Prior to version 4.7.1 Cisco NAC would only support DES for Kerberos. This affected the Kerberos authentication type and AD SSO authentication type. With version 4.7.1, NAC started supporting negotiation of the encryption authentication that was used with NAC. According to the 4.7.1 release notes, NAC can now “negotiate any of the standard Kerberos encryption protocols (except for AES 256, due to export restrictions)”. This implies that RC4-HMAC and AES128 are now supported.
References
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/471rn.html#wp1013839