Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 7 User Management: Configuring Authentication Servers
Adding an Authentication Provider
b. Enter each Windows Domain Controller IP and click Add Server.
See the “Enable Windows NetBIOS SSO” section of the Cisco NAC Appliance - Clean Access Server
Configuration Guide, Release 4.9(x) for details.
3. Add IP traffic control policies for the Unauthenticated role to allow users on the untrusted side
to access the domain controllers on the trusted network. Typical policies may include allowing TCP
and UDP traffic for each controller (IP address and 255.255.255.255 mask) on ports 88 (Kerberos),
135 (DCE endpoint resolution), 139 (netbios-ssn), 389 (LDAP), and 445 (smb-tcp). See Chapter 8, “User
Management: Traffic Control, Bandwidth, Schedule.”
Note: Because the CAS attempts to authenticate the user by sniffing Windows logon packets on the network,
if the end device does not send such traffic (i.e., authenticates from cache), the CAS cannot authenticate
the user. To cause such login traffic to be generated, you can use a login script to establish
network shares/shared printers. You can also log in as a different user from the same machine to cause
the machine to communicate with the domain controller (typically a different user’s credentials will not be
cached).
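The traffic control policies in step 3 can be checked for gaps and for over-broad entries before users are placed in the Unauthenticated role. The following is an added example, not code from the Cisco guide: the `(protocol, ip, mask, port)` rule tuples, the function name `audit_policies`, and the sample addresses are assumptions made for illustration and do not reflect a CAM export format.

```python
"""Audit Unauthenticated-role allow rules against the typical DC ports in step 3."""
import ipaddress

# Ports the guide lists as typical for domain controller access.
REQUIRED_PORTS = {88: "Kerberos", 135: "DCE endpoint resolution",
                  139: "netbios-ssn", 389: "LDAP", 445: "smb-tcp"}
PROTOCOLS = ("TCP", "UDP")
HOST_MASK = "255.255.255.255"  # one policy per controller, host mask only


def audit_policies(controllers, rules):
    """Return (missing, unexpected) for a list of allow rules.

    controllers: domain controller IP strings.
    rules: (protocol, ip, mask, port) tuples (hypothetical layout).
    missing: (protocol, dc_ip, port) combinations with no matching rule.
    unexpected: rules that are not an exact host-mask match for a listed
                controller on one of the typical ports.
    """
    dcs = {ipaddress.ip_address(c) for c in controllers}
    needed = {(proto, dc, port)
              for dc in dcs for proto in PROTOCOLS for port in REQUIRED_PORTS}
    unexpected = []
    for proto, ip, mask, port in rules:
        proto = proto.upper()
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        exact_host = mask == HOST_MASK and net.network_address in dcs
        if exact_host and proto in PROTOCOLS and port in REQUIRED_PORTS:
            needed.discard((proto, net.network_address, port))
        else:
            # Wider mask, unknown host, or a port outside the typical list.
            unexpected.append((proto, ip, mask, port))
    ordered = sorted(needed, key=lambda n: (int(n[1]), n[2], n[0]))
    return [(p, str(dc), port) for p, dc, port in ordered], unexpected


if __name__ == "__main__":
    # Constructed sample data (documentation address range).
    dcs = ["192.0.2.10", "192.0.2.11"]
    rules = [(p, "192.0.2.10", HOST_MASK, port)
             for p in PROTOCOLS for port in REQUIRED_PORTS]
    rules += [("TCP", "192.0.2.11", HOST_MASK, 88),
              ("TCP", "192.0.2.0", "255.255.255.0", 445)]
    missing, unexpected = audit_policies(dcs, rules)
    for proto, dc, port in missing:
        print(f"MISSING    {proto} {dc}:{port} ({REQUIRED_PORTS[port]})")
    for rule in unexpected:
        print(f"UNEXPECTED {rule}")
```

A subnet-wide rule is reported as unexpected rather than counted as coverage, because step 3 scopes each policy to a single controller address.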
Add Windows NetBIOS SSO Auth Server
1. Go to User Management > Auth Servers > New Server.
2. From the Authentication Type dropdown menu, choose Windows NetBIOS SSO.
Figure 7-14 Add Windows NetBIOS SSO Auth Server
3. Provider Name—The Provider Name value defaults to ntlm.
4. Default Role—Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address.
5. Description—Enter an optional description of this auth server for reference.
6. Click Add Server.