Troubleshooting Cisco NAC AD SSO

NetCraftsmen®

When deploying Cisco NAC for desktop computers, it is imperative to minimize the impact on the end user experience as much as possible.  This helps to ensure that the NAC deployment does not get derailed by user complaints.  One way to minimize the impact is to implement Active Directory Single Sign-On (AD SSO).  With AD SSO, the user only has to complete their Microsoft logon.  The NAC Appliance uses Kerberos to verify the user’s authenticity instead of prompting for a NAC logon.  AD SSO on the NAC Appliance is easy to configure incorrectly, even with the detailed steps in the Cisco NAC Server Configuration Guide.  The basic steps are listed below.

  1. Configure an AD SSO authentication server on the NAC Manager (NAM)
  2. Configure the specific parameters in the NAC Server portion of the NAM Web GUI
  3. Configure a user in the Microsoft active directory domain with basic user rights
  4. Configure the domain controller with the ktpass command using the user created above
  5. Enable AD SSO in the NAC Server portion of the NAM Web GUI

Please read the configuration information, at that link, to get a more detailed understanding of how to configure AD SSO.  I’d like to run through a number of basic problems explained in the configuration guide, with extra information from my own experience.

Most of the issues revolve around the use of the ktpass command on the Microsoft Domain Controllers.  Microsoft Active Directory logon uses Kerberos as its authentication mechanism.  The default encryption type is RC4-HMAC.  DES-CBC-CRC and DES-CBC-MD5 are also supported, but require manual configuration using the ktpass command, which is included in the Microsoft Support Tools.  This tool is required because the NAC Server, which implements AD SSO, can only use DES.  Additionally, ktpass must be run on every domain controller that authenticates users.  There are separate toolsets for Windows 2003 SP1 and Windows 2003 SP2.  The Windows 2003 SP2 link provides the following detail, which should be followed:

Note: If you have an earlier version of these support tools installed on your computer, you must remove this version before you install the updated support tools for Windows Server 2003 SP2.

With ktpass properly installed, it’s also important to know where to look to troubleshoot AD SSO issues.  There is one setting to change and three places to look for messages.

The setting to change is the log level on the NAC Server.  Access the NAC Server webpage and make sure the URL ends with “admin”, for example https://192.168.6.10/admin.  If this is not done, the NAC login page will be displayed instead.  Next, click on “Monitoring > Support Logs”.  On the page that is displayed, turn on trace logging for the “Active Directory Communication Logging” line.  Once logging is set, the NAC Server webpage can be closed.

The first, and best place, to look for logs is the NAC server log files.  Since the NAC server is doing the actual checks, it will provide the most detailed logs.  These logs are located in the /perfigo/access/tomcat/logs/nac_server.log file on the NAC server.

The second place to look for logs is the NAC manager log file.  This is located at /perfigo/control/tomcat/logs/nac_manager.log file on the NAC Manager.

The third place to look for logs is the Event logs on the NAC Manager GUI.  This is located in “Monitoring > Event Logs” on the NAC Manager web GUI.

Now, let’s get into some troubleshooting scenarios.

Improper ktpass version

As stated in the support information, ktpass version 5.2.3790.0 is required for Windows 2003 and ktpass version 6.0.6001.18000 is required for Windows 2008.  Using an earlier version of ktpass will usually result in a failed AD SSO setup.

Time not synchronized

In order for Kerberos to work, the time on the NAC Server and domain controller must be synchronized to within 5 minutes.

Configuring User for ktpass

When using ktpass, part of the configuration is assigning a service instance account to a user.  There are two problems associated with this user account that I’ve run into.

If the nac_manager.log file contains a log entry with “encrypt type not supported (14)”, check the Event Viewer logs on the domain controller.  There may be messages stating that the key has been corrupted.  The solution is to create a new password for the user.

A problem will arise if ktpass is run twice on the same domain controller.  This could happen if you are using ktpass for both a specific domain controller entry and a more general domain entry.  If the same user account is used for both, the entries will cease to work.  The solution is to remove the account and create a new account for just one type of entry.

Configuring ktpass for Windows 2008

When configuring ktpass for Windows Server 2008, it is important to read the support information for details on the minimum ktpass version required and the minimum operating system version required.

Ktpass version:  6.0.6001.18000

Windows 2008 Server Enterprise SP1

Single Domain AD SSO is supported

Hotfix KB951191 is required

Not adding Hotfix KB951191 will result in error messages in the NAS.  The error message contains “Client not found in Kerberos database (6)”.
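To make the log checks above repeatable, here is an added Python triage script; it is not part of the original post and not Cisco or NetCraftsmen tooling.  It scans nac_server.log or nac_manager.log for the Kerberos result codes quoted in this post (14 and 6) and prints the remediation the corresponding scenario gives.  It goes slightly beyond the post in one respect: code 37, “Clock skew too great”, is the standard Kerberos KRB_AP_ERR_SKEW result and is added to cover the “Time not synchronized” scenario.  The sample log lines and their layout are constructed for the example, not real NAC output; the default file path is the NAC Server log path given above.

```python
"""Triage Cisco NAC AD SSO Kerberos errors in nac_server.log / nac_manager.log.

Added example (not NetCraftsmen or Cisco code).  The message texts for codes
14 and 6 are the ones quoted in the post; code 37 ("Clock skew too great") is
the standard Kerberos KRB_AP_ERR_SKEW result, added to cover the time
synchronization scenario.  SAMPLE_LOG is constructed, not real NAC output.
"""
import re
import sys
from dataclasses import dataclass

# code -> (message fragment expected in the line, remediation from the post's scenarios)
KNOWN_ERRORS = {
    14: ("encrypt type not supported",
         "Check the domain controller Event Viewer for 'key corrupted' messages; "
         "set a new password on the ktpass service account and re-run ktpass."),
    6: ("client not found in kerberos database",
        "On Windows Server 2008, confirm hotfix KB951191 is installed; confirm "
        "ktpass was run on every authenticating domain controller."),
    37: ("clock skew too great",
         "Synchronize the NAC Server and domain controller clocks to within 5 minutes."),
}

# Kerberos result code in trailing parentheses, e.g. "... not supported (14)".
CODE_RE = re.compile(r"\((\d+)\)\s*$")


@dataclass
class Finding:
    line_no: int
    code: int
    text: str
    remediation: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per line that carries a known Kerberos error code."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = CODE_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        known = KNOWN_ERRORS.get(code)
        # Require both the code and its message text, so a bare "(6)" elsewhere
        # in a line (a pool size, a count) is not mistaken for a Kerberos error.
        if known and known[0] in line.lower():
            findings.append(Finding(line_no, code, line.strip(), known[1]))
    return findings


def summarize(findings: list[Finding]) -> dict[int, int]:
    """Count findings per Kerberos code, e.g. {14: 1, 6: 1}."""
    counts: dict[int, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


# Constructed sample: timestamps, component names and hostnames are made up.
SAMPLE_LOG = """\
2009-03-02 10:15:01 INFO  ADSSO: Kerberos negotiation with dc1.example.local
2009-03-02 10:15:02 ERROR ADSSO: accept_sec_context failed: encrypt type not supported (14)
2009-03-02 10:15:09 ERROR ADSSO: kinit failed: Client not found in Kerberos database (6)
2009-03-02 10:15:12 DEBUG ADSSO: worker pool size (6)
2009-03-02 10:15:20 INFO  ADSSO: SSO login succeeded for jdoe@EXAMPLE.LOCAL
"""

if __name__ == "__main__":
    # Default is the NAC Server log path named in the post; pass a path to override.
    path = sys.argv[1] if len(sys.argv) > 1 else "/perfigo/access/tomcat/logs/nac_server.log"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"{path}: {exc}; using built-in sample", file=sys.stderr)
        text = SAMPLE_LOG
    for f in triage(text):
        print(f"line {f.line_no}: krb5 code {f.code}\n  {f.text}\n  -> {f.remediation}")
```

Run it on the NAC Server first, as the post recommends, then on the NAC Manager log (`python3 triage.py /perfigo/control/tomcat/logs/nac_manager.log`); matching on both the numeric code and the message text keeps unrelated parenthesised numbers out of the report.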
