ACS 5.3 AD integration issues

Hi all

We have two ACS 5.3 devices in sync mode with some local users, groups, devices, etc. I need to join the ACS service to Active Directory. I have a few questions; can you help me please?

(1) We have a parent domain and three child domains. I need customers in all three child domains to be able to authenticate on ACS. Should I join the ACS to the parent domain, or is it possible to connect an ACS to three child domains?

(2) Will joining ACS to AD affect the current (local) configuration? Will local users somehow lose access to certain devices, or will devices disappear? What is a safe procedure?

(3) Another small question: I can access the web user interface, but can't SSH (PuTTY) using the same credentials. Am I doing something wrong?

Thank you!

(1) Join the parent domain and you can authenticate users of the parent and the child domains.

- The parent and the child have a default two-way trust, which is what is needed.

(2) No, and that's for sure.

(3) SSH creds differ from those of the web GUI.

This is usually set when you install the ACS software.

If you have forgotten it, perform a password recovery using the DVD.

Rate if useful :)

Knowledge sharing makes you immortal.

Kind regards

Ed

Tags: Cisco Security

Similar Questions

  • ACS 4.1 - LDAP integration

    We want to use ACS as a RADIUS server and use it to authenticate the VPN users.

    Remote access VPN user ---> ASA5510 ---> ACS v4.1 ---> LDAP

    ASA is already configured for the VPN; I'm a newbie with ACS. Can someone explain how to configure ACS as a RADIUS server and integrate it with LDAP?

    When a user enters his user name and password, the ASA should send that to ACS, and ACS should compare it to LDAP.

    Thank you

    How to configure ASA to Radius configuration and VPN authentication

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c18ff.shtml#CLI

    How to configure the ASA on ACS as a radius client:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c18ff.shtml#ACS

    Check the authentication Test between ASA and ACS

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c18ff.shtml#Veri

    ACS and the LDAP integration database

    After that set the host name (such as the LDAP server's IP), Port 389 and Admin username and password.

    Kind regards

    Jousset

    The rate of useful messages-

  • Upgraded ACS VM to 5.4, space issue warnings

    Upgraded to 5.4 last night and ran into several warnings regarding storage space. Here is the specific message:

    Warning: [acsDiskSizeCheckUtil.sh] Patch of 1079 M size exceeds the quota allowed 1000 M. it will not prohibit hotfix installation process as long as there's enough disk space. Please note that this indicates that you should consider moving ACS to a superior machine of disk space

    I also note that the 5.5 upgrade documents say you need 500 GB or more available for the upgrade.

    The virtual machine was thin provisioned with a 512 GB drive and shows only 84 GB actually used, so a few questions.

    1. Is the underlying operating system used by ACS smart enough for me to simply increase the capacity of the underlying virtual disk and have it recognize this new capacity?
    2. Are there any CLI commands in ACS that will allow me to see/manage the underlying disk capacity?
    3. The documentation says to increase the capacity by either "re-imaging" the virtual machine or installing a completely new instance and restoring the backup from the original. What exactly does Cisco mean by "re-imaging"? Are they referring to storage vMotion, where I can change the disk during a migration?

    Thank you for all time.

    My comments:

     Is the underlying OS used by ACS smart enough for me to simply expand the capacity of the underlying virtual disk and have it recognize this new larger capacity

    - Unfortunately, the answer is 'No'. I tried to increase the capacity of a disk in ISE and ACS with root privileges and both times it was a complete failure. Now maybe it was because of my low Linux skills, but... in any case, the answer is really 'no'. If you want more disk space you must re-create the ACS VM and then restore/re-build your config.

     Are there any CLI commands in ACS that will let me view/manage the underlying disk capacity?

    -Have you tried to display the records

     The documentation says to increase the capacity be either "re-imaging" the vm or installing a totally new instance and restoring the backup from the original. What exactly does Cisco mean by "re-imaging" ? Are they referring to storage vMotion where I can change the disk during a migration?

