Integration NAC With Active Directory

Date post: 03-Apr-2018
Upload: gestradag
  • 7/28/2019 Integration NAC With Active Directory


NAC Active Directory Single Sign-on

Description: Configure NAC Active Directory Single Sign-on.

Objective: The goal is to configure AD-SSO and set the default Role. This allows administrators to set up a single authentication method for users when deploying NAC. Before the user connects to the network, the NAC Server has to determine whether the user is valid against the AD infrastructure. This also gives a better user experience and does not prompt the user for more than one authentication on a network.

Steps: Select the Authentication tab and the Windows Auth sub-tab. This will bring you to the Active Directory SSO screen, where you can complete the fields using the data shown below. Note that items are case sensitive. Also, do not check the Enable box yet! We will return to this screen later to enable SSO.

    Active Directory Server (FQDN): win2k3-server.ciscosec.com

    Active Directory Domain: CISCOSEC.COM

    Account Name for CAS: ssksso

    Account Password for CAS: cisco123

    Active Directory SSO Auth Server: adsso

    Click Update.


Kerberos is sensitive to clock skew; the skew between hosts cannot be greater than five minutes. Prior to moving on, ensure that the time on the NAC Server is synchronized with the Time Server. Select the Misc tab and the Time sub-tab. Click Sync Current Time. The virtual machines should sync their time from the Domain Controller X.X.X.X. If you are having trouble, then manually set the time.

Build the AD-SSO account on Windows and authorize it for Kerberos using the ktpass command

In order for the NAC Server to check with the AD Server to see if a Kerberos ticket is valid, the ID we entered in the above section, ssksso, needs to be created in AD and given Kerberos rights with the ktpass command. This command is part of the additional support tools for Windows Servers.


Select Active Directory Users and Computers on the desktop and add the ssksso user with a password of cisco123. Right click on the Users folder and select New > User.

Enter ssksso in the First name, Full name, and User logon name fields and click Next.

Enter a password of cisco123, uncheck the box User must change password at next logon, and check the box for Password never expires. Click Next and then Finish to create the user.


Kerberos is sensitive to clock skew; the skew cannot be greater than five minutes. To achieve the same on the Windows server, open a command prompt and type the following commands:

net stop w32time
net start w32time

Configure XP Client to pull time from the DC so that all components are in sync. To do so, open a command prompt on XP Client and type net time /domain /set /yes.

Note: This will complete successfully if XP Client is still on the certified devices list. Later in the lab, we will implement policies for the unauthenticated role to allow NTP through before XP Client is authenticated.

With the ssksso userid added to AD and time synchronized, the next step is to run the ktpass command to grant the ssksso user access to check Kerberos tickets. Open a command prompt and enter the ktpass command. This command is case sensitive and it is critical to enter it correctly. In order to improve accuracy, we have the command in a text file from which you can cut and paste.

Select the SSK File folder on the desktop or navigate to C:\SSK. Open the ADSSO folder and the ktpass.txt file. Select all the text (Ctrl-A) and copy (Ctrl-C) it to the clipboard. Paste the text into the command prompt window and wait for the command to execute.


The ktpass command is described in detail in the configuration guides and Microsoft tech articles. One important item to document is the output from the command. A best practice is to save the exact command you ran and its output to a text file and keep it for a possible engagement with Cisco TAC.

Here is the command as entered in our lab:

ktpass.exe -princ ssksso/[email protected] -mapuser ssksso -pass cisco123 -out c:\ssksso.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

Return to the NAC Manager on Mgmt-PC and enable AD-SSO. Select CCA Servers under Device Management and click the Manage button for the OOB Corporation Data Center NAC Server. Next, select the Authentication > Windows Auth sub-tab. From the Active Directory SSO screen, check the box to Enable Agent-Based Windows Single Sign-on and click Update.


After clicking Update, wait for the changes to be applied. Then, select the Status tab and verify that the Active Directory SSO Service is now started.

If Active Directory SSO is not started, follow these troubleshooting steps:

- Verify all configuration requirements in the lab.
- Verify that you ran the correct ktpass command. If not, delete the Active Directory account, create a new account and run ktpass again.
- Make sure the Active Directory Domain is in CAPS and the NAC Server can resolve the FQDN in DNS.
- Review the Configuring Active Directory Single Sign-On (AD SSO) section in the NAC Server admin guide from cisco.com.

From the Device Management pane on the NAC Manager, select Clean Access. If XP Client is in the Certified Device list, select the Clear Certified button.

On XP Client, issue ipconfig /release && ipconfig /renew from the command prompt. XP Client will receive an IP in the 192.168.7.0/24 subnet and the agent will launch. The Kerberos ticket will be shared and XP Client will be logged into NAC without the user entering credentials. After successfully completing posture assessment, XP Client will be granted full network access and receive an IP in the access VLAN.


If AD SSO is not successful, follow these troubleshooting steps. If you make any changes, complete the TEST steps to determine if AD SSO is working.

- Verify all configuration requirements in the lab.
- Make sure the user is logged in with the domain account and not a local account.
- Ensure that the clocks on XP Client, the NAC Manager, the NAC Server, and the AD Server are within five minutes of each other. To verify the time is correct on the NAC Manager, browse to Administration > CCA Manager > System Time. To verify the time is correct on the NAC Server, browse to Device Management > CCA Servers and select the manage icon for the Out-of-Band Virtual Gateway. Select the Misc tab and the Time sub-tab. Ensure that the Date & Time match the time on XP Client and the AD Server. If not, select Sync Current Time. If the time is not correct on XP Client, issue a net time /set from a command prompt and reboot the PC.
- Verify that XP Client has the correct Service Ticket by selecting kerbtray from the Windows Programs folder. Then right click the icon in the system tray and select List Tickets. The ticket you are looking for is ssksso/win2k3-server.ciscosec.com. If XP Client does not have this ticket, there is likely a communication error for XP Client in the Unauthenticated Role. Troubleshoot, then close the NAC Agent manual authentication window on XP Client to obtain the correct ticket from the DC.
- Confirm the Traffic Control Policies for the Unauthenticated Role. Test AD SSO with an Allow All Traffic policy in the Unauthenticated Role. If this is successful, it is likely that you are missing a required port in the access policy.
- Review the Configuring Active Directory Single Sign-On (AD SSO) section in the NAC Server admin guide from cisco.com.
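As an added illustration, not part of the lab or Cisco's software, the following Python script encodes the checks from the two troubleshooting lists above: the AD domain in CAPS, the ktpass principal naming the AD server FQDN and realm, and every clock within five minutes of the domain controller. The lab's field values are filled in; the full principal string (SPN plus realm) and the clock readings are constructed for the example.

```python
MAX_SKEW_SECONDS = 300  # the five-minute Kerberos tolerance quoted in the lab

def check_adsso(cfg, clocks):
    """cfg: the Active Directory SSO fields as a dict; clocks: host name ->
    its current time in Unix seconds. Returns a list of findings; an empty
    list means every check from the troubleshooting lists passed."""
    findings = []
    domain = cfg["ad_domain"]
    if domain != domain.upper():
        findings.append(f"AD domain '{domain}' must be in CAPS")
    # The principal registered with ktpass must be account/<AD server FQDN>@<REALM>
    try:
        service, rest = cfg["principal"].split("/", 1)
        host, realm = rest.split("@", 1)
    except ValueError:
        findings.append("principal must look like account/fqdn@REALM")
        return findings
    if service != cfg["account"]:
        findings.append(f"principal account '{service}' != CAS account '{cfg['account']}'")
    if host.lower() != cfg["ad_server_fqdn"].lower():
        findings.append(f"principal host '{host}' != AD server FQDN '{cfg['ad_server_fqdn']}'")
    if realm != domain.upper():
        findings.append(f"principal realm '{realm}' != AD domain '{domain.upper()}'")
    # Every participant's clock is compared against the domain controller
    dc = clocks["AD Server"]
    for name, t in clocks.items():
        skew = abs(t - dc)
        if skew > MAX_SKEW_SECONDS:
            findings.append(f"{name} clock differs from AD Server by {skew} s")
    return findings

# The lab's settings; the principal joins the SPN from the kerbtray check
# (ssksso/win2k3-server.ciscosec.com) with the realm CISCOSEC.COM.
LAB_CFG = {
    "ad_server_fqdn": "win2k3-server.ciscosec.com",
    "ad_domain": "CISCOSEC.COM",
    "account": "ssksso",
    "principal": "ssksso/win2k3-server.ciscosec.com@CISCOSEC.COM",
}

if __name__ == "__main__":
    # Constructed clock readings: NAC Server is 6 minutes ahead of the DC
    clocks = {"AD Server": 1564315200, "NAC Manager": 1564315230,
              "NAC Server": 1564315560, "XP Client": 1564315150}
    for line in check_adsso(LAB_CFG, clocks) or ["all AD SSO pre-checks passed"]:
        print(line)
```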


TEST: Follow the steps below to determine if AD SSO is working.

- Issue an ipconfig /release from a command prompt on XP Client.
- Clear Certified on the NAC Manager.
- Purge Tickets on XP Client.
- Issue an ipconfig /renew from a command prompt on XP Client.


- Wait for the agent to launch and for NAC AD SSO to complete.
- Verify XP Client is on the Certified Device List.

Congratulations, AD-SSO is now operational.


    Assignment with Active Directory

Description: The LDAP lookup server is needed if you want to configure mapping rules so that users are placed into roles based on AD attributes after AD SSO.

Objective: The goal is to define a lookup server and create a mapping based on an LDAP attribute. This mapping is tied to a user role, and the subsequent VLAN will be assigned to the user, which is defined in an AD group.

Steps

The LDAP lookup server is only needed if you want to configure mapping rules so that users are placed into roles based on AD attributes after AD SSO. This is a requirement for the Corporation deployment, and the first step is to configure settings in the NAC Manager. You will need to define a lookup server and create a mapping based on an LDAP attribute. Access the NAC Manager from Mgmt-PC and select Auth Servers under the User Management pane. Select the Lookup Servers and then the New sub-tab.

    The fields below are case sensitive. Fill them in very carefully and then click Add.

    Provider Name: ldap1

    Server URL: ldap://192.168.3.10:389

    Search Base Context: CN=Users,DC=CISCOSEC,DC=COM

    Search Filter: sAMAccountName=$user$

    Search(Admin) Full DN: CN=NAC lookup,CN=Users,dc=ciscosec,dc=com

    Search(Admin) Password: cisco123


The next step is to edit the previously configured adsso provider. Select the Auth Servers tab and then the Edit button associated with the adsso server.

Select Unauthenticated Role in the Default Role drop-down box and ldap1 in the LDAP Lookup Server drop-down box and click Update. Now users accessing this Auth Server will be placed in the Unauthenticated Role unless the LDAP lookup server can map them to the appropriate role.


Select the Mapping Rules tab and click the Add Mapping Rule link.

Start with the lower half of the window and set the fields per the details below. Click the Add Condition button, not Add Mapping, when complete.

Condition Type: Attribute

Operator: contains

Attribute Name: memberOf (upper case O)

Attribute Value: Defender (an existing AD group that contains XP Client)

In the upper part of this window, select defender from the Role Name drop-down box and click Add Mapping.
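As an added example, not NAC's own code, this Python model shows what the lookup server and mapping rule configured above do after AD SSO: the $user$ placeholder in the search filter is filled in, the directory is searched, and the memberOf contains Defender rule yields the defender role, with everything else falling back to the Default Role. The directory entries and the logon name xpclient are constructed stand-ins, and the RFC 4515 escaping of the user name is this example's own hardening rather than a documented NAC behaviour.

```python
import re

DEFAULT_ROLE = "Unauthenticated Role"      # Default Role set on the adsso provider
SEARCH_FILTER = "sAMAccountName=$user$"    # Search Filter of lookup server ldap1
MAPPING_RULES = [                          # (attribute, operator, value, role)
    ("memberOf", "contains", "Defender", "defender"),
]
# Constructed stand-in for CN=Users,DC=CISCOSEC,DC=COM; logon name xpclient is assumed.
DIRECTORY = [
    {"sAMAccountName": "xpclient",
     "memberOf": ["CN=Defender,CN=Users,DC=CISCOSEC,DC=COM"]},
    {"sAMAccountName": "naclookup",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=CISCOSEC,DC=COM"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping: the user name is matched literally and cannot add
    wildcards or extra clauses to the configured filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(user):
    """Fill the $user$ placeholder exactly as configured on the lookup server."""
    return "(" + SEARCH_FILTER.replace("$user$", escape_filter_value(user)) + ")"

def _value_regex(value):
    """Value side of (attr=value): '*' is a wildcard, '\\xx' a literal char."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "*":
            parts.append(".*"); i += 1
        elif value[i] == "\\":
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16)))); i += 3
        else:
            parts.append(re.escape(value[i])); i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)  # AD ignores case

def search(directory, ldap_filter):
    """Minimal equality search over the in-memory directory."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    rx = _value_regex(value)
    return [e for e in directory if rx.match(str(e.get(attr, "")))]

def assign_role(directory, user):
    """Role the NAC Manager hands the user once AD SSO has identified them."""
    entries = search(directory, build_filter(user))
    if len(entries) != 1:                  # not found or ambiguous: fall back
        return DEFAULT_ROLE
    for attr, op, needle, role in MAPPING_RULES:
        if op == "contains" and any(needle in v for v in entries[0].get(attr, [])):
            return role
    return DEFAULT_ROLE
```

Note that contains is a substring test, so a group named Defenders would also satisfy the rule; match on the full group DN if the directory has such names.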


    Add the Windows Userid that NAC Manager will use to do LDAP lookups on the AD Server.

    Return to the DC and access Active Directory Users and Computers. Right click on the Users folder

    and select New > User.


    Complete the two screens with the details below. It is very important that the full name match the

    settings you just added for the mapping server above.

    First name: NAC

    Last name: lookup

    Full Name: NAC lookup

    User logon name: naclookup

    Password: cisco123

    Check Password Never Expires box

    Uncheck User must change password at next logon box

Double-click on the user you just created, NAC lookup, and select the Member Of tab.


Click Add and enter Domain admins in the object names field and click Check Names. The DC should successfully resolve this to Domain Admins. If so, click OK and OK to close the open windows.

Test AD-SSO with the role mappings and simulate a workstation reboot:

On the NAC Manager, select Clean Access in the Device Management pane. Click Clear Certified to remove XP Client from the Certified Device list.


On XP Client, open a command prompt and issue ipconfig /release && ipconfig /renew.

Once XP Client is on the network, return to the NAC Manager and verify that it is in the defender role. To do so, select Clean Access in the Device Management pane.


If XP Client is in the Unauthenticated role, troubleshoot your configuration. NAC has a built-in Auth Test that you can leverage instead of clearing the certified devices and requesting a new IP on XP Client. To utilize this, select Auth Servers in the User Management pane and then select the Auth Test tab. On this screen, enter XP Client in the User Name field, select adsso in the Provider drop-down box, and click Submit. Use the information here to help troubleshoot your configuration.

