
SCCM & Cisco NAC

I ran into an interesting issue with an SCCM implementation in an environment that utilizes Cisco NAC to protect their system resources from unauthorized devices. One of the goals of the implementation was to ensure the SCCM clients could still function when no user was logged into Windows, and thus the NAC agent was not authenticated with the production VLAN. In order to accomplish this, ports used by SCCM needed to be opened, allowed, and unrestricted to the SCCM servers.

The issue that we found was that when the computer was on the “dirty” VLAN, the SCCM client would switch from being an Intranet client to an Internet client. Furthermore, the client’s LocationServices log showed that it was failing to locate the MP from AD and the SLP from AD.

Using a network monitoring tool called Wireshark, we identified that the client was trying to communicate with AD on TCP port 3268. This is a normal port used by AD for LDAP. Checking into the configuration of NAC, it was certainly not allowing communication over that port. As soon as that was allowed, the SCCM client immediately began functioning to download software updates and SWD packages. Who knows whatever else was fixed through this discovery…
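A quick way to confirm the NAC policy from a machine sitting on the “dirty” VLAN is to test the TCP ports directly. The script below is an added example, not part of the original post. The server names are placeholders, and every port other than 3268 is an assumption (standard LDAP 389 and the default HTTP/HTTPS client-to-management-point ports 80 and 443).

```powershell
# Added example: server names are placeholders, not values from the post.
param(
    [string]$GlobalCatalog   = 'dc01.example.local',    # placeholder AD server
    [string]$ManagementPoint = 'sccm01.example.local',  # placeholder SCCM MP
    [int]$TimeoutMs          = 3000
)

# 3268 is the port identified in the post. 389, 80 and 443 are assumptions:
# standard LDAP and the default client-to-MP HTTP/HTTPS ports.
$checks = @(
    [pscustomobject]@{ Target = $GlobalCatalog;   Port = 3268; Purpose = 'AD LDAP (from the post)' }
    [pscustomobject]@{ Target = $GlobalCatalog;   Port = 389;  Purpose = 'LDAP (assumed)' }
    [pscustomobject]@{ Target = $ManagementPoint; Port = 80;   Purpose = 'Client to MP HTTP (assumed)' }
    [pscustomobject]@{ Target = $ManagementPoint; Port = 443;  Purpose = 'Client to MP HTTPS (assumed)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped packet does not hang the script.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # timed out: typical of a NAC/firewall drop
        }
        $client.EndConnect($async)   # throws if refused or the name did not resolve
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Target    = $c.Target
        Port      = $c.Port
        Purpose   = $c.Purpose
        Reachable = Test-TcpPort -ComputerName $c.Target -Port $c.Port -TimeoutMs $TimeoutMs
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code if anything is blocked, so the check can be scripted.
if ($results.Reachable -contains $false) { exit 1 }
```

Run it while the machine is still unauthenticated to NAC; a port that shows `Reachable = False` there but `True` on the production VLAN points at the NAC policy rather than at the server.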

Filed under: SCCM, Troubleshooting


Hello and thanks for reading my blog! My hope is that information I post is useful to others! If you found that a solution did help you, or if you have questions, feel free to drop a comment on the post. I primarily blog on my IT experiences with ConfigMgr and desktop engineering. I am a 10 year, seasoned professional with ConfigMgr and systems management. I co-facilitate and present for the local user group in Denver, am an active blogger on topics for ConfigMgr and systems management techniques, involved in forums for Microsoft and MyITForum, and have been a speaker for events such as BDNA's SCCM Guru Webcast Series (March 2012), the Microsoft Management Summit (April 2013), and BDNA's Microsoft Master Webcast Series (Jan. 2014).
