN.CISCO.COM mapusercasuser pass Cisco123 out c:\casuser.keytab ptype KRB5_NT_PRINCIPAL For more information, refer to Configure AD SSO in a Windows 7 Environment. Unable to configure linux client support for a user in NAC environment Problem Unable to configure Linux client support for a user in NAC environment.

Solution Web Agent or Agent are not supported on Linux. NAC supports Linux with Web Login only without any posture assessment. Once the machine is authenticated through the Web Login, the user should be assigned to a final user role that you configure. The user will then have access according to the traffic policy of the user role. Refer to the Cisco bug CSCti54517 (registered customers only) for more information. SSO Service is Started, but Client does not Perform SSO This is usually due to some communication issue between the DC/client PC or between the client PC and the CAS. Here are a few things to verify: Client has Kerberos keys. Ports are open to the DC so the client can connect, receive agent logs, and receive logs on the CAS. Time or clock on the client PC is synchronized with the DC. Confirm CAS is listening on port 8910. A sniffer trace on the client PC will also help. CCA Agent is 4.0.0.1 or later. User is actually logged in using the domain account and not using the local account. Kerbtray Kerbtray can be used to confirm that the client has obtained the Kerberos Tickets (TGT and ST). The concern is for the Service Ticket (ST), which is for the CAS account that you created on the DC. Kerbtray is a free tool available from Microsoft Support tools. It can also be used to purge the Kerberos Tickets on a client machine. A green Kerbtray Icon on the system tray indicates that client has active Kerberos Tickets. However, you need to verify that the ticket is correct (valid) for the CAS account.

CAS Logs Cannot Start SSO Service The log file of interest on the CAS is /perfigo/logs/perfigo redirect log0.log.0. AD SSO Service does not start on CAS is a CAS DC communication issue: 1. SEVERE: startserver SSO Service authentication failed. Clock skew too great (37) Aug 3, 2006 7:52:48 PM com.perfigo.wlan.jmx.admin.gssserver logintokdc This means the clock is not synchronized between the CAS and the domain controller. 2. Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.gssserver logintokdc INFO: GSSServer SPN : [ccass/prem vm 2003.win2k3public.local@WIN2K3PUBLIC.LOCA Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.gssserver logintokdc SEVERE: startserver SSO Service authentication failed. Client not found in Kerberos database (6) Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.gssserver startserver WARNING: GSSServer loginsubject could not be created. This means the username is incorrect. Note the wrong username ccass, error code 6 and the last warning. 3. Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.gssserver logintokdc INFO: GSSServer SPN : [ccasso/prem vm 2003.win2k3public.local@WIN2K3PUBLIC.LOCAL] Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.gssserver logintokdc SEVERE: startserver SSO Service authentication failed. Pre authentication information was invalid (24) Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.gssserver startserver WARNING: GSSServer loginsubject could not be created.

The password is incorrect or realm is invalid (not in upper case?). Bad FQDN? KTPass runs incorrectly? Note the Error 24 and the last warning. Note: Make sure that the KTPass version is 5.2.3790.0. Unless there is a bad version of KTPass that even if the script is run properly, the SSO service will not start. Client CAS Communication Issue: Aug 3, 2006 10:03:05 AM com.perfigo.wlan.jmx.admin.gsshandler run SEVERE: GSS Error: Failure unspecified at GSS API level (Mechanism level: Clock skew too great (37)) This error is seen when the client PC time is not synchronized with the DC. Note: The difference between this error and the one where the CAS time is not synchronized with the DC. Known Issues Cisco bug ID CSCse64395 (registered customers only).0 Agent does not resolve DNS for Windows SSO. This issue is resolved in CCA Agent 4.0.0.1. Cisco bug ID CSCse46141 (registered customers only) SSO fails in case CAS cannot reach the AD server during startup. The workaround is to go to CCA Servers > Manage [CAS_IP] Authentication > Windows Auth > Active Directory SSO, and click Update in order to restart the AD SSO service. Perform a service perfigo restart on the CAS. There is a caching issue when the old credentials are cached on the CAS and it does not use the new one until Tomcat is restarted. You cannot limit single user log in for SSO. This is the normal behavior for SSO because it is a kerberos protocol, and there is no option to limit single user log in a kerberos protocol. Windows 7 and Windows 2008 do not support SSO as SSO uses DES encryption that is not supported by Windows 7 or Windows 2008. Related Information Cisco NAC Appliance (Clean Access) Support Page Technical Support & Documentation Cisco Systems Contacts & Feedback Help Site Map 2014 2015 Cisco Systems, Inc. All rights reserved. Terms & Conditions Privacy Statement Cookie Policy Trademarks of Cisco Systems, Inc. Updated: Dec 01, 2008 Document ID: 97251

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback