ACS 5.1 - AD authentication vs LDAP

Any help on this would be great

I can get my account authenticated to the Cisco switch when Active Directory is configured in the external identity stores, but not with my LDAP setup. Here are a few logs: a successful login with AD and an unsuccessful one with LDAP.

AD-SETUP

Selected identity store - AD1
Current identity store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy evaluated before; Continuing Identity sequence
Authenticating user against Active Directory
Retrieving Active Directory user groups succeeded
Active Directory user authentication succeeded
Authentication Passed
Access Policy
Access Service:
Default Device Admin
Identity Store:
CDs
Selected Shell Profile:
Privilege mode
Active Directory domain:
Blah.com/results.htm
Group membership:
Matched Service Selection Rule:
Rule-2
Matched Identity Policy Rule:
Default
Selected Identity Stores:
CDs
Requested Identity Stores:
Selected Requested Identity Stores:
Matched Group Mapping Policy Rule:
Matched Authorization Policy Rule:
Rule-1

The only problem with this configuration is that I can only add the domain blah.com/results.htm, for example, and I get massive latency since the authentication process goes out to another domain instead of the local controllers.

I can tell from the AAA status on the Monitoring and Reports dashboard that latency is about 8000 ms, and logging on to the switch is slow.

LDAP-SETUP

In my LDAP configuration I have a primary host name and a secondary one closer to home to avoid latency. I do a bind test, which returns successfully on both hosts. I configure my Directory Organization tab and do a test configuration, which returns Subjects > 100 and Groups > 100.

I have reset my identity stores to use LDAP instead of AD and tried again, but for some reason I get a 22056 object not found error! I just can't get this to work. Here are the details:

Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default rule
Selected identity store -
Current identity store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy evaluated before; Continuing Identity sequence
Sending request to primary LDAP server
Authenticating user against LDAP server
User search ended with an error
Primary server failover. Switching to secondary server
Sending request to secondary LDAP server
Authenticating user against LDAP server
User not found in LDAP server
Object was not found in the identity store.
Advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply

Are there any ideas I can try so that it finds my account the way the AD setup did? Ideas please?

Cheers

Hi Ed,

Try using a standard LDAP browser (www.ldapbrowser.com) to view the LDAP structure. Verify that the base DN used for searches matches the structure.

Regards,
~JG

Do rate helpful posts
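The base-DN check JG suggests can be reasoned about without a live directory. The following is an added example (not code from the thread or from Cisco): it parses distinguished names and decides whether a user entry would be visible from a configured search base and scope. The DNs, the user name "Ed" and the OU layout are constructed for the example; the point it shows is that an entry which exists in the directory but sits outside the configured base DN or scope comes back as "user not found", exactly the 22056 symptom in the original post.

```python
"""Added example: does a user's DN fall inside an LDAP search base and scope?

Not part of the forum thread. Sample DNs and the OU layout below are
constructed; the logic mirrors how an LDAP server applies base + scope."""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 DN into (attribute, value) pairs, leaf first.

    Handles backslash-escaped characters (e.g. 'CN=Doe\\, John'), tolerates
    spaces around '=' and ',', and normalises case so that 'DC=Blah' and
    'dc=blah' compare equal. Multi-valued RDNs (a+b) are kept as one value."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:            # previous char was a backslash: take literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma terminates an RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    parsed: List[RDN] = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


def in_search_scope(user_dn: str, base_dn: str, scope: str = "subtree") -> bool:
    """True if a search rooted at base_dn with the given scope can reach user_dn."""
    user = parse_dn(user_dn)
    base = parse_dn(base_dn)
    # The base must be a suffix of the user's DN (DNs are leaf-first).
    if len(user) < len(base) or user[len(user) - len(base):] != base:
        return False
    depth = len(user) - len(base)   # 0 = the base entry itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope!r}")


def explain(user_dn: str, base_dn: str, scope: str = "subtree") -> str:
    """One-line verdict in the spirit of the ACS step messages."""
    if in_search_scope(user_dn, base_dn, scope):
        return "found"
    if in_search_scope(user_dn, base_dn, "subtree"):
        return f"user not found: entry is under the base DN but outside scope '{scope}'"
    return "user not found: entry is not under the configured base DN"


if __name__ == "__main__":
    # Constructed sample: the admin account lives two OUs below the domain root.
    ed = "CN=Ed,OU=Network Admins,OU=Users,DC=blah,DC=com"
    for base, scope in [("DC=blah,DC=com", "subtree"),
                        ("OU=Users,DC=blah,DC=com", "onelevel"),
                        ("OU=Servers,DC=blah,DC=com", "subtree")]:
        print(f"{base:28} {scope:9} -> {explain(ed, base, scope)}")
```

Run it against the base DN and scope configured on the ACS LDAP identity store and the DN shown by the LDAP browser for the account; the second and third cases are the two ways a bind test can succeed while user lookup still fails.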

Similar Questions

  • Authentication LDAP BI publisher

    Hello

    I am trying to enable AD authentication for BI Publisher. I tried most of the possible LDAP configuration settings. But when I try to connect, it throws the following error.

    The server cannot be used because of a configuration error, please contact the administrator. If you are the administrator, please see the BI Publisher user guide for the correct configuration.
    Detail of the error

    Previous

    oracle.apps.xdo.security.ValidateException

    Should I create the BI Publisher roles in the LDAP server for BI Publisher LDAP authentication?

    Kindly let me know if anyone has a solution for this.

    Thank you and best regards,
    Rajesh J

    Edited by: sj_rajesh May 18, 2010 16:49

    Here is an example of an LDAP with ADSI integration:
    http://gerardnico.com/wiki/dat/BIP/ldap_adsi

    And yes, you must create the groups in the LDAP directory. They are imported when BIP starts.

    Cheers
    Nico

  • Change the role of the user once authenticated with LDAP authentication

    Hi forum,

    I don't know if this is possible; I have not found a solution so far.

    I have a simple web application with LDAP authentication. We would like to use LDAP for authentication and store the information of user roles in the database. After authentication, LDAP assigns the role of "guest" to the user and the home page (the only page available for this role) is displayed.

    In this home page, the user must select a profile (the same user can have multiple profiles) in a list retrieved from the database. The profile of each user has an associated role. After selection, we want to change the role of the user "guest" to the role associated with the selected profile.

    I don't think that implementation of a custom plug-in fits my needs because the role assignment requires the participation of the user.

    Any suggestions?

    Thanks in advance,

    Tatiana.

    Hello

    Well, the problem is that you need to change the Subject of the authenticated user, which is a JAAS thing to do. The only way this can work is indeed to use a custom LoginModule and then access the user object to add a security principal that represents the role you want to add.

    Frank

  • ACS 4.2 RSA Authentication and LDAP group mapping

    Hello

    I have a Palo Alto firewall with the GlobalProtect (SSL VPN) feature enabled.

    I use Cisco Secure ACS as a proxy for the RSA SecurID authentication.

    After authentication I try to map AD groups through an LDAP query.

    The issue I've found is that the user I get from user authentication has no domain field:

    show user ip-user-mapping all | match mbm60380

    10.240.1.24 vsys1 UIA 2388 2388 domain\mbm60380

    10.240.1.1 vsys1 UIA 2101 2101 domain\mbm60380

    10.240.250.1 vsys2 GP 2590859 2590859 mbm60380

    But the list of users that I receive from the LDAP query includes the domain prefix:

    show user group name domain\group1

    short name: domain\group1

    [1] domain\aag60368

    [2] domain\ced61081

    [3] domain\jas61669

    [4] domain\mbm60380

    [5] domain\pmc61693

    [6] domain\vcm60984

    I would like to create the user with the domain on ACS, but it must strip the domain before querying the RSA server, as that server does not support domain stripping.

    I tried to fix this on the Palo Alto firewall without success.

    I'm trying to do it on Cisco Secure ACS 4.2 instead, but that did not work either:

    RSA servers are configured as an external database.  They are not defined in the groups of network devices.

    Can I set up domain stripping for queries to the RSA servers?

    Thank you

    Hello

    I think it should work, but it is a bit awkward:

    Create an entry in the Proxy Distribution Table in Network Configuration:

    DOMAIN\\USER*

    Prefix

    Then forward to the AAA server, and from there authenticate to the RSA server without the domain prefix.

    Make sense?

    Thank you

    Chris

  • ACS, WCS, PEAP, Machine Authentication

    We are building a new wireless network with a new ACS 5.2 appliance and new wireless LAN controllers with WCS.  We want to create an encrypted/secure SSID through which ONLY the machines managed by us can access the LAN.  We are looking for the best solution with a minimum of complexity.  After several internal discussions, we are looking at using PEAP authentication (testing with a self-signed certificate), and then creating an access policy on the ACS to validate that the machine is a member of Active Directory.  Unfortunately I can't find a way to validate the machine's membership.  I don't know if I'm missing something or if this is even possible.  If anyone has any suggestions for making this happen, or a better way to handle this, I would appreciate the help.

    What you need is machine authentication. The machine will first authenticate with its own credentials (AD account) and then the user authenticates too. This option is available in the Windows client.

    Then, you can also set the ACS to only allow a user to authenticate if the machine was authenticated before.

    You must enable machine auth on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the box to enable machine authentication).

    Also, under Access Policies --> Access Services, Allowed Protocols tab, enable the option "Process Host Lookup".

    Create an access policy, enable PEAP-MSCHAPv2 / Process Host Lookup, and set the conditions using Identity Group and Was Machine Authenticated, so that it looks like:

    (1) if Identity Group is the computer group, then allow access

    (2) if Identity Group is the users group and Was Machine Authenticated, then allow access

    (3) deny access by default

    More details in discussions like https://supportforums.cisco.com/thread/2014145

    I hope this helps.

    Nicolas

    ===

    Remember to rate responses that you find useful

  • How to set up authentication LDAP remote VPN access method?

    In most lab scenarios, documents only show us how to configure credentials local (AAA) or RADIUS to authenticate for VPN remote access.

    Could someone kindly post some documentation or command lines on configuring LDAP authentication (for example against an AD server)?

    Appreciate any help from you...

    Hello

    You can check out: https://supportforums.cisco.com/document/139241/remote-access-vpn-asa-au...

    HTH

    Averroès.

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'm setting up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers. I use Windows 2003 Server for it and a Windows 2003 Server Active Directory.  The AD server is fine; it is used for many other things.

    I've implemented ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide for using AD as an external database (e.g. setting up services to run with a domain administrator account, setting up a machine called "CISCO" in the domain, etc.).

    I've set the unknown user policy to use the Windows database if the internal database does not contain the user's details.

    If I add a user to the internal database, authentication goes through fine, with an entry in the "Passed Authentications" log.

    02-24-2010,05:07:03,Authen failed,eXXXX,Network Administrators (NDG),X.X.X.X,(Default),Internal error,(internal error message)

    I scoured Google etc. and just cannot come up with any reason why this should be the case. I followed all of the installation guides to the letter.  I need to get this up and running as soon as possible, so am eager to know if someone can help me with this one!

    Thanks and greetings

    Sharan

    George,

    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a 64-bit machine.  ACS would not work with Active Directory when installed on 64-bit machines before ACS 4.2.1.

    -Jesse

  • [ACS 5.4] PEAPv1 authentication with MAC filtering

    Hello

    Our WiFi uses PEAPv1 authentication.

    It works very well with different devices (computer, tablets, smartphones).

    Now, I want to filter on the company's devices. We have all the MAC addresses of these devices.

    Is it possible to enable PEAPv1 authentication combined with MAC filtering in Cisco ACS?

    I don't want to filter MAC addresses on the WLC...

    Thank you

    Patrick

    Hi Patrick,

    See if this helps:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

    https://supportforums.Cisco.com/thread/2163123

    Agentless network access:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/common_scenarios.html#wp1053005

    Ed

  • 5.2 ACS with different RADIUS authentication servers

    Hello

    I want to migrate from ACS 4.1 to ACS 5.2. I have already configured TACACS+ authentication, but now I'm stuck on the RADIUS authentication for the remote access WebVPN configuration. Please see the following diagram:

    I want to configure ACS to use the WBS Token Server first. If authentication fails or the user is not found, ACS must use IAS on Windows Server. If this server fails as well, ACS must use the internal DB. Additional attributes such as group membership or downloadable ACLs should be taken from the internal ACS DB.

    Is it possible to configure ACS like that? In ACS 4.1 it is very easy to configure by selecting the per-user authentication method.

    Thanks for your help!

    There is an option in the Advanced tab of the 'RADIUS Identity Server' definition that reads:

    This identity store differentiates between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how a rejection from the identity store should be interpreted by ACS for identity policy processing and reporting.
    Treat rejects as 'authentication failed' / Treat rejects as 'user not found'.

    In order to continue in the sequence, I think you have to select the option "user not found".
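The reason that option matters is the way an identity store sequence is walked: "user not found" moves on to the next store, while "authentication failed" ends the sequence. The following is an added example, not code from the thread or from Cisco, that models this with constructed stores (a token server and an IAS server that can only return accept/reject, and an internal DB that can tell the two apart) and a constructed user who exists only in the internal DB. It shows why the sequence in the question never reaches the internal DB until the RADIUS stores are set to treat rejects as "user not found".

```python
"""Added example: how an identity store sequence reacts to 'authentication
failed' versus 'user not found'. Not from the forum thread; stores, users and
passwords below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PASSED = "passed"
AUTH_FAILED = "authentication failed"
USER_NOT_FOUND = "user not found"


@dataclass
class IdentityStore:
    name: str
    users: Dict[str, str] = field(default_factory=dict)  # username -> password
    # A store that only returns accept/reject (e.g. a RADIUS proxy) cannot
    # tell the caller whether the user was unknown or the password was wrong.
    distinguishes_reject: bool = True
    # The 'Advanced' option from the answer: how a bare reject is reported.
    treat_reject_as_not_found: bool = False

    def authenticate(self, user: str, password: str) -> str:
        if self.distinguishes_reject:
            if user not in self.users:
                return USER_NOT_FOUND
            return PASSED if self.users[user] == password else AUTH_FAILED
        if self.users.get(user) == password:
            return PASSED
        return USER_NOT_FOUND if self.treat_reject_as_not_found else AUTH_FAILED


def run_identity_sequence(stores: List[IdentityStore], user: str,
                          password: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the stores in order; return the final result and the per-store trail.

    'user not found' continues to the next store, 'authentication failed'
    stops the sequence, and a pass stops it successfully."""
    trail: List[Tuple[str, str]] = []
    for store in stores:
        result = store.authenticate(user, password)
        trail.append((store.name, result))
        if result in (PASSED, AUTH_FAILED):
            return result, trail
    return USER_NOT_FOUND, trail


def build_sequence(rejects_as_not_found: bool) -> List[IdentityStore]:
    """Constructed stores in the order the question asks for."""
    return [
        IdentityStore("WBS Token Server", {"alice": "123456"},
                      distinguishes_reject=False,
                      treat_reject_as_not_found=rejects_as_not_found),
        IdentityStore("IAS", {"bob": "b0b-pass"},
                      distinguishes_reject=False,
                      treat_reject_as_not_found=rejects_as_not_found),
        IdentityStore("Internal DB", {"carol": "c4rol-pass"}),
    ]


if __name__ == "__main__":
    for option in (False, True):
        result, trail = run_identity_sequence(build_sequence(option), "carol", "c4rol-pass")
        print(f"rejects as 'user not found' = {option}: {result}")
        for name, outcome in trail:
            print(f"  {name}: {outcome}")
```

With the option off, carol is rejected by the token server and the sequence stops there even though her credentials are valid in the internal DB; with it on, the same request walks through all three stores and passes. The trade-off is that a genuinely wrong password is also reported as "user not found" by those stores, so the reports for those stores lose that distinction.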

  • Cisco ACS. Two-factor authentication.

    Hello.

    We intend to use the following connection scheme: Cisco ASA + Cisco ACS 5.4 + RSA SecurID.
    We use two groups on Cisco ACS. Group "A" must use two-factor authentication, and group "B" must not.
    How do we create this rule?

    Use rule-based identity selection with the tunnel-group-name as a selector.

    The ASA will send the tunnel group name in the auth request.

    Attached example.

  • Cisco ACS TACACS+ problem with authentication

    I'm having a problem authenticating to a switch using TACACS+ with my ACS 5.2 server. I can actually do a 'test aaa group tacacs+ username password legacy' and it returns a successful user authentication. When I try to use this same account to authenticate to the switch, it is unsuccessful, and I don't even see the attempt hit ACS.

    Most likely, it is a misconfiguration of the AAA commands on the switch.

    Sent from Cisco Technical Support iPad App

  • ACS with AD - machine and user authentication

    Hi gurus

    I want to integrate my ACS 5.1 with AD. My requirement is to check first for machine authentication. If machine authentication passes, the client's username/password must be validated and the client should be placed in VLAN X. If machine authentication fails, the client's username/password must still be validated, and if authentication is successful the client should be put into VLAN Y.

    Let me know if this is possible

    Thank you

    NikhiL

    Nikhil,

    You can set a condition in your authorization policy that checks whether machine authentication was performed, and base your result on that condition.

    Here's a guide that corresponds to your question:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978

    Thank you

    Tarik Admani

  • the ACS 5.1 stopped authentication logs after restart!

    Hi all

    I saved the running configuration on first startup and restarted the ACS 5.1. Since then it has stopped logging authentications: I can connect to network devices using TACACS+, but I get no TACACS+ authentication logs. Your prompt response will be appreciated.

    Rgds

    HK

    Hello

    Can you please access the ACS CLI through SSH or the console and run "show application status acs"? Are all ACS services running, or are some stuck in the state "Initializing" or "Not tested"?

    If so, you might want to try restarting the ACS services with 'acs stop', then 'acs start'.

    If the reports are not displayed in Monitoring and Reports, it is generally a problem with the ACS View services.

    I hope this helps.

    Kind regards.

  • Cisco Secure ACS 4.2 Windows authentication of different domain

    Hello

    I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain, and users of that domain belonging to a certain group are authenticated.

    Now I have to change the configuration of the server and join it to another domain. There is no trust relationship between the two domains, and I would like to know if users can still be authenticated against the previous domain.

    Hello

    First of all, take a backup (as a precaution, in order to restore the config if something goes wrong), then continue with the following:

    -Remove the Windows domain configuration (group mapping etc.) from the server before changing the domain.

    -Change the domain membership, and then restart.

    -Follow the post-installation tasks for ACS (see this link): http://tiny.cc/zr6huw.

    -Configure the external database again on ACS (group mapping, unknown user policy, etc.).

    You should note that if the new domain controller is Windows Server 2008 R2, that is not supported by ACS 4.x.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • ASA5510 authentication LDAP on W2K3 AD domains

    Does LDAP authentication work across all of the W2K3 Active Directory domains with several ASA5510 firewalls? Or do I need to configure another authentication type? If I use another type of authentication, do I need specific portals with special bookmarks based on logins?

    The ASA can, via the LDAP protocol, do a multi-domain search using the Active Directory Global Catalog Server (AD-GCS) within a single AD forest.

    For more information about Global Catalog Server features and configuration, please consult the Microsoft documentation.

    AD-GCS uses a special port, 3268, for non-secure operations and port 3269 for secure ones (LDAP-S).

    The ASA CLI configuration:

    With the CLI, configure an AAA server for AD-GCS on the ASA/PIX platform:

    ASA# show running-config aaa-server GC
    aaa-server GC protocol ldap
    aaa-server GC host 10.10.1.1
     server-port 3268
     ldap-base-dn DC=MyDomain,DC=com
     ldap-scope subtree
     ldap-naming-attribute userPrincipalName
     ldap-login-password *
     ldap-login-dn CN=ldap-reader,OU=employees,DC=MyDomain,DC=com
     server-type microsoft

    Note 1: The client must have an attribute that is unique and simple in AD so that it can be used for LDAP searches. userPrincipalName or sAMAccountName are usually unique attributes that can be used.

    In this example, based on naming-attribute = userPrincipalName, the VPN user would connect with [email protected].

    Note 2: in Global Catalog mode, not all LDAP attributes are returned (for example memberOf), which the ASA needs to make policy decisions, say through Dynamic Access Policies: https://supportforums.cisco.com/docs/DOC-1369 .
