Dave,

I've got it working here.

On my DCs I have the following ports open:

TCP 88,135,139,389,445,1025,3268

UDP 88,137,138,389


This allows SSO to work. 

Currently, the machine cannot be reliably joined to the domain through
my system. Also, the user should login to the laptop first without Clean
Access. 

I haven't had time to troubleshoot these issues.


Bruce Osborne
Liberty University

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[EMAIL PROTECTED] On Behalf Of Stempien, Dave
Sent: Tuesday, May 20, 2008 12:48 PM
To: [email protected]
Subject: Re: [CLEANACCESS] AD SSO - required open ports?

Not that I am aware of...

On 5/20/08 12:42 PM, "Jay Patel" <[EMAIL PROTECTED]> wrote:

> It truly is a beast.  Are you using roaming profiles?
> 
> ----
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[EMAIL PROTECTED] On Behalf Of Stempien, Dave
> Sent: Tuesday, May 20, 2008 12:29 PM
> To: [email protected]
> Subject: AD SSO - required open ports?
> 
> Does anyone have a definitive list of the ports required to be open in
> the unauthenticated role for AD SSO to work?  I've opened the following
> ports to our DCs per the suggestion of the Cisco documentation:
> 
> TCP 88 - Kerberos
> TCP 135 - RPC
> TCP 389 - LDAP
> TCP 1025 - RPC
> TCP 1026 - RPC
> 
> After doing some sniffing, I discovered that our DCs are also using
> UDP for kerberos and LDAP, so I opened the following:
> 
> UDP 88 - UDP-Kerberos
> UDP 389 - UDP-LDAP
> 
> Also, per a previous suggestion by Cisco TAC, I also opened:
> 
> TCP 445 - SMB
> 
> Finally, ICMP and DNS are also allowed.
> 
> Currently, my test machine won't even completely log into the domain
> let alone perform SSO.  It's stuck at "Applying computer settings..."
> If I completely disable my unauthenticated policy (except for ICMP and
> DNS), I can log into my test machine using cached credentials.
> 
> Has anyone else beaten this beast and care to share your experiences?
> 
> Thanks!
> 
> --
> Dave Stempien, Network Security Engineer
> University of Rochester Medical Center
> Information Systems Division
> (585) 784-2427

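The diagnostic Dave describes (sniff the client's traffic toward the DCs, then compare what it actually uses against what the unauthenticated role permits) is easy to script. The block below is an added example and is not code from the thread or from Cisco; the tcpdump-style capture lines and the DC addresses 10.0.0.10/10.0.0.11 are constructed, and the allow list is the one Bruce posted above. One caveat worth keeping in mind when reading the output: the TCP 1025/1026 entries are dynamic RPC endpoints handed out by the endpoint mapper (the range is 1025-5000 on Windows Server 2003 and 49152-65535 on Windows Server 2008 and later), so a client can legitimately land on a port the list never mentioned, which is exactly what a diff like this surfaces.

```python
"""Diff the ports a domain client really uses against a Clean Access
unauthenticated-role allow list.

Added example, not from the mailing-list thread.  The capture text and
DC addresses are constructed for illustration, not recorded traffic.
"""
import re
from collections import defaultdict

# Hypothetical domain controller addresses used by the constructed capture.
DC_ADDRS = {"10.0.0.10", "10.0.0.11"}

# Allow list from Bruce's reply in the thread: (proto, dst port) toward the DCs.
ALLOWED = {
    ("tcp", 88), ("tcp", 135), ("tcp", 139), ("tcp", 389), ("tcp", 445),
    ("tcp", 1025), ("tcp", 3268),
    ("udp", 88), ("udp", 137), ("udp", 138), ("udp", 389),
}

# Constructed "tcpdump -nn" style lines; 10.0.5.23 plays the test laptop.
CAPTURE = """\
12:29:01.000001 IP 10.0.5.23.49211 > 10.0.0.10.88: Flags [S], seq 1, length 0
12:29:01.000502 IP 10.0.5.23.49212 > 10.0.0.10.389: UDP, length 160
12:29:01.001003 IP 10.0.5.23.49213 > 10.0.0.10.135: Flags [S], seq 2, length 0
12:29:01.001504 IP 10.0.5.23.49214 > 10.0.0.10.1026: Flags [S], seq 3, length 0
12:29:01.002005 IP 10.0.5.23.49215 > 10.0.0.11.636: Flags [S], seq 4, length 0
12:29:01.002506 IP 10.0.5.23.137 > 10.0.0.11.137: UDP, length 50
12:29:01.003007 IP 10.0.5.23.49216 > 10.0.0.10.445: Flags [S], seq 5, length 0
12:29:01.003508 IP 10.0.5.23.49217 > 10.0.0.10.3268: Flags [S], seq 6, length 0
12:29:01.004009 IP 10.0.0.10.88 > 10.0.5.23.49211: Flags [S.], seq 9, ack 2, length 0
12:29:01.004510 IP 10.0.5.23.49218 > 192.168.1.1.80: Flags [S], seq 7, length 0
"""

# timestamp IP src.sport > dst.dport: <rest>   (IPv4 only, good enough here)
LINE_RE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$"
)


def observed_ports(capture, dc_addrs):
    """Return {(proto, dst_port): packet_count} for packets sent *to* a DC.

    Replies from the DC are ignored (their dst is the client), as is any
    traffic to hosts that are not in dc_addrs.
    """
    seen = defaultdict(int)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _src, _sport, dst, dport, rest = m.groups()
        if dst not in dc_addrs:
            continue
        # tcpdump prints TCP segments with "Flags [...]" and UDP datagrams as "UDP".
        if rest.startswith("UDP"):
            proto = "udp"
        elif rest.startswith("Flags"):
            proto = "tcp"
        else:
            continue  # ICMP and anything else: the role already permits ICMP
        seen[(proto, int(dport))] += 1
    return dict(seen)


def unallowed_ports(capture, dc_addrs, allowed):
    """Sorted (proto, port) pairs the client used toward a DC that the role blocks."""
    return sorted(p for p in observed_ports(capture, dc_addrs) if p not in allowed)


if __name__ == "__main__":
    for proto, port in unallowed_ports(CAPTURE, DC_ADDRS, ALLOWED):
        print(f"client talks to a DC on {proto}/{port}; the unauthenticated role "
              f"does not permit it")
```

Run it against a real capture by replacing CAPTURE with the output of `tcpdump -nn` taken on the DC side (or a SPAN port) while the test machine boots and logs in; the two hits in the constructed data are TCP 636 (LDAPS) and TCP 1026 (a second dynamic RPC port), both absent from the posted allow list.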