7/28/2019 Integration NAC With Active Directory
NAC Active Directory Single Sign-on
Description: Configure NAC Active Directory Single Sign-on
Objective: The goal is to configure AD-SSO and set the default Role. This allows administrators to set up a single
authentication method for users when deploying NAC. Before the user connects to the network, the NAC
Server has to determine whether the user is valid against the AD infrastructure. This also gives a better
user experience and does not prompt the user for more than one authentication on a network.
Steps: Select the Authentication tab and the Windows Auth sub-tab. This will bring you to the
Active Directory SSO screen, where you can complete the fields using the data shown below. Note
that items are case sensitive. Also, do not check the Enable box yet! We will return to this screen later
to enable SSO.
Active Directory Server (FQDN): win2k3-server.ciscosec.com
Active Directory Domain: CISCOSEC.COM
Account Name for CAS: ssksso
Account Password for CAS: cisco123
Active Directory SSO Auth Server: adsso
Click Update.
Kerberos is sensitive to clock skew, which cannot be greater than five minutes. Before moving on,
ensure that the time on the NAC Server is synchronized with the Time Server. Select the Misc tab
and the Time sub-tab. Click Sync Current Time. The virtual machines should sync their time from
the Domain Controller X.X.X.X. If you are having trouble, set the time manually.
Build AD-SSO Account on Windows and authorize it for Kerberos using the ktpass
command
In order for the NAC Server to check with the AD Server to see if a Kerberos ticket is valid, the ID
we created in the above section, ssksso, needs to be created in AD and given Kerberos rights with
the ktpass command. This command is part of the additional support tools for Windows Servers.
Select Active Directory Users and Computers on the desktop and add the ssksso user with a
password of cisco123. Right click on the Users folder and select New > User.
Enter ssksso in the First name, Full name, and User logon name fields and click Next.
Enter a password of cisco123, uncheck the box User must change password at next
logon, and check the box for Password never expires. Click Next and then Finish to create the
user.
Kerberos is sensitive to clock skew, which cannot be greater than five minutes. To achieve the
same on the Windows server, open a command prompt and type the following commands:
net stop w32time
net start w32time
Configure XP Client to pull time from the DC so that all components are in sync. To do so, open
a command prompt on XP Client and type net time /domain /set /yes.
Note: This will complete successfully if XP Client is still on the certified devices list. Later in the
lab, we will implement policies for the unauthenticated role to allow NTP through before XP Client
is authenticated.
With the ssksso userid added to AD and time synchronized, the next step is to run the ktpass
command to grant the ssksso user access to check Kerberos tickets. Open a command prompt
and enter the ktpass command. This command is case sensitive and it is critical to enter it
correctly. In order to improve accuracy, we have the command in a text file from which you can
cut and paste.
Select the SSK File folder on the desktop or navigate to C:\SSK. Open the ADSSO folder and the ktpass.txt file. Select all the text (Ctrl-A) and copy (Ctrl-C) it to the clipboard. Paste the text into
the command prompt window and wait for the command to execute.
The ktpass command is described in detail in the configuration guides and Microsoft tech articles.
One important item to document is the output from the command. A best practice is to save the
exact command you ran and its output to a text file and keep it for possible engagement with
Cisco TAC.
Here is the command as entered in our lab (one line):
ktpass.exe -princ ssksso/win2k3-server.ciscosec.com@CISCOSEC.COM -mapuser ssksso -pass cisco123 -out c:\ssksso.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
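Because the exact command and its output are what TAC will ask for, it helps to be able to confirm what actually landed in the keytab: the principal name, the key version number (kvno) and the encryption type. The script below is an added example and not part of the lab or of Cisco's tooling; it parses the keytab format (version 0x0502, which ktpass also writes) and reports what it finds. The sample keytab it carries is constructed in code with dummy zero-byte keys so it runs offline; +DesOnly limits the keys to the two DES enctypes (1 and 3), so any other enctype in a keytab produced by that command is worth a second look.

```python
"""Inspect a keytab such as the one ktpass writes (c:\\ssksso.keytab). Added example."""
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

KRB5_NT_PRINCIPAL = 1          # the -ptype used in the lab command
DES_ENCTYPES = (1, 3)          # des-cbc-crc, des-cbc-md5: all that +DesOnly permits
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    # counted_octet_string: 16-bit big-endian length followed by that many bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def _cos(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # bytes in this entry after the size
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # components, realm not counted
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(specs: Sequence[Tuple[str, int, int, bytes]]) -> bytes:
    """Build a keytab from (principal, kvno, enctype, key) tuples; used for constructed test data."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def has_principal(entries: Sequence[KeytabEntry], principal: str) -> bool:
    return any(e.principal == principal for e in entries)


def unexpected_enctypes(entries: Sequence[KeytabEntry], allowed=DES_ENCTYPES) -> List[int]:
    """Enctypes present in the keytab that the command line did not ask for."""
    return sorted({e.enctype for e in entries if e.enctype not in allowed})


def summarize(entries: Sequence[KeytabEntry]) -> List[Tuple[str, str, int]]:
    return [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno) for e in entries]


# Constructed stand-in for c:\ssksso.keytab: the lab principal with a DES key and,
# to exercise the check, a second rc4-hmac entry. Keys are dummy zero bytes.
SAMPLE_KEYTAB = build_keytab([
    ("ssksso/win2k3-server.ciscosec.com@CISCOSEC.COM", 3, 3, bytes(8)),
    ("ssksso/win2k3-server.ciscosec.com@CISCOSEC.COM", 3, 23, bytes(16)),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for line in summarize(parse_keytab(data)):
        print(line)
```

Run it with the path to the real keytab as its only argument to list principal, enctype and kvno per entry; without an argument it parses the constructed sample. The kvno is the value to compare with what the DC reports for the ssksso account if SSO later fails with a ticket that cannot be decrypted.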
Return to the NAC Manager on Mgmt-PC and enable AD-SSO. Select CCA Servers under
Device Management and click the Manage button for the OOB Corporation Data Center
NAC Server. Next, select the Authentication > Windows Auth sub-tab. From the
Active Directory SSO screen, check the box to Enable Agent-Based Windows Single Sign-on
and click Update.
After clicking update, wait for the changes to be applied. Then, select the Status tab and verify
the Active Directory SSO Service is now started.
If Active Directory SSO is not started, follow these troubleshooting steps:
- Verify all configuration requirements in the lab.
- Verify that you ran the correct ktpass command. If not, delete the active directory account,
create a new account and run ktpass again.
- Make sure Active Directory Domain is in CAPS and NAC Server can resolve FQDN in DNS.
- Review the Configuring Active Directory Single Sign-On (AD SSO) section in the NAC Server
admin guide from cisco.com.
From the Device Management pane on the NAC Manager, select Clean Access. If XP Client is
in the Certified Device list, select the Clear Certified button.
On XP Client, issue ipconfig /release && ipconfig /renew from the command prompt. XP Client
will receive an IP in the 192.168.7.0/24 subnet and the agent will launch. The Kerberos ticket will
be shared and XP Client will be logged into NAC without entering credentials. After
successfully completing posture assessment, XP Client will be granted full network access and
receive an IP in the access VLAN.
If AD SSO is not successful, follow these troubleshooting steps. If you make any changes,
complete the TEST steps to determine if AD SSO is working.
- Verify all configuration requirements in the lab.
- Make sure the user is logged in with the domain account and not a local account.
- Ensure that the clocks on XP Client, the NAC Manager, NAC Server, and AD Server are within
five minutes of each other. To verify the time is correct on the NAC Manager, browse to
Administration > CCA Manager > System Time. To verify the time is correct on the NAC
Server, browse to Device Management > CCA Servers and select the manage icon for the Out-
of-Band Virtual Gateway. Select the Misc tab and the Time sub-tab. Ensure that the Date &
Time match the time on XP Client and the AD Server. If not, select Sync Current Time. If the
time is not correct on XP Client, issue a net time /set from a command prompt and reboot the PC.
- Verify that XP Client has the correct Service Ticket by selecting kerbtray from the Windows
Programs folder. Then right click the icon in the system tray and select List Tickets. The ticket you
are looking for is ssksso/win2k3-server.ciscosec.com. If XP Client does not have this ticket, there
is likely a communication error for XP Client in the Unauthenticated Role. Troubleshoot and close
the NAC Agent manual authentication window on XP Client to obtain the correct ticket from the
DC.
- Confirm the Traffic Control Policies for the Unauthenticated Role. Test AD SSO with an Allow
All Traffic policy in the Unauthenticated Role. If this is successful, it is likely that you are missing
a required port in the access policy.
- Review the Configuring Active Directory Single Sign-On (AD SSO) section in the NAC Server
admin guide from cisco.com.
*TEST: Follow the steps below to determine if AD SSO is working.
- Issue an ipconfig /release from a command prompt on XP Client
- Clear Certified on the NAC Manager
- Purge Tickets on XP Client
- Issue an ipconfig /renew from a command prompt on XP Client
- Wait for the agent to launch and for NAC AD SSO to complete.
- Verify XP Client is on the Certified Device List.
Congratulations, AD-SSO is now operational.
Assignment with Active Directory
Description: The LDAP lookup server is needed if you want to configure mapping rules so that users are
placed into roles based on AD attributes after AD SSO.
Objective: The goal is to define a lookup server and create a mapping based on an LDAP attribute. This
mapping is tied to a user role, and the subsequent VLAN will be assigned to the user, who is
defined in an AD group.
Steps
The LDAP lookup server is only needed if you want to configure mapping rules so that users are
placed into roles based on AD attributes after AD SSO. This is a requirement for the Corporation deployment, and the first step is to configure settings in the NAC Manager. You will need to define a
lookup server and create a mapping based on an LDAP attribute. Access the NAC Manager from
Mgmt-PC and select Auth Servers under the User Management pane. Select the Lookup Servers
tab and then the New sub-tab.
The fields below are case sensitive. Fill them in very carefully and then click Add.
Provider Name: ldap1
Server URL: ldap://192.168.3.10:389
Search Base Context: CN=Users,DC=CISCOSEC,DC=COM
Search Filter: sAMAccountName=$user$
Search(Admin) Full DN: CN=NAC lookup,CN=Users,dc=ciscosec,dc=com
Search(Admin) Password: cisco123
The next step is to edit the previously configured adsso provider. Select the Auth Servers tab and
then the Edit button associated with the adsso server.
Select Unauthenticated Role in the Default Role drop-down box and ldap1 in the LDAP Lookup
Server drop-down box, and click Update. Now users accessing this Auth Server will be placed in the
Unauthenticated Role unless the LDAP lookup server can map them to the appropriate role.
Select the Mapping Rules tab and click the Add Mapping Rule link.
Start with the lower half of the window and set the fields per the details below. Click the Add
Condition button, not Add Mapping, when complete.
Condition Type: Attribute
Operator: contains
Attribute Name: memberOf (upper-case O)
Attribute Value: Defender (an existing AD Group that contains XP Client)
In the upper part of this window, select defender from the Role Name drop-down box and click
Add Mapping.
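To make the lookup-and-mapping logic concrete, here is an added example (not Cisco NAC code, and not part of the lab) that simulates what the lookup server and the mapping rule do with the values configured above: the sAMAccountName=$user$ filter is built with the user name substituted in, the user's memberOf values are fetched from a small directory constructed in the code, and the first matching rule assigns the role, falling back to the Unauthenticated Role. Two things it assumes: the login name is escaped per RFC 4515 before it is put into the filter, and attribute values compare case-insensitively as AD does for DNs. It also goes slightly beyond the lab by showing why "contains Defender" is a substring match: a group whose name merely starts with Defender matches too, whereas matching on the DN prefix "CN=Defender," does not.

```python
"""Simulated NAC lookup server and mapping rule evaluation. Added example, constructed data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Values from the lab configuration
SEARCH_FILTER = "sAMAccountName=$user$"
DEFAULT_ROLE = "Unauthenticated Role"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP search filter.
    Without it, a login name containing '*', '(' or ')' changes the query itself."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_search_filter(template: str, user: str) -> str:
    # The lab's filter has no outer parentheses; a real lookup wraps it as shown here.
    return "(" + template.replace("$user$", escape_filter_value(user)) + ")"


@dataclass
class MappingRule:
    role: str        # Role Name chosen in the upper half of the window
    attribute: str   # Attribute Name, e.g. memberOf
    operator: str    # "contains" or "equals"
    value: str       # Attribute Value


def condition_matches(attrs: Dict[str, Sequence[str]], rule: MappingRule) -> bool:
    # Assumption: values compare case-insensitively, as AD does for DNs.
    values = [v.lower() for v in attrs.get(rule.attribute, [])]
    needle = rule.value.lower()
    if rule.operator == "contains":
        return any(needle in v for v in values)      # substring match
    if rule.operator == "equals":
        return any(needle == v for v in values)
    raise ValueError("unknown operator: " + rule.operator)


def assign_role(attrs: Optional[Dict[str, Sequence[str]]], rules: Sequence[MappingRule],
                default_role: str = DEFAULT_ROLE) -> str:
    """First matching rule wins; no lookup result or no match gives the default role."""
    if attrs is None:
        return default_role
    for rule in rules:
        if condition_matches(attrs, rule):
            return rule.role
    return default_role


# Constructed stand-in for CN=Users,DC=CISCOSEC,DC=COM, keyed by sAMAccountName
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "xpclient": {"memberOf": ["CN=Defender,CN=Users,DC=ciscosec,DC=com"]},
    "contractor": {"memberOf": ["CN=Defender-Contractors,CN=Users,DC=ciscosec,DC=com"]},
    "guest": {"memberOf": ["CN=Guests,CN=Builtin,DC=ciscosec,DC=com"]},
}


def lookup(user: str) -> Optional[Dict[str, List[str]]]:
    """Mimic the lookup server: build the filter, then apply its equality match."""
    flt = build_search_filter(SEARCH_FILTER, user)
    # A real lookup sends flt to ldap://192.168.3.10:389 under the Search Base Context;
    # here the same equality test runs against the constructed directory.
    wanted = flt[len("(sAMAccountName="):-1]
    for name, attrs in DIRECTORY.items():
        if escape_filter_value(name).lower() == wanted.lower():
            return attrs
    return None


LAB_RULES = [MappingRule("defender", "memberOf", "contains", "Defender")]
STRICT_RULES = [MappingRule("defender", "memberOf", "contains", "CN=Defender,")]


def role_for(user: str, rules: Sequence[MappingRule] = LAB_RULES) -> str:
    return assign_role(lookup(user), rules)


if __name__ == "__main__":
    for u in ("xpclient", "contractor", "guest", "nosuchuser", "*"):
        print(u, "->", role_for(u), "| strict:", role_for(u, STRICT_RULES))
```

The contractor entry is the one to watch: with the lab rule it lands in the defender role because "Defender" is a substring of "Defender-Contractors", which is more access than the Defender group alone was meant to grant; anchoring the value on "CN=Defender," keeps the mapping to that one group.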
Add the Windows Userid that NAC Manager will use to do LDAP lookups on the AD Server.
Return to the DC and access Active Directory Users and Computers. Right click on the Users folder
and select New > User.
Complete the two screens with the details below. It is very important that the full name matches the
Search (Admin) Full DN you just entered for the lookup server above.
First name: NAC
Last name: lookup
Full Name: NAC lookup
User logon name: naclookup
Password: cisco123
Check Password Never Expires box
Uncheck User must change password at next logon box
Double-click on the user you just created, NAC lookup, and select the MemberOf tab.
Click Add and enter Domain admins in the object names field and click Check Names. The DC
should successfully resolve this to Domain Admins. If so, click OK & OK to close the open windows.
Test AD-SSO with the Role mappings and simulate a workstation reboot:
On the NAC Manager, select Clean Access in the Device Management pane. Click Clear Certified
to remove XP Client from the Certified Device list.
On XP Client, open a command prompt and issue ipconfig /release && ipconfig /renew.
Once XP Client is on the network, return to the NAC Manager and verify that it is in the
defender role. To do so, select Clean Access in the Device Management pane.
If XP Client is in the Unauthenticated role, troubleshoot your configuration. NAC has a built-in
Auth Test that you can leverage instead of clearing the certified devices and requesting a new IP
on XP Client. To use it, select Auth Servers in the User Management pane and then select
the Auth Test tab. On this screen, enter XP Client in the User Name field, select adsso in the
Provider drop-down box, and click Submit. Use the information shown there to help troubleshoot your
configuration.