What is less obvious is how the "User Pages" affect single sign on (SSO) scenarios. With NAC Appliance, there are two widely used single sign methods. The first SSO method is VPN SSO. This is used mostly with remote VPN access where the VPN device sends the NAC Server a RADIUS accounting packet after successful authentication. This allows the NAC Server to accept sessions from the user as successfully authenticated. The second SSO method is AD SSO. This is used mostly for campus deployments. In this method, a user's AD login is recognized by the NAC Server using Kerberos tickets.
In both SSO methods, the login page is never displayed because authentication is handled by SSO. With this in mind, configuring the User Pages is not an intuitive step in the configuration process. In actuality, the User Pages are very important in the configuration of SSO. The "User Pages" still define which operating systems are allowed through the NAC Server. This means that, even if a user successfully completes SSO, they will not be allowed access, through the NAC Server, if their operating system is not defined in "User Pages". Thinking of it another way, this is still the recommended method of blocking unwanted operating systems even when using SSO.
