> Date: Wed, 29 Oct 2008 14:14:11 -0500
> From: Jeff Stewart
> Subject: AD SSO
>
> I feel like I have followed all of the directions for setting up AD SSO
> but I can't get the service to start on the CAS. Anyone out there have
> similar trouble?
>
> Thanks,
>
> Jeff
>
> --
> Jeffrey Stewart
>
> Network Engineer
> Network Computing & Support
> Western Kentucky University
>
> "better than a sharp stick in the eye"
>
> ------------------------------
If you are running a virtual gateway, and your managed LAN has the same
address space as your AD DCs have, you may want to add a /32 route to
each of your AD DC servers indicating that the traffic should leave on
the secure interface, not the interface facing the managed LAN. In our
case we had a flat LAN like that and had the same issue.
Also, check all the Cisco-suggested culprits, especially time. Kerberos
hates clock drift. Also make sure you have a traffic policy that
supports AD authentication from your unauthenticated LAN to the LAN your
servers are on. I think the NAC should automatically proxy this
authentication traffic, but since it doesn't, you have to open at least
one DC to the unauthenticated clients on a lot of bad ports to support
authentication, which kind of begs the whole NAC question.
My policy currently allows the following ports:
TCP: 67 (DHCP), 88 (Kerberos), 135 (RPC), 137 and 138 (NetBIOS), 389 (LDAP),
445 (SMB), 1025 (RPC), 1026 (RPC)
UDP: 53 (DNS), 67 (BOOTP), 68 (DHCP), 88 (Kerberos), 389 (LDAP), 636 (LDAP over SSL)
I had to re-run KTPASS a few times before everybody got on the same
page; I don't know why exactly.
Finally, have you tried starting it manually by toggling the enable
check box on and off? Occasionally, SSO just won't start. That's not
supposed to happen, but it does. It even happened in my CANAC
Cisco-sanctioned classroom lab.
If you still don't resolve this, could you provide a bit more specifics
about your config? If you already have, I apologize, I don't always read
the list as diligently as I should.
Cheers,
Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone (559) 868-6367
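The reply above boils down to three things to verify before blaming the CAS: the unauthenticated role can actually reach the DC on the AD ports, the DC is reached via the intended interface (the /32 route point), and client and KDC clocks agree within Kerberos tolerance. The script below is an added example, not code from the list post or from Cisco; it runs those checks from a host on the managed LAN. The DC addresses are constructed, and the TCP port set is the post's TCP list with 67, 137 and 138 left out because they are UDP services in practice and a TCP connect to them would fail on a healthy DC. The 5-minute skew limit is the Kerberos default for Windows KDCs. The `connect` parameter lets you swap in the fake connector at the bottom for an offline dry run; against real DCs leave it at the default.

```python
"""Preflight checks for AD SSO from a NAC-managed (unauthenticated) LAN.

Added example, not code from the original mailing-list post. DC addresses
are hypothetical; the fake connector lets the module run offline.
"""
import socket
from datetime import datetime, timedelta, timezone

# TCP ports the post's traffic policy opens from the unauthenticated LAN to the DCs.
# 67, 137 and 138 from the post are UDP services and are omitted from TCP probing.
AD_TCP_PORTS = {
    88: "kerberos",
    135: "rpc-endpoint-mapper",
    389: "ldap",
    445: "smb",
    1025: "rpc",
    1026: "rpc",
}

# Default maximum clock skew a Windows KDC tolerates before rejecting requests.
MAX_KERBEROS_SKEW = timedelta(minutes=5)


def tcp_open(host, port, connect=socket.create_connection, timeout=2.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        conn = connect((host, port), timeout)
    except OSError:
        return False
    try:
        conn.close()
    except OSError:
        pass
    return True


def check_dc(host, ports=AD_TCP_PORTS, connect=socket.create_connection):
    """Probe every port; return the subset that is NOT reachable, keyed by port."""
    return {port: name for port, name in ports.items()
            if not tcp_open(host, port, connect)}


def kerberos_skew_ok(client_time, kdc_time, max_skew=MAX_KERBEROS_SKEW):
    """True when |client - kdc| is within the KDC's tolerance."""
    return abs(client_time - kdc_time) <= max_skew


def preflight(dcs, connect=socket.create_connection, client_time=None, kdc_times=None):
    """Run every check against each DC; return a list of findings (empty list = clean)."""
    findings = []
    for dc in dcs:
        blocked = check_dc(dc, connect=connect)
        for port, name in sorted(blocked.items()):
            findings.append(f"{dc}: TCP/{port} ({name}) unreachable; "
                            "check the traffic policy and the /32 route to this DC")
        if client_time is not None and kdc_times and dc in kdc_times:
            if not kerberos_skew_ok(client_time, kdc_times[dc]):
                findings.append(f"{dc}: clock skew exceeds {MAX_KERBEROS_SKEW}; "
                                "Kerberos will reject tickets")
    return findings


def fake_connect_factory(open_ports):
    """Build an offline stand-in for socket.create_connection.

    open_ports maps host -> set of ports that should appear reachable;
    anything else raises like a refused connection would."""
    class _Closed:
        def close(self):
            pass

    def _connect(address, timeout=None):
        host, port = address
        if port in open_ports.get(host, ()):
            return _Closed()
        raise ConnectionRefusedError(f"{host}:{port}")
    return _connect


if __name__ == "__main__":
    # Constructed sample: DC1 has everything open, DC2 is missing Kerberos and LDAP
    # and its clock is 7 minutes ahead of the client.
    dcs = ["10.0.0.10", "10.0.0.11"]
    fake = fake_connect_factory({"10.0.0.10": set(AD_TCP_PORTS),
                                 "10.0.0.11": {135, 445, 1025, 1026}})
    now = datetime(2008, 10, 29, 14, 14, 11, tzinfo=timezone.utc)
    for line in preflight(dcs, connect=fake, client_time=now,
                          kdc_times={"10.0.0.11": now + timedelta(minutes=7)}):
        print(line)
    # Against real DCs: preflight(["10.0.0.10"]) probes with socket.create_connection.
```

Run it once from a client that has not yet authenticated to the CAS and once from a host on the trusted side; if the trusted side succeeds and the managed side does not, the traffic policy (or the interface the CAS is sourcing from) is the problem rather than the SSO service itself. For the clock check on a real DC, feed `kdc_times` from `w32tm /stripchart` or an NTP query rather than the constructed value here.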