NAC Active Directory Single Sign-on

Description
Configure NAC Active Directory Single Sign-on

Objective
The goal is to configure AD-SSO and set the default Role. This allows administrators to setup a single
authentication method for users when deploying NAC. Before the user connects to the network the NAC Server has to determine if the user is a valid one against the AD infrastructure. This also allows better user experience and does not prompt the user for more than one authentication on a network.

Steps
Select the Authentication tab and the Windows Auth sub-tab. This will bring you to the Active Directory SSO screen where you can complete the fields using the data shown below. Note that items are case sensitive. Also, do not check the Enable box yet! We will return to this screen later to enable SSO. Active Directory Server (FQDN): win2k3-server.ciscosec.com

Active Directory Domain: CISCOSEC.COM Account Name for CAS: ssksso

Account Password for CAS: cisco123 Active Directory SSO Auth Server: adsso Click Update.

Kerberos is sensitive to clock and skew cannot be greater than five minutes. Prior to moving on, ensure that time on the NAC Server is synchronized with the Time Server. Select the Misc tab and Time sub-tab. Click Sync Current Time. The Virtual machines should sync their time from the Domain Controller X.X.X.X If you are having trouble then manually set the time.

Build AD-SSO Account on Windows and authorize it for Kerberos using the ktpass command In order for the NAC Server to check with the AD Server to see if a Kerberos ticket is valid, the ID we created in the above section, nacsso, needs to be created in AD and given Kerberos rights with the ktpass command. This command is part of the additional support tools for Windows Servers.

Select Active Directory Users and Computers on the desktop and add the ssksso user with a password of cisco123. Right click on the Users folder and select New > User.

Enter ssksso in the First name, Full name, and User logon name fields and click Next. Enter a password of cisco123, uncheck the box User must change password at next logon, and check the box for Password never expires. Click Next and then Finish to create the user.

Kerberos is sensitive to clock and skew cannot be greater than five minutes. To achieve the same with the windows server open a command prompt and type the following commands. net stop w32time net start w32time

Configure XP Client to pull time from the DC so that all components are in sync. To do so, open a command prompt on XP Client and type net time /domain /set /yes.

Note: This will complete successfully if XP Client is still on the certified devices list. Later in the lab, we will implement policies for the unauthenticated role to allow ntp through before XP Client is authenticated. With the ssksso userid added to AD and time synchronized, the next step is to run the ktpass command to grant the ssksso user access to check Kerberos tickets. Open a command prompt and enter the ktpass command. This command is case sensitive and it is critical to enter it correctly. In order to improve accuracy, we have the command in a text file from which you can cut and paste. Select the SSK File folder on the desktop or navigate to C:\SSK. Open the ADSSO folder and the ktpass.txt file. Select all the text (Ctrl-A) and copy (Ctrl-C) it to the clipboard. Paste the text into the command prompt window and wait for the command to execute.

The ktpass command is described in detail in the configuration guides and Microsoft tech articles. One important item to document is the output from the command. A best practice is the save the exact command you ran and the output to a text file and keep it for possible engagement with Cisco TAC. Here is the command as entered in our lab: ktpass.exe -princ ssksso/win2k3server.ciscosec.com@CISCOSEC.COM -mapuser ssksso -pass cisco123 -out c:\ssksso.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly Return to the NAC Manager on Mgmt-PC and enable AD-SSO. Select CAA Servers under Device Management and click the Manage button for the OOB Corporation Data Center NAC Server. Next, select the Authentication > Windows Auth sub-tab. From the Active Directory SSO screen, check the box to Enable Agent-Based Windows Single Signon and click Update.

After clicking update, wait for the changes to be applied. Then, select the Status tab and verify the Active Directory SSO Service is now started. If Active Directory SSO is not started, follow these troubleshooting steps: - Verify all configuration requirements in the lab. - Verify that you ran the correct ktpass command. If not, delete the active directory account, create a new account and run ktpass again. - Make sure Active Directory Domain is in CAPS and NAC Server can resolve FQDN in DNS. - Review the Configuring Active Directory Single Sign-On (AD SSO) section in the NAC Server admin guide from cisco.com. From the Device Management pane on the NAC Manager, select Clean Access. If XP Client is in the certified Device list, select the Clear Certified button. On XP Client issue an ipconfig /release && ipconfig /renew from the command prompt. XP Client will receive an IP in the 192.168.7.0/24 subnet and the agent will launch. The Kerberos ticket will be shared and XP Client will be logged into NAC without entering his credentials. After successfully completing posture assessment, XP Client will be granted full network access and receive an IP in the access vlan.

If AD SSO is not successful, follow these troubleshooting steps. If you make any changes, complete the TEST steps to determine if AD SSO is working. - Verify all configuration requirements in the lab. - Make sure the user is logged in with the domain account and not a local account. - Ensure that the clocks on XP Client, the NAC Manager, NAC Server, and AD Server are within five minutes of each other. To verify the time is correct on the NAC Manager browse to Administration > CCA Manager > System Time. To verify the time is correct on the NAC Server, browse to Device Management > CCA Servers and select the manage icon for the Outof-Band Virtual Gateway. Select the Misc tab and the Time sub-tab. Ensure that the Date & Time match the time on XP Client and the AD Server. If not, select Sync Current Time. If the time is not correct on XP Client issue a net time /set from a command prompt and reboot the PC.

- Verify that XP Client has the correct Service Ticket by selecting kerbtray from the Windows Programs folder. Then right click the icon in the system try and select List Tickets. The ticket you are looking for is ssksso/win2k3-server.ciscosec.com. If XP Client does not have this ticket, there is likely a communication error for XP Client in the Unauthenticated Role. Troubleshoot and close the NAC Agent manual authentication window on to XP Client to obtain the correct ticket from the DC.

- Confirm the Traffic Control Policies for the Unauthenticated Role. Test AD SSO with an Allow All Traffic policy in the Unauthenticated Role. If this is successful, it is likely that you are missing a required port in the access policy. - Review the Configuring Active Directory Single Sign-On (AD SSO) section in the NAC Server admin guide from cisco.com.

*TEST: Follow the steps below to determine if AD SSO is working. - Issue an ipconfig /release from a command prompt on XP Client

Clear Certified on the NAC Manager

Purge Tickets on XP Client

Issue an ipconfig /renew from a command prompt on XP Client

Wait for the agent to launch and for NAC AD SSO to complete.

Verify XP Client is on the Certified Device List

Congratulations AD-SSO is now operational

Assignment with Active Directory

Description
The LDAP lookup server is needed if you want to configure mapping rules so that users are placed into roles based on AD attributes after AD SSO.

Objective
The goal is to define a lookup server and create a mapping based on an LDAP attribute. This
mapping is tied to a user role and the subsequent vlan will be assigned to the user which is defined in an AD group.

Steps
The LDAP lookup server is only needed if you want to configure mapping rules so that users are placed into roles based on AD attributes after AD SSO. This is a requirement for the Corporation deployment and the first step is to configure settings in the NAC Manager. You will need to define a lookup server and create a mapping based on an LDAP attribute. Access the NAC Manager from Mgmt-PC and select Auth Servers under the User Management pane. Select the Lookup Servers and then the New sub-tab.

The fields below are case sensitive. Fill them in very carefully and then click Add.

Provider Name: ldap1 Server URL: ldap://192.168.3.10:389 Search Base Context: CN=Users,DC=CISCOSEC,DC=COM Search Filter: sAMAccountName=$user$ Search(Admin) Full DN: CN=NAC lookup,CN=Users,dc=ciscosec,dc=com Search(Admin) Password: cisco123

10

The next step is to edit the previously configured adsso provider. Select the Auth Servers tab and then the Edit button associated with the adsso server.

Select Unauthenticated Role in the Default Role drop-down box and ldap1 in the LDAP Lookup Server drop-down box and click Update. Now users accessing this Auth Server will be placed in the Unauthenticated Role unless the LDAP lookup server can map them to the appropriate role.

11

Select the Mapping Rules tab and click the Add Mapping Rule link.

Start with the lower half of the window and set the fields per the details below. Click the Add Condition button not Add Mapping when complete.

Condition Type: Attribute Operator: contains Attribute Name: memberOf (upper case o) Attribute Value: Defender (an existing AD Group that contain XP Client)

In the upper part of this window, select defender from the Role Name drop-down box and click Add Mapping

12

Add the Windows Userid that NAC Manager will use to do LDAP lookups on the AD Server. Return to the DC and access Active Directory Users and Computers. Right click on the Users folder and select New > User.

13

Complete the two screens with the details below. It is very important that the full name match the settings you just added for the mapping server above. First name: Last name: Full Name: NAC lookup NAC lookup

User logon name: naclookup Password: cisco123 Check Password Never Expires box Uncheck User must change password at next logon box

Double-click on the user you just created, NAC lookup, and select the MemberOf tab.

14

Click Add and enter Domain admins in the object names field and click Check Names. The DC should successfully resolve this to Domain Admins. If so click OK & OK to close the open windows.

Test AD-SSO with the Role mappings and simulate a workstation reboot: On the NAC Manager select Clean Access in the Device Management pane. Click Clear Certified to remove XP Client from the certified Device list.

15

On XP Client, open a command prompt and issue an ipconfig /release && ipconfig /renew. Once XP Client is on the network, return to the NAC Manager and verify that he is in the defender role. To do so, select Clean Access in the Device Management pane.

16

If XP Client is in the Unauthenticated role troubleshoot your configuration. NAC has a built in Auth Test that you can leverage instead of clearing the certified devices and requesting a new IP on XP Client. To utilize this, select Auth Servers in the User Management pane and then select the Auth Test tab. On this screen enter XP Client in the User Name field, select adsso in the Provider drop-down box, and click Submit. Use the information here to help troubleshoot your configuration.

17