    -Related to the #1 issue. Basically, you blow the current VM and build a new one. Then you restore your configs.

    Thank you for evaluating useful messages!

  • OAM and Oracle Portal integration issue

    I have Oracle Portal (OAS 10.2.0.3) installed and it worked fine with OAS SSO. I was able to log in users from Oracle Internet Directory. I also installed Oracle Access Manager (10.1.4.0) with Oracle Internet Directory. Then I followed the Oracle By Example "Integrating Oracle Access Manager with Oracle Single Sign-On and Oracle Portal" (http://www.oracle.com/technology/obe/fusion_middleware/im1014/oam-osso-portal/oam-osso-portal.htm) to integrate OAM and Oracle Portal.

    In the last step, after I typed http://<server.domain>:7778/pls/portal and clicked on the login link, I saw the LDAP-based challenge box (which was good). But after I provided an OID user name and password and clicked OK, the portal page did not change at all. It seemed that I was logged in, but I couldn't see the Builder or portal admin tab, or the logout link. So I couldn't even log out of the portal because the logout link was not displayed.

    could someone help me on this issue?

    Thank you
    Georges Nicks

    Hi Georges Nicks.

    I think that the OSSO plugin does not receive user name information correctly. You can add debugging statements in the SSOOblixAuth.java and recompile / redeploy to see if the value is received.

    In addition, the OBE article directs you to add the attribute back to ossouser (with the uid of the user as a value) on the success of the authentication. Can you try to add the same action Expression of authorization on the success of default permission?

    -Vinod

  • VSS of LabVIEW integration issue

    Hello

    I'm trying to co-simulate VSS and LabVIEW by running a simple example from the AWRDE example files. I get the error message that I need an integration license (see the attached screenshot) in order to use the LabVIEW block in VSS. I'm running LabVIEW 2013 Professional Edition and have the following version of AWR:

    10.02R build 5983 Rev (78833). I have Windows 7 on my computer.

    Can someone please tell me what the integration license is and how to get it? We have the license for LabVIEW, as well as for the AWRDE software. Thank you.

    Kind regards

    Kathar

    Hi, Kathar, the best way to fix this is to upgrade to AWRDE v11.01 (available from the download link at www.awrcorp.com).

  • Mathematical integration issue

    Hi all

    Here's a VI I'm working on... it's for a Powermeter instrument that measures power through photodiode sensors. The unit is used to measure the power at 1 wavelength. I made the VI to measure over a whole range of wavelengths, over some time, and then integrate all the values of the measured power. This way I can include the visible wavelength components in the final value of the measured power.

    However, when measuring, after integration, I get different values depending on the sampling step. This can't be right, since I'm covering the same wavelength range, and changing the step (measuring every 10 or 50 nanometers) should not affect the final result. I think the problem is in the method of integration. Is there anyone with knowledge of mathematical integration, or of the integration VIs in the full version of LabVIEW? Can anyone suggest maybe another integration VI? Or maybe another method? I'll be very grateful!

    Best regards

    G.

    The simplest method of numerical integration is the rectangle rule. The following figure should explain it.

    In your case, 'h' is the sampling step (in nanometers), and so is the dt input.

    Say you have a point every 10 nm and f(x) = 2 is a constant function. The area of a rectangle is then 10 * 2 = 20. Your dt should also be 10. However, if you set the dt to 0.1, the formula calculates 0.1 * 2 = 0.2, which is a false result. To get the correct value, you would need to have a sample every 0.1 nanometers, so on a 10 nm range the area would be 0.1 * 2 * 100 = 20. Another way is to keep the sampling at 10 nm and multiply the value of f(x) by 10/0.1 = 100, so that you get 0.1 * 200 = 20.

    If you are unsure, simply generate a constant waveform and play with the settings. It is easy to determine the integral of a constant function and of other elementary functions, such as sine or cosine. If you manage to get the correct value on these functions, you should be able to use the same settings on your custom signals, because they have the same sampling step.

