Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
While running a Windows 2008 AD server at the 2003 Server functional level, if you encounter issues, try the following:
Run ktpass on the AD server to allow multiple algorithms for the new service account, map the account to the SSO service principal, and export its keytab:
ktpass -princ newadsso/[adserver.]domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
Note Before performing the following step, Cisco strongly recommends making a backup copy of
the CAM’s /perfigo/control/tomcat/conf/krb.txt file.
After running the ktpass command above, manually modify two files on the CAM as follows:
– In the CAM CLI, open /perfigo/control/tomcat/conf/krb.txt and add the following lines:
[libdefaults]
kdc_timeout = 20000
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
These settings restrict the CAM's Kerberos client to the RC4-HMAC encryption type. RC4-HMAC is weaker than the AES encryption types, so treat this as a compatibility workaround for the 2003 functional level rather than a default configuration.
– Open /perfigo/control/bin/starttomcat, search for CATALINA_OPTS, and add -DKRB_OVERRIDE=true to the value of CATALINA_OPTS. For example:
Old value: CATALINA_OPTS="-server ..."
New value: CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"
Note If you are applying this change to an existing HA pair, you must perform the above update on both the HA-Primary and HA-Secondary CAM, just as you would upgrade a pair of HA-enabled CAMs. For more information, see the corresponding Release Notes for Cisco NAC Appliance.
Restart the CAM by entering the service perfigo stop and service perfigo start commands. See also Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for complete details.
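The two CAM-side file edits in the procedure above are easy to get wrong by hand (a second run appends a duplicate block, or the flag lands outside the closing quote of CATALINA_OPTS). The following script is an added example, not Cisco's own tooling: it applies both edits idempotently, backs up each file before touching it, and refuses to edit a starttomcat that has no CATALINA_OPTS="..." line. The function names, the backup-file naming, and the sample file contents used in the usage comment are assumptions for illustration; the file paths are the ones the procedure names.

```shell
#!/bin/sh
# Added example (not Cisco's own tooling): applies the two CAM-side edits from
# the procedure above idempotently, backing up each file before it is touched.
# File paths are parameters so the functions can be exercised on copies first.
#
# Usage on the CAM, after the ktpass step and with a backup of krb.txt in hand:
#   . ./krb_override.sh
#   add_krb_libdefaults /perfigo/control/tomcat/conf/krb.txt
#   add_krb_override    /perfigo/control/bin/starttomcat
#   show_krb_settings   /perfigo/control/tomcat/conf/krb.txt /perfigo/control/bin/starttomcat
#   service perfigo stop && service perfigo start

# Keep a timestamped copy of a file before modifying it.
backup_file() {
  cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Append the [libdefaults] block that pins the Kerberos client to RC4-HMAC.
# Skipped if permitted_enctypes is already set, so rerunning is harmless.
add_krb_libdefaults() {
  krb="$1"
  if grep -q '^permitted_enctypes *= *RC4-HMAC' "$krb"; then
    echo "$krb: RC4-HMAC enctypes already present, nothing to do"
    return 0
  fi
  backup_file "$krb"
  cat >> "$krb" <<'EOF'
[libdefaults]
kdc_timeout = 20000
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
EOF
}

# Add -DKRB_OVERRIDE=true inside the double-quoted CATALINA_OPTS value.
# Returns 1 if the script has no CATALINA_OPTS="..." line rather than guessing
# where the flag belongs; skipped if the flag is already present.
add_krb_override() {
  script="$1"
  if grep -q '^CATALINA_OPTS=.*-DKRB_OVERRIDE=true' "$script"; then
    echo "$script: KRB_OVERRIDE already set, nothing to do"
    return 0
  fi
  if ! grep -q '^CATALINA_OPTS="' "$script"; then
    echo "$script: no CATALINA_OPTS=\"...\" line found" >&2
    return 1
  fi
  backup_file "$script"
  # BRE: capture everything up to the closing quote, then re-add the quote after
  # the new flag. Written via a temp file so a failed sed leaves the original
  # untouched (sed -i is not portable across sed implementations).
  sed 's/^\(CATALINA_OPTS="[^"]*\)"/\1 -DKRB_OVERRIDE=true"/' "$script" > "$script.tmp" \
    && mv "$script.tmp" "$script"
}

# Print the resulting settings so they can be eyeballed before the restart.
show_krb_settings() {
  grep -E '^(kdc_timeout|default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)' "$1"
  grep '^CATALINA_OPTS=' "$2"
}
```

Run the functions against copies of the two files first; on an HA pair, run them on both the HA-Primary and HA-Secondary CAM, as the Note above requires, before restarting the perfigo service.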
RADIUS
The RADIUS authentication client in the Clean Access Manager can support failover between two
RADIUS servers. This allows the CAM to attempt to authenticate against a pair of RADIUS servers,
trying the primary server first and then failing over to the secondary server if it is unable to communicate
with the primary server. See the Enable Failover and Failover Peer IP field descriptions below for
details.
Note To configure an IPSec tunnel required to connect Cisco NAC Appliance with an external RADIUS
server, refer to Add a FIPS 140-2 Compliant RADIUS Auth Provider Using an ACS Server, page 7-8.
This configuration procedure specifies what you need to set up to connect the CAM with an ACS server
to perform RADIUS authentication in a FIPS 140-2 compliant network deployment.
Step 1 Go to User Management > Auth Servers > New.