ACS 4.1 - LDAP integration

We want to use ACS as a RADIUS server and use it to authenticate the VPN users.

Remote access VPN user ---> ASA5510 ---> ACS v4.1 ---> LDAP

The ASA is already configured for the VPN; I'm a newbie with ACS. Can someone explain how to configure ACS as a RADIUS server and integrate it with LDAP?

When a user enters his user name and password, the ASA should send that to ACS, and ACS should compare it against LDAP.

Thank you

How to configure the ASA for RADIUS and VPN authentication:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c18ff.shtml#CLI

How to configure the ASA on ACS as a RADIUS client:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c18ff.shtml#ACS

Check the authentication test between ASA and ACS:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c18ff.shtml#Veri

ACS and the LDAP database integration:

After that, set the host name (or the LDAP server's IP), port 389, and the admin username and password.

Kind regards

Jousset
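On the first hop of the flow above (ASA to ACS over RADIUS), the user's password is protected only by the RADIUS shared secret, using the User-Password hiding scheme of RFC 2865 section 5.2. The following is an added example, not code from the post or from Cisco; the secret, authenticator and password values are constructed. It shows both sides of that hop: what the ASA does before sending, and what ACS does before checking the password against LDAP, plus what a mismatched secret looks like.

```python
import hashlib
import secrets

BLOCK = 16  # RFC 2865: User-Password is processed in 16-byte chunks


def pad(pw: bytes) -> bytes:
    """Pad the password with NULs to a multiple of 16 bytes (max 128)."""
    if not 0 < len(pw) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    return pw + b"\x00" * (-len(pw) % BLOCK)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password the way the RADIUS client (the ASA) does before sending.

    Each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    the first block uses the 16-byte Request Authenticator instead.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    plain = pad(password)
    out = b""
    prev = authenticator
    for i in range(0, len(plain), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(x ^ y for x, y in zip(plain[i:i + BLOCK], keystream))
        out += cipher
        prev = cipher
    return out


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password the way the RADIUS server (ACS) does before it
    compares the password against LDAP. Same chain, XOR in the other direction."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + BLOCK]
        out += bytes(x ^ y for x, y in zip(cipher, keystream))
        prev = cipher
    return out.rstrip(b"\x00")


def demo():
    """Constructed values only: a fresh random authenticator per request, as the ASA would pick."""
    secret = b"constructed-shared-secret"
    authenticator = secrets.token_bytes(BLOCK)
    hidden = encode_user_password(b"vpn-user-pass", secret, authenticator)
    # With the wrong secret on either side ACS decodes garbage and simply fails
    # the user against LDAP; the ACS Failed Attempts log is where that shows up.
    return decode_user_password(hidden, secret, authenticator), \
        decode_user_password(hidden, b"other-secret", authenticator)
```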

Similar Questions

  • Easy VPN with LDAP integration

    Hello!

    Currently I have an EASY VPN server on a Cisco 2911 with LDAP integration to authenticate the user.

    Everything works well except for one aspect. When you try to connect to the VPN (IPSec Client), the user is prompted for credentials, which in this case are their domain credentials. When the user enters the credentials, they are immediately prompted for them again and again for about 1 minute. Then it goes through and the VPN is in place.

    When I check the logs, I can't see the LDAP connection going from down to up.

    My question is whether there is a way to make the LDAP connection stay up, or to accelerate this process.

    Thoughts?

    Jason,

    I had a long discussion with the BU some time ago about whether LDAP is in fact a supported AAA mechanism with EzVPN.

    To which (at the time) they said 'no'.

    We have therefore tabled a documentation bug:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud35798

    (which has not yet been resolved).

    If it is in fact still a limiting factor, I suggest contacting your systems engineer or opening a TAC case, so we can check with the BU.

    M.

  • Custom LDAP integration

    We created a custom LDAP integration to replace the obsolete one in the application. We have all our services in remoting containers on a server separate from the slave servers. Must the custom assemblies be installed on the remoting container server, and if so, in which directories? The documentation in the EP said to install only in the bin and web application directories. Thank you.

    Yes, put it in the same directory as the RemotingContainer.exe file.

  • The WLC and LDAP integration

    Hello

    I configured a WLC to integrate with LDAP. It works fine when I use only one Active Directory server, but I have other users in another Active Directory server. When I turn on both servers and some users try to log in against the second server, the WLC hangs for a little while: during that time it is impossible to configure the equipment, even via telnet, and users can no longer be authenticated. I have to disable the servers and then activate just one of them in order for users to connect again. I also saw this behavior when more than 4 users try to connect to the same access point at a time.

    Anyone know why this is happening and how to avoid it?

    Thank you very much for your help

    Yes, it leads me to believe that your RADIUS is not configured correctly. I should make it clearer: in order to do 802.1X, you must have an IAS or ACS that front-ends your AD (or LDAP, I suppose, but I am not sure that it is supported). You can't just point your controller to your AD; it does not work.

  • ACS 4.1 LDAP server is NOT accessible.

    Hello

    We have ACS 4.1 running. Everything seems to be (and is) working very well. But when I want to add an LDAP group mapping I get an error message saying 'LDAP server is NOT accessible. Please check the configuration.' The LDAP authentications are working well, but I can't add a group mapping. Where should I start to troubleshoot?

    Regards Marco

    Marco,

    1. Do you have many groups in the LDAP or AD structure?
    2. Does your Admin DN also have the right to query the database?

    ACS authentication with a generic LDAP user database

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354562

    Setting up a generic LDAP external user database

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354805

    Also, please download the Softerra LDAP browser to fetch the correct information and configure accordingly.

    http://www.ldapbrowser.com/download.htm

    HTH

    JK


  • vRA7 RHEL 6.6 Blueprint / LDAP integration

    Hello

    I'm building a RHEL 6.6 server and integrating it with my LDAP server. I created a bash script to run automatically once the operating system is deployed; it defines the specific LDAP groups and adds them to /etc/sudoers and /etc/ssh/sshd_config. It is fine for automatically giving groups of users access, but what if I want to automatically grant an individual user instead? Specifically, what if I want to grant access to the user logged in to vRA who requested the RHEL server? I would like to know if it's possible to identify the LDAP account of the user logged in to vRA who requested the RHEL server and somehow pipe that into the bash script, so that when the script runs it picks up this info and adds the individual user. Is the bash script still the way to do this, or is there another mechanism that can achieve this?

    The idea is to limit root/ssh access to the individual who deployed it.

    Assuming that it is the identity source you use for vRA, then you could pipe it through a custom property 'ready' in Orchestrator and inject it as an argument to your script. I guess you're using the "run a script in the guest operating system" workflow here and not using the guest agent.

  • OMSS and OID LDAP integration

    I am evaluating the integration of OMSS for my business.

    In our scenario, the LDAP is OID: according to the installation guide, OMSS can be integrated with databases, Microsoft AD, OUD or OAM. What about OID?

    Thank you

    Luca

    Yes - OID is supported by Oracle Mobile Security Suite, which (Frédéric Desbiens-Oracle) is different from OAMMS!

    See - http://www.oracle.com/technetwork/middleware/id-mgmt/omss-technical-wp-2104766.pdf?ssSourceSiteId=ocomen (check text above Figure 5)

    Oracle Directory Services for direct access to mobile applications for users based on LDAP directories,

    for example, Oracle Internet Directory (OID) or Oracle Unified Directory (OUD)

    Nassima

    Sudipto Desmukh blog: Oracle Mobile Security Suite (OMSS)

  • WLC 5508 Active Directory / LDAP integration to authenticate

    Hello

    I am deploying redundant WLC 5508s with 4 VLANs and 4 matching SSIDs; everything works fine. Now I have to do the below, so please give your valuable comments and advice.

    1. I need all wireless users authenticated with the existing Active Directory/LDAP

    2. I create guest accounts in my AD and give them to the guests, so guests should only have Internet access, not the company's resources

    3. How can I get my VoIP VLAN for wireless phones? I want only wireless phones to connect to the voice VLAN. No internet access on the VoIP VLAN

    Regards

    Dinesh

    Hello

    1. I need all wireless users authenticated with the existing Active Directory/LDAP

    2. I create guest accounts in my AD and give them to the guests, so guests should only have Internet access, not the company's resources

    ANS 1 & 2 - the link below provides the example config and also a deeper understanding of the requirements; please go through the link at least once...

    http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a0080a03e09.shtml

    3. How can I get my VoIP VLAN for wireless phones? I want only wireless phones to connect to the voice VLAN. No internet access on the VoIP VLAN

    ANS - you can configure the required auth for the voice WLAN and then NAT this VLAN interface so that it won't get out to the internet!

    Let me know if that answers your question, and please do not forget to rate useful posts!

    Regards

    Surendra

  • ACS 5.4 implementation (integration with AD)

    Hi all

    Has someone already installed ACS 5.4? I installed it but I have a problem when setting up my own server.

    I joined AD on the server, but under Access Policies > Access Services > Identity I cannot see any AD in the identity source. I followed all the steps.

    Is there a problem on my server?

    When I click OK I get this error

    Can someone help me?


    Supported browsers and web client:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp222016

    ~ BR
    Jatin kone


  • ACS 5.1 and AD integration

    I just installed ACS 5.1 as a virtual machine instance to provide GANYMEDE AAA. So far, things are working properly with local authentication, and now I want my users to authenticate via AD. Looking at the user guide at page 8-39, it looks like I need to create an AD identity store and join the ACS server to the domain. Is this correct? And is the AD username and password required a one-time thing to join the ACS server to the domain, or does a special account need to be established on the AD server?

    Thank you!

    Bob

    Yes, that's correct.

    Join the ACS to an AD domain:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140906

    ACS 5.1 must be configured with a valid NTP server for time synchronization, preferably the one the domain controller uses for its own time synchronization. Another requirement is a valid DNS server that can resolve internal names.

    Both of them are configured in the CLI:
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003

    ip name-server
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1729536

    ntp server
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1013780

    And yes, the admin username and password you use would be a one-time thing. It might be an existing admin account; just make sure the admin credentials you use for ACS to integrate with AD have privileges to add the computer to the domain.

    We would never recommend deleting the admin account after integrating ACS with AD.

    HTH

    JK

  • ACS 5.3 AD integration issues

    Hi all

    We have two ACS 5.3 devices in sync mode with some local users, groups, devices, etc. I need to join the ACS service to Active Directory. I have a few questions; can you help me please?

    (1) We have a parent domain and three child domains. I need clients from all three child domains to be able to authenticate on ACS. Should I make the ACS a member of the parent domain, or is it possible to connect ACS to the three child domains?

    (2) Will joining ACS to AD affect the current (local) configuration? Will local users somehow lose access to certain devices, or will devices disappear? What is a safe procedure?

    (3) Another small question: I can access the web user interface, but can't SSH (PuTTY) using the same credentials. Am I doing something wrong?

    Thank you!

    (1) Join the parent domain and you can authenticate users of the parent and the children.

    - The parent and the child have a default two-way trust, which is what is needed.

    (2) No, and that's for sure.

    (3) SSH credentials differ from those of the web GUI.

    These are usually set when you install the ACS software.

    If you have forgotten them, perform a password recovery using the DVD.


    Kind regards

    Ed

  • Cisco ASA with Microsoft LDAP integration

    Hello

    I need to integrate a Cisco ASA 5510 version 8.3 with Microsoft LDAP to authenticate IPsec VPN.

    I followed the procedures described in the documents below:

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa83/configuration/guide/access_aaa.html

    http://www.Cisco.com/en/us/customer/docs/security/ASA/asa83/asdm63/configuration_guide/access_aaa.html

    It does not work. I turned on debug ldap 255.

    The debug output is attached.

    Try to connect using the Softerra LDAP browser and see if it works or not.

    Kind regards

    ~ JG

  • Lab Manager LDAP integration

    I've configured a vSphere/ESX OTA environment in the 172.10.1.0/24 subnet.

    Opened ports on our firewall to manage OTA from our live environment. Live subnet: 10.128.0.0/16

    Installed Lab Manager 4.0 and added it to the domain in the OTA environment.

    Everything works fine. After opening port 389, I want to synchronize LDAP.

    When I do "Test LDAP settings" I get the following error:

    Ldap.jpg

    I read that it is not best practice to place an LM server in a domain.

    http://blog.aarondelp.com/2010/03/VMware-Lab-Manager-install-notes-and.html

    I tried the LDAP synchronization with the LM server in a workgroup, but that does not work either.

    Tried with the domain admin user, manually adding the LDAP port, leaving it empty, different DNs; nothing worked.

    I also read in the article not to name the Lab Manager server LM, and that's exactly what I did...

    Also the Lab Manager folder described in the article was not created in vCenter.

    I am thinking of uninstalling LM, renaming the virtual machine and reinstalling LM. I don't know if it will solve this problem.

    I hope someone has a solution...

    Thank you...

    The 'Test LDAP settings' actually tries to find the account whose credentials were provided. It's like a loopback... I should be able to find myself before I can find other people.

    If the test account is not in the base DN search path, but it can locate other accounts, then it should.

    Best regards

    Jon Hemming

  • AD or LDAP as the external database - Secure ACS 5.2

    I'm working on a project with Secure ACS 5.2. I'm trying to determine the appropriate external database to use: LDAP or directly AD?

    In addition, the domain I connect to has several subdomains. All users are currently in the subdomains, but will move to the root domain later. How do I set up the connection? Do I have to connect to each subdomain, or can I connect just to the root?

    Thank you

    Hello

    If you are using PEAP (MSCHAPv2) [password-based authentication], your best bet is to tie ACS to AD, because PEAP-MSCHAPv2 is a hash mechanism that is only supported when you bind to AD; it will not work if you use the LDAP integration.

    Your best option is to connect ACS to the root domain, so it can use the transitive trust relationships to find the information in its subdomains.

    Thank you

    Tarik Admani

  • CUCM LDAP integration

    We are currently running CUCM 10.5.1 with all users local. We want to set up LDAP integration, and I'm trying to understand what services will be affected.

    Can someone tell me what services use the CUCM end-user database for authentication? I guess it's only administrators who log on to the web site and the Jabber clients. Is there any other use of these credentials?

    Are there any other caveats I should be concerned about? One thought is that I do not want to import a bunch of service accounts or distribution groups, so I need to put some LDAP filters in place. Are there other traps that I should know about?

    If you enable ccmadmin access for end users, they would use their LDAP credentials for this; if you set up UCM User, the same applies. If you use Jabber, too.

    There is a default filter for what to import; the CUCM LDAP synchronization documentation says that, whichever source directory you use, only users will be imported. You can change it if necessary.