    I hope it's clearer now

    Kind regards

    Adam

  • ACS 5.4 implementation (integration with AD)

    Hi all

    Has someone already installed ACS 5.4? I installed it but I have a problem when setting up my own server.

    I joined AD on the server, but when I go to Access Policies > Access Services > Identity I cannot see any AD in the identity source. I followed all the steps.

    Is there a problem on my server?

    When I click OK I have this error

    Can someone help me?

    Post edited by: koufrs

    Supported browsers and Web Client

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp222016

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • ACS 5.1 and AD integration

    I just installed ACS 5.1 as a virtual machine instance to provide TACACS+ AAA.  So far, things are working properly with local authentication and now I want my users to authenticate via AD.  Looking at the user guide at page 8-39, it looks like I need to create an AD identity store and join the ACS server to the domain.  Is this correct? And is the AD username/password required a one-time thing to join the ACS server to the domain, or does a special account need to be set up on the AD server?

    Thank you!

    Bob

    Yes, that's correct.

    Join the ACS to an AD domain
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140906

    ACS 5.1 must be configured with a valid NTP server for time synchronization, preferably the same source the domain controller synchronizes its time from. The other requirement is a valid DNS server that can resolve internal names.

    Both of them are configured in the CLI:
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003

    ip name-server
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1729536

    NTP server
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1013780

    And yes, the admin username and password you use would be a one-time thing. It can be an existing admin account; just make sure the admin credentials you use to integrate ACS with AD have privileges to add a computer to the domain.

    We would never recommend deleting the admin account after integrating ACS with AD.

    HTH

    JK

    The rate of useful messages-


  • ISE AD integration issues

    G ' Day all,

    I'm trying to join my primary admin node to AD, but I am receiving the following error message in the ISE graphical user interface.

    using the writable domain controller: addc01.abc.com

    Computer update DnsName failed.

    The user doesn't have privileges to update the DNSHostName attribute.

    Error: Either user [email protected] / * / do not have enough permissions to be

    Domain Abc.com, Zone Null

    Or this computer already has an account in the domain.

    To join, you must have domain administrator privileges.

    Join to the domain Abc.com, Null area has no

    The detailed test passes fine. I do not see errors NTP and DNS is completely resolved at both ends.

    Any help is greatly appreciated guys.

    James

    I had a similar problem.

    I received the following error message:

    The domain controller using: paprowdc.domain.corp writable = true
    Computer update dnsName failed.
    The user doesn't have privileges to update the dNSHostName attribute.

    Error: Either user [email protected] / * / doesn't have sufficient permissions to join
    field domain.corp, null zone
    or this computer already has an account in the domain.
    To join, you must have domain administrator privileges.

    Domain join 'domain.corp', 'null' area failed.

    The problem was resolved by adding the privilege to add machine objects in AD to the user_ad user.

    Kind regards

  • 2960 - S FlexStack - stack integration issue?

    I have a client with two WS-C2960S-24PD-L units; both devices have FlexStack modules and run C2960S software (C2960S-UNIVERSALK9-M), Version 12.2 (55) SE2, RELEASE SOFTWARE (fc1).

    The first switch is in use with a running-config on it, and because of a migration the customer has asked me to add the new switch to the existing switch to make a single stack (CoXYZStack).

    I dug around on Cisco's Web site and am only able to find the following FlexStack guide:

    http://www.Cisco.com/en/us/prod/collateral/switches/ps5718/ps6406/white_paper_c11-578928.html

    Unfortunately, this document does not really detail the configuration that I need on a switch. Does anyone have Cisco FlexStack configuration experience? If so, can you give me some advice on the system requirements on the two switches?

    Basically what is happening is that both switches act as independent 'stacks' in their own right and I am unable to get them to recognize each other or operate together as one stack.

    switch 1 provision ws-c2960s-24pd-l
    switch 2 provision ws-c2960s-24pd-l

    I tried the 'switch x provision xyz' configuration line on CoXYZSw1, and as you can see when you do a 'sho switch detail' it shows as provisioned, but on CoXYZSw2 neither the stack ports nor the stack ring come up?

