ACS 4.2 and Active Directory
I'm putting our new ACS 4.2 server in place. This is version 4.2 Build 124, running on a Windows 2003 server. I'm having some trouble with group enumeration and may just not know what I'm missing. We have 7 different domains, and I can only list the groups of one of them. We do not run ACS on one of our domain controllers, but the server is a member of the domain. I even added a service account that is a domain administrator and run the services as that account, but I still cannot enumerate groups. Any help would be greatly appreciated.
Hello
I know that you have a domain administrator account running the ACS services, but I'd like you to go through the steps listed below once more.
------------------------------------------
-You should have a user in AD.
-To make it hard to compromise, give that user a very complex, long-lived password.
-Make the user a member of the Domain Admins group.
-Make the user a member of the Administrators group.
-Make the user a member of the Enterprise Admins group.
On the Windows 2000/2003 server running ACS:
-Add the new user to the appropriate local group.
-Open "Administrative Tools" in the Control Panel.
-Open "Computer Management".
-Open "Local Users and Groups", then "Groups".
-Double-click the "Administrators" group.
-Click "Add".
-Choose the domain in the "Look in" box.
-Double-click the user created above to add it.
-Click OK.
-Give the new user special rights on the ACS server.
-Open "Administrative Tools" in the Control Panel.
-Open "Local Security Policy".
-Open "Local Policies".
-Open "User Rights Assignment".
-Double-click "Act as part of the operating system".
-Click "Add".
-Choose the domain in the "Look in" box.
-Double-click the user created above to add it.
-Click OK.
-Double-click "Log on as a service".
-Click "Add".
-Choose the domain in the "Look in" box.
-Double-click the user created above to add it.
-Click OK.
-Set the ACS services to run as the user created above.
-Open "Administrative Tools" in the Control Panel.
-Open "Services".
-Double-click the CSADMIN entry.
-Click the "Log On" tab.
-Click "This account", then the "Browse" button.
-Choose the domain, then double-click the user created above.
-Click "OK".
-Repeat for the rest of the CS services.
-Wait for Windows to apply the security policy changes, or restart the server.
-If you restarted the server, skip the rest of these instructions.
-Stop and then start the CSADMIN service.
-Open the ACS GUI.
-Click System Configuration.
-Click Service Control.
-Click "Restart".
Note: If domain security policy is set to override the local settings for the "Act as part of the operating system" and "Log on as a service" rights, the user-rights changes listed above must also be made there.
If you authenticate against several domains, a full two-way trust must exist between the domains, the user (ACS account) must be created and given the high-level access described above in each domain to be queried, and the FULL domain name of each domain must be listed as a DNS suffix in the IP address properties of the server on which ACS is installed (restart the Netlogon service after adding the FULL domain name).
HTH
JK
Please rate helpful posts.
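As an added check, not part of the answer above, this PowerShell audit shows on the ACS host what the service account ended up holding after those steps: who holds the two user rights, whether the account sits in local Administrators, and which CS services run under it, so the breadth of that one account can be reviewed. It assumes an elevated session on a host with PowerShell installed; $AcsAccount is a placeholder.

```powershell
# Added example, not from the thread: audit the rights the ACS service account was given.
# SeTcbPrivilege ("Act as part of the operating system") is effectively SYSTEM-level,
# so every holder of it is listed, not just the ACS account.
# Assumes an elevated PowerShell session on the ACS host; $AcsAccount is a placeholder.
$AcsAccount = 'EXAMPLE\acs-svc'   # placeholder: the DOMAIN\user the CS services run as

function Resolve-SidOrName([string]$entry) {
    # secedit writes resolvable accounts as *S-1-5-...; translate back to DOMAIN\name
    $entry = $entry.Trim().TrimStart('*')
    if ($entry -notmatch '^S-1-') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $entry }     # orphaned SID: keep the raw value
}

function Get-LocalUserRights {
    # Export only the user-rights area of the effective local policy and parse the
    # [Privilege Rights] lines, e.g.  SeTcbPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $inf = Join-Path $env:TEMP 'acs-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated session' }
    $rights = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]; $raw = $Matches[2]
            $rights[$name] = @($raw -split ',' | ForEach-Object { Resolve-SidOrName $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

$rights = Get-LocalUserRights
# SeTcbPrivilege = "Act as part of the operating system", SeServiceLogonRight = "Log on as a service"
foreach ($right in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    $holders = @($rights[$right])
    "{0,-20} held by {1}: {2}" -f $right, $AcsAccount, ($holders -contains $AcsAccount)
    "{0,-20} all holders: {1}" -f '', ($holders -join ', ')
}

# Local Administrators membership (the answer adds the account here as well)
$admins = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' }
"Local Administrators contains {0}: {1}" -f $AcsAccount, ($admins -contains $AcsAccount)

# Which ACS services (CSAdmin, CSAuth, CSRadius, ... all named CS*) run under which account
Get-WmiObject Win32_Service | Where-Object { $_.Name -like 'CS*' } |
    Select-Object Name, StartName, State | Format-Table -AutoSize
```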
Similar Questions
-
Hello
I'm deploying an ACS connected to an RSA Authentication Manager (which is itself connected to an Active Directory domain).
I created several groups in the Active Directory server and am trying to give users different access rights according to their groups.
I tried to define an access policy "NetOp/NetAdm" with two authorization rules:
Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0
Rule-2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0
Default: deny
In the identity policy I have configured the RSA identity source, so that users are authenticated by the RSA Authentication Manager.
But access is still refused: RSA authentication succeeds, but the Active Directory group membership does not work, even with the UNIX attributes or the group principal defined for the user.
My question: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group in the external source?
The steps shown in Monitoring:
Steps
Request for access received RADIUS 11001
11017 RADIUS creates a new session
Assess Service selection strategy
15004 Matched rule
Access to Selected 15012 - NetOp/NetAdm service policy
Evaluate the politics of identity
15004 Matched rule
15013 selected identity Store - server RSA
24500 Authenticating user on the server's RSA SecurID.
24501 a session is established with the server's RSA SecurID.
24506 check successful operation code
24505 user authentication succeeded.
24553 user record has been cached
24502 with RSA SecurID Server session is closed
Authentication 22037 spent
22023 proceed to the recovery of the attribute
24628 user cache not enabled in the configuration of the RADIUS identity token store.
Identity sequence 22016 completed an iteration of the IDStores
Evaluate the strategy of group mapping
15006 set default mapping rule
Authorization of emergency policy assessment
15042 no rule has been balanced
Evaluation of authorization policy
15006 set default mapping rule
15016 selected the authorization - DenyAccess profile
15039 selected authorization profile is DenyAccess
11003 returned RADIUS Access-Reject
Thank you
Christophe
I think what you need to do is create an identity sequence with RSA selected in the Authentication and Attribute Retrieval Search list and AD in the Additional Attribute Retrieval Search list. Then select this sequence as the result of the identity policy for the service.
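To make the failing phase in a listing like Christophe's obvious, here is an added PowerShell triage helper (not from the thread) that classifies an ACS 5.x step log by its step codes; the sample log is constructed from the codes in the post, written as one "code message" line each.

```powershell
# Added example, not from the thread: classify a pasted ACS 5.x "Steps" listing by step code.
# The sample below is constructed from the codes in the post (English ACS wording).
$StepLog = @'
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15004 Matched rule
15012 Selected Access Service - NetOp/NetAdm
15013 Selected Identity Store - RSA server
24505 RSA SecurID user authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22016 Identity sequence completed iterating the IDStores
15006 Matched Default Rule
15042 No rule was matched
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
'@

function Get-AcsStepVerdict([string]$log) {
    # Collect the five-digit step codes in order; lines without a code are ignored
    $codes = @()
    foreach ($line in ($log -split "`r?`n")) {
        if ($line -match '^\s*(\d{5})\b') { $codes += $Matches[1] }
    }
    $authPassed = $codes -contains '22037'   # Authentication Passed
    $ruleMissed = $codes -contains '15042'   # No rule was matched (authorization policy)
    $rejected   = $codes -contains '11003'   # Returned RADIUS Access-Reject
    # 15006 (Matched Default Rule) fires once for group mapping and once for authorization
    $defaultHits = @($codes | Where-Object { $_ -eq '15006' }).Count

    $hint = if ($rejected -and $authPassed -and $ruleMissed) {
        'Authenticated, but no authorization rule matched: the rule conditions (AD1:ExternalGroups) ' +
        'likely had no AD attributes to match. Check that the identity sequence retrieves attributes from AD after RSA.'
    } elseif ($rejected -and -not $authPassed) {
        'Authentication itself failed; read the identity-store steps (24xxx) first.'
    } elseif (-not $rejected) {
        'No Access-Reject in this log.'
    } else {
        'Rejected for another reason; read the 15xxx authorization steps.'
    }

    New-Object PSObject -Property @{
        AuthPassed = $authPassed; AuthzRuleMatched = -not $ruleMissed
        Rejected = $rejected; DefaultRuleHits = $defaultHits; Hint = $hint
    }
}

Get-AcsStepVerdict $StepLog | Format-List AuthPassed, AuthzRuleMatched, Rejected, DefaultRuleHits, Hint
```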
-
WLC4402, SSC 4.0, EAP-FAST with ACS 4.1.23 and Active Directory
Hi all
I have a problem where my Cisco Secure Services Client (SSC) wireless software on laptops will only authenticate Windows domain users if they enter the username and password manually. The single sign-on feature does not work. I am using EAP-FAST. It is an ACS appliance-based server that I restored from the recovery CD.
When I look at the failed authentication request I can see that it is trying to send [email protected] / * / during an SSO attempt. The log shows that it is a bad username or password. Note that the end of the domain name is missing.
I can see the authentication attempt in the remote agent log (CSWINagent.log) on the domain controller, so I do know that it sends the logon request to the domain controller. The Remote Agent is the same version as the ACS server. When I authenticate successfully (manually) it does not send the domain part of the username.
This is a new installation. Initially I had 2 remote agents, both on the domain controllers, with the service running under a Windows domain administrator account with sufficient privileges. After a planned shutdown over the weekend, Windows authentication stopped working completely. I found a post in this forum that said to use Local System to start the remote agent service. This brought Windows authentication back to life, but now I have this problem. I don't know whether, before I changed it, manual logon also required the domain (i.e. domain\username). I can't be sure that this is the case!
Can anyone help me get Windows AD to accept these credentials as they are sent by the client logon? Otherwise, if I can make it work with the user account it worked with initially, that would be great.
Thank you very much
As you mentioned, SSC transmits the username "[email protected] / * /" in SSO.
What I am thinking of for the moment is to use the Proxy Distribution feature on ACS.
That is, when the request comes in as "[email protected] / * /", have ACS strip off "@domaine" and send "username" to the RA for AD verification.
After stripping "@domaine", send the request back to ACS itself, i.e. in the "forward to" column, make sure that the ACS itself is the entry.
Let me know if it works for you?
Kind regards
Prem
-
ACS 5.1 using Active Directory to manage the network device admin policy
Hi guys, we have configured an ACS 5.1 integrated with Active Directory on Win2K3. We created two AD groups to manage network devices, one for administrators and one for operators (read-only), and configured a device admin policy; the two groups work very well. But now we are facing a little problem: any user that exists in AD can log in (user exec mode) to the network devices, and we want to deny that logon with a policy, but we do not know how.
Is there a way to get a user authenticated against an ACS internal or external group but at the user level, the way you can do in ACS 4.x?
Thanks for your help!
Best regards
Oscar
Yes, you can change that; it's the default shell profile. You must create a new one with privilege level "not in use" and select that new shell profile (not the Administrators or Operators one) under Default Device Admin > authorization profile > edit, and make the changes.
I hope this helps.
-
Is there another solution to integrate NAC Appliance and Active Directory on Windows 2008 64 bit
I'm trying to integrate a NAC Appliance solution into a network where all domain servers and application servers are Windows 2008 64-bit.
Could someone help me confirm whether Active Directory (AD) on Windows 2008 is not supported, and tell me what alternatives exist to authenticate users, considering that it is not possible to make any changes on the servers; they will remain Windows 2008 64-bit.
The original idea was to use AD SSO to authenticate users, but I read that it is not supported on Windows 2008 64-bit.
I'd appreciate any help or suggestions.
Regards
Arturo Monroy
Arturo,
You can use LDAP. Configure an LDAP authentication provider and have your clients supply their credentials.
It will not, however, be a single sign-on scenario. They would have to enter their credentials again in the NAC agent.
Support for 64-bit is on its way and will be out in the new versions soon.
HTH,
Faisal
-
ISE personas and Active directory
Hello everyone,
just a question...
Which persona needs more bandwidth to Active Directory?
Assuming that I have admin | firewall | policy service and monitoring,
on which side do I place AD (because of firewall bandwidth limits)?
Thanks in advance for your answer
The primary Admin node and the Policy Service nodes. All nodes join AD, but while creating groups in AD and building your policies is done from the primary Admin node, the PSN nodes are the ones responsible for enforcing those policies. This is my personal opinion.
Thank you
Tarik Admani
* Please rate useful posts *
-
DMVPN and active directory (logon)
Hi all
We have a DMVPN configuration between a few sites and everything seems fine, except that logons over the VPN to a new Active Directory domain are very slow (10-15 minutes). I believe the problem may be with tunnel fragmentation and packet sizes, as AD is configured correctly.
I am looking for some recommendations or advice on the MTU and TCP MSS settings to see if that solves the problem.
Both the hub and the spokes currently have the following MTU and MSS settings (I've removed some irrelevant information). Tunnel0 originally had an MTU of 1440, but if anything 1400 is even worse.
Thank you
interface Tunnel0
 ip mtu 1400
 ip nat inside
 ip nhrp authentication SP1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip virtual-reassembly in
 no ip split-horizon
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile 1
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
Darren,
In general the problem is due to Kerberos over UDP traffic.
There are several ways you can solve the problem:
(1) Move to Kerberos over TCP (suggested).
(2) Set the MSS on the tunnel interface, not on the dialer interface (recommended).
(3) Enable tunnel PMTUD (strongly recommended).
M.
-
vSphere 5.5 and Active Directory
Hello
I'm having a problem trying to set up a new vCenter 5.5 appliance to use AD permissions. My AD is 2012. I gave the host on which the VC appliance sits a FULL domain name and it is joined to the domain; then I go to the VC appliance and join it to AD, which succeeds. When I go to add permissions, the AD domain is not there; only the local OS and vsphere.local appear.
When I look in AD, I notice that the host and the VC have no computer accounts, even though they seem to have joined the domain successfully.
Any ideas would be appreciated.
Paul
Hello
Please look into this link; hope this helps you:
http://wahlnetwork.com/2013/09/09/using-Active-Directory-integrated-Windows-authentication-SSO-5-5/
-
Problems of ESXi 5.5 and Active Directory
Something has clearly changed in the default Active Directory behavior for ESXi 5.5.
I can successfully join a freshly installed standalone ESXi 5.5 (1331820) from ISO to my domain by using the vSphere Client. Time is correct on the host and the domain controller, so it isn't that. I also see that the default "ESX Admins" group is automatically configured as an administrator on the host's Permissions tab (because this group has been configured in AD since approximately 2009).
Unfortunately, connecting to ESXi with the vSphere Client using "Use Windows session credentials" is uneven at best - it seems to have worked once or twice - and logging in to the shell or SSH using Windows credentials (we tried [email protected] and mon_domaine\compte) does not work.
We thought we were crazy, so we went back and installed 5.1 all over again, and it worked fine. We compared /etc/hosts and /etc/krb5.conf on both machines and could not find any differences.
Does anyone have an idea?
THX
Simple solution:
Reboot the host or run: /usr/sbin/services.sh restart
This was not necessary before, as directory-based authentication was handled in the GUI, but it is now. After a restart, AD works as it should.
-
Hello
I have a fleet of 70 VMware ESX 3.5 servers and I want to be able to manage logons better. I am familiar with adding user accounts and groups via VI or via the command line. What I want to do, if possible, is create different groups and modify their permissions on each host via a script, and then, if possible, add users to the same group in Active Directory and manage users centrally via AD. If this is not possible, I would like to script adding user accounts and changing user permissions. I like to keep control of user accounts and permissions as manageable as possible; across more than 70 servers this may prove to be a lot of work.
Thanks in advance
This is the best post I've seen on this task.
http://blog.scottlowe.org/2007/07/10/ESX-Server-ad-integration/
You can also look at Centrify.
-
I just ran into trouble cloning a Win2003 server in Active Directory. Once I renamed the clone, it renamed the original server's account in Active Directory, so I could no longer log on to the source server.
Do I always have to run newsid.exe after a clone, or can the Customization Wizard do that?
If you use the guest customization feature, it will generate a new SID for the clone if you ask it to.
I misread your post originally and was about to comment on cloning Active Directory servers (for example, domain controllers).
-
Continuing with VIO and Active Directory: referral error
While deploying the VIO OpenStack instance, I get the following error message when validating the authentication source settings:
Cannot find the specified user (group). Details: The LDAP search request failed. Referral
This seems to be a problem I have run into several times, where AD sends a referral instead of the response, which the client must then follow. But I don't see any option to allow following referrals with Active Directory. Is there a way around this?
Regards
Gerald
I found a workaround for the problem:
The query succeeds when you use the Active Directory Global Catalog ports.
The ports are:
- 3268 (without encryption)
or
- 3269 (with SSL)
Disadvantage: you can't just use your domain name to address all the domain controllers; you must specify one by its host name.
-
Authenticate the ACS 5.2 administrators against Active Directory?
Is this possible? Rather than maintaining local accounts, is it possible to authenticate the admins against AD? To be clear, I'm talking about administrators of the ACS server itself.
Not that I know, pretty sure it's local only.
The irony of this just kills me: after you roll out centralized authentication and AAA, you must maintain a local database of admins for the box itself!
Painful!
-
ACS integration with Microsoft Active Directory Services
Hi all
I was tasked with developing the integration of ACS with MS AD. What I want to know is below, assuming I have an ACS software or ACS appliance and the authentication protocol is RADIUS:
-What are the criteria for AD to integrate with the ACS software/appliance?
-Should AD be hosted on the domain controller or not?
-Otherwise, on what (DC, tree, forest, branch, flower, fruit) must AD be hosted?
-What should I do to authenticate users logging into Cisco ACS Security Manager integrated with AD?
-Are there other dependencies that I'll have to address explicitly in my description?
Thank you
Rishi
First of all, I love the flower/fruit one, keep it up.
If ACS is for Windows, it can be installed on the domain controller or on a member server. For detailed information about the post-installation tasks you must do to have full integration, please see the following link, which contains the details you are looking for:
If ACS is the Solution Engine, then you need a piece of software called the Remote Agent installed either on the domain controller or on a member server; also check the following link for more details on how to integrate it with AD:
I hope this was informative for you.
-----------------------------------------------------------------------------
Please rate good answers.
-
Meraki and Active Directory authentication
Hello
I have two remote sites, each with 5 users and PCs. Instead of a site-to-site VPN I want to use Meraki, but I want to ensure that users always authenticate with my AD.
The domain controller is in AWS.
What is the process to set this up, and what communication takes place when a user enters their credentials for AD authentication?
Thanks in advance.
https://Meraki.Cisco.com/blog/2014/11/now-in-the-MX-greater-flexibility-...