    CoXYZSw1 #sho switch retail
    Switch/battery Mac address: c8ba.bf77.1234
    Current H/W
    Switch # Mac address priority Version State role
    ----------------------------------------------------------
    * 1 master c8ba.bf77.1234 14 1 Ready < you will see I also tried altering CoXYZSw1 priority to 14 to ensure it came up as >
    2 Member 0000.0000.0000 0 1 put into service

    CoXYZSw1 #sho switch stack-ring speed

    Speed ring battery: 10G
    Configuration of the stack ring: down
    The ring protocol stack: FlexStack

    CoXYZSw1 battery-ports of the switch #sho
    # Port 1 Port 2 Switch
    --------    ------       ------
    1 down Down

    And as you can see, the switch does not see or recognize its neighbor? I tried the two possible FlexStack wiring configurations, i.e. Stack 1 to Stack 1 / Stack 2 to Stack 2 and Stack 1 to Stack 2 / Stack 2 to Stack 1.

    CoXYZSw1 #sho neighboring switch
    # Port 1 Port 2 Switch
    --------    ------       ------
    1 none none

    Anyone has any ideas or a configuration example would be greatly appreciated.

    PS: Also had a trial with this config "stackmaker", but that doesn't seem to help much either? "stackmaker name CoXYZStack.

    You need a minimum of one stack cable connected.

    Make sure that the 2nd switch DOES NOT HAVE any configuration on it.

    And yes, power off stack member switch 2, connect a console cable and power it up.  Then post the generated output.

  • Void / navigation Menu / integration issue of the e-commerce of the BC, please help!

    Hello

    sarahcosmetics.com is an e-commerce site that I've developed with Muse and Business Catalyst.

    I sectioned off sub categories form of pages which make correctly however my client recently asked me to add a submenu for navigating these pages at the top of the site.

    I currently have a link to the following pages: "Lips" 'eyes' and 'face' through hypertext links which I have incorporated into my muse projects 'page' products I was able to locate the appropriate links to my store via BC categories after setting up the shopping cart.

    It was to find work but my clients asked me to incorporate a dropdown under linking products to, 'Lips' "eyes" and "deal with" via the navigation menu.

    I thought it would be child's play I use a widget of grid of muse for the navigation menu that works very well on the other sites, however in this case, when I publish it links to these pages, it connects to my muse model pages for "Lips" 'eyes' and 'face' (who seem to have a different hyperlink) so no products are returned.

    I'm really need help to know what the difference is and how to get around this problem to properly set up the sub menu of navigation.

    Currently, the hypertext links this page works fine, http://www.sarahcosmetics.com/products.html

    So I guess you deleted the navigation sub under products menu.

    If the pages 'Lips', 'Eyes' and 'Face' include {tag_pagecontent}, then they will appear under templates when the site is published to Business Catalyst. In case you use the content tag, try to remove it and insert the content directly on the pages, and then include the links in the main navigation menu; it should work.

    If you still need help, then I suggest you to publish the site as a place to test new with all the links of the menu SUP to the title of the item in main menu of products, so that we can check on our end.

    Thank you

    Sanjit

  • Navigation glossary integration issues

    Here's my situation. I'm building a course in version 5.5. I have an opening slide and then a glossary placed as slide 2. This slide should be accessible when the user clicks a Glossary button on each slide. A Back button on the glossary will return users to the previously visited slide. I am also using the standard playback bar. I need to keep the glossary slide hidden until users click the Glossary button. As it is now, the slide is visible when moving forwards and backwards using the playback bar. What is the best way to keep the slide hidden during navigation? I'm not very familiar with advanced actions and am very new to using the program. Thank you.

    Here is a brief overview of what you need to do:

    1. Create a variable named, say, varAllowGlossary and set its initial value to 0. (Use the Project > Variables menu to create the variable.)
    2. Create a conditional advanced action named, say, SkipOrShowGlossary to run this logic:
      • If varAllowGlossary is 0, go to the next slide, ELSE continue
    3. Set the 'On Enter' action of your glossary slide to Execute Advanced Actions > SkipOrShowGlossary
    4. Set the 'On Exit' action of your glossary slide to assign varAllowGlossary with 0 (although this action will not be executed if the user clicks the Back button on the slide instead).
    5. Create a standard advanced action named, say, ReturnFromGlossary, with two actions as follows:
      • Assign varAllowGlossary with 0
      • Go to last visited slide
    6. Set ReturnFromGlossary as the 'On Success' action of the Back button on the glossary slide.
    7. Create a standard advanced action named, say, GoToGlossary, with two actions as follows:
      • Assign varAllowGlossary with 1
      • Go to slide {your glossary slide}
    8. Set GoToGlossary as the 'On Success' action of any button that is intended to take the user to the glossary.

    Hope that helps!

    Trevor

  • ACS 5.1 integration with WLC

    Hello

    Can someone help me find a document for the ACS 5.1 appliance covering TACACS+ integration (configuration) with my WLC, and also RADIUS configuration for clients?

    All wireless controller configuration examples show only ACS 4.x integration.

    Thanks in advance

    Hello

    There is unfortunately no official configuration example for this right now.
    However, you can view these screenshots I took from a lab example, showing how to set up the shell profile and pass it back via the authorization rule.

    Hope this helps,

    Fede

    --
    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Impossible to browse Active Directory to an ACS 5.1

    Hello

    We joined our ACS 5.1 to our Active Directory 2003. The system seems properly attached: on the ACS we see connectivity status "joined", and if we try the test button we get "connection succeeded". In the AD tool, we notice that a computer account has been created for our ACS.

    We wanted to create the directory groups, but the browse tool is empty and no query gives any output.

    The ACS is joined, but we are not able to browse Active Directory.

    Any suggestions that could be the problem?

    Thank you.

    It is a matter of course due to defect mentioned below.

    CSCtf39158 - failed to retrieve ad groups in a single forest with multiple trees scenarios

    You must apply the Patch 3 for this problem

    file name: 5-1-0-44-3

    Download of: CEC / Support / download http://www.cisco.com/public/sw-center/index.shtml

    Letter: Security / identity management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.1 / 5.1.0.44

    ##Steps to create the repository.

    This FAC CLI mode

    Create a repository (it's basically FTP server definition)
    AAA/admin (config) # repository FTP---> (can be any name)
    AAA/admin(config-Repository) # url ftp: / /
    AAA/admin(config-Repository) # password ordinary user

    ===============================
    Steps to install the ACS 5.1 patch:
    ===============================

    Issue the following acs patch command in EXEC mode to install the ACS patch:

    acs patch install patch-name.tar.gpg repository repository-name

    Rgds.

    JK

    The rate of useful messages-

  • Problems with patching: ACS 5.0 to 5.1 upgrade

    I'm following the instructions to upgrade ACS 5.0 to 5.1

    But I can't get past the first step:

    Step 1 Install the ACS 5.0 patch:

    Issue the following acs patch command in EXEC mode to install the ACS patch:

    acs patch install patch-name.tar.gpg repository repository-name

    Here is my result:

    / Admin # acs patch install repository 5-0-0-21 - 9.tar.gpg mytftp
    chmod: cannot access at the "* .sh ': no such file or directory".
    Error: Could not open the patch 5-0-0-21 - 9.tar.gpg

    It downloads the patch via TFTP OK, but cannot install it.

    Can anyone help?

    Thank you

    There are problems in 5.0 with using tftp for file transfers that exceed 32 MB. There may be problems with the ftp servers that exceed this limit.

    I recommend using an alternative repository type, for example FTP or a local repository on the server.
