ACS 5.4 with AD domains

I read the release notes and the user guide for ACS 5.4, which mention the ability for ACS nodes in the same deployment to join different AD domains. But each node can be attached to only a single AD domain. My question is this... in a failover situation, what does that buy me?

Hypothetical:

I have two sites, each with an ACS, and each has its own AD domain. The ACSs are deployed in a primary/secondary relationship; devices at Site A use the Site A ACS as primary for authentication, and devices at Site B use the Site B ACS as primary for authentication.

Scenarios:

  1. If the Site A ACS fails, Site A devices will attempt to reach the Site B ACS for authentication. But if they use different AD domains, a Site A user cannot authenticate and would be denied access. Correct?
  2. If a Site B user tries to access a device at Site A, this device attempts to authenticate the user using the Site A ACS. This will fail because the Site A ACS references only the Site A AD domain?

I'm missing what advantage I get from deploying the two ACSs if they cannot use or access the users in the two domains. Maybe I'm not understanding something here. Can someone shed light on this or point me to a document that could help?

Thank you...

I second you on that; it is not very well documented. In almost every deployment, the role of the secondary server (located at another site) is to provide redundancy in case of total failure of the primary ACS server.

In your case, if you have both ACSs attached to two different domains, as in:

Site A (ACS1 - primary) - domain A

Site B (ACS2 - secondary) - domain B

We have to make sure that domain A trusts domain B and vice versa, because if the secondary server is configured for replication from the primary, that means the authorization rules will be the same on both ACSs. Having a full 2-way trust between the two domains means you can retrieve domain B groups from ACS1 and domain A groups from ACS2.

The ONLY advantage of this feature will come into play during authentication. If users from domain B show up at ACS2 for authentication, group retrieval time would be shorter, since it is a direct domain lookup instead of a lookup across the trust.

The purpose of redundancy will fail where there is no possibility of a 2-way trust. This feature is not right for those deployments.

Hope it adds a few specifics.

~ BR
Jatin kone

* Please rate useful posts *

Tags: Cisco Security

Similar Questions

  • Any ACS version with Windows Server 2008 R2 64-bit domain controllers

    Hi all

    Is there any version of ACS that currently works with Windows Server 2008 R2 domain controllers?

    Our server team recently upgraded the domain controllers to 2008 R2 and retired the 2003 servers. This did not make our ACS 4.1.4 very happy.

    I have now read several messages about problems with ACS and Server 2008 R2 and hope to find a solution (other than switching to LDAP, yuck).

    Thank you

    Pato

    ACS currently cannot be installed on a server running Windows 2008 R2.

    As an alternative, you can install ACS on a member server. Authentication using the local machine's net API against a 2008 R2 domain will work. The Remote Agent can also be installed on a 2008 R2 server if you use the appliance.

    If you install ACS on a member server instead, here is how to configure the services to authenticate properly with the domain:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/Windows/postin.html#wp1041304

    -Jesse

  • Cisco ACS 5.3 with multiple AD domains

    Hello everyone

    I have a quick question about Cisco ACS 5.3 and multi-domain authentication. How exactly is it handled?

    Can I join the ACS server to more than one domain? Or do I still need to configure a two-way trust relationship between the AD forests (even with ACS 5.3)?

    Thank you

    Markus

    Hello

    You can join ACS to only a single domain. Here's a thread that will help you identify the trust you will need to get this working.

    https://supportforums.Cisco.com/thread/2162234

    Thank you

    Tarik Admani

    Please rate useful posts

    Sent from Cisco Technical Support iPad App

  • Integration of ACS 5.2 with Windows 2000 SP4 Advanced AD

    Hello!

    I'm having a problem setting up a Cisco ACS 5.2 1121 appliance to integrate with Windows 2000 Active Directory as an external user database.

    I use an account with administrator privileges on AD (it can create computer objects).

    ACS joins the domain successfully, but it does not retrieve AD groups, even when I change the search base and filter.

    This link says that ACS supports AD on Windows 2003, 2008 and 2008 R2, but it does not say that Windows 2000 is not supported.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/device_support/sdt52.html#wp71115

    If someone can confirm whether AD 2000 is not supported, or has a solution, I will appreciate your help.

    This is not supported; when ACS tries to join the domain, it needs to know which version the domain controller is as well as the domain functional level. Please see this guide on how to troubleshoot this, for your reference; maybe you can get this to work on your own, however you will be able to benefit from support based on the information you provide.

    https://supportforums.Cisco.com/docs/doc-26787

    Tarik Admani
    * Please rate useful posts *

  • Windows 2008: I can't open Group Policy Management: "To manage Group Policy, you must log on to the computer with a domain user account."

    Hi, please advise, I can't open Group Policy Management on Windows Server 2008; it says
    "To manage Group Policy, you must log on to the computer with a domain user account."

    Hi Cucu KurniaPutra,

    Thanks for asking this question to Microsoft Community!

    The problem occurs in Windows Server 2008 networking; please post your request on the Microsoft TechNet forums to get help.

    Here is the link:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

    Hope this is useful. For any other Windows-related help, do not hesitate to contact us and we will be happy to help you.

    Kind regards!

  • How to set up multiple LIVE ID prod certificates on a single SharePoint 2010 server running several SharePoint sites with different domains on port 443?

    Hello

    I integrated LIVE ID with SharePoint 2010 and got the compliance done.

    On the SharePoint 2010 server, several SharePoint sites run on port 443 with different domain names.

    I configured one LIVE ID certificate for one of our SharePoint sites and would like to know whether I can use the same certificate for the other sites too, or whether I need to install other LIVE ID certificates to access the other sites.

    How can I get prod LIVE ID certificates? Are they available for free, as Nexus offers two certificates, INT and PROD (x.509 certificate), or do I need to buy them?

    If I need to buy them, where can I buy them?

    Hi ppdremsadm,

    Your Windows question is more complex than what is generally answered in the Microsoft Answers forums, as it is related to the configuration of Live ID in SharePoint 2010. It would be better placed in the SharePoint forums.

    Please ask your question in the SharePoint Products and Technologies forums for better assistance on this.

  • I'm trying to change the ownership of directories/files in a domain network environment (using takeown)

    I'm changing the ownership of files/directories in a domain network environment, using takeown /f \\server\share /r /a /d y. It works fine, but when I check the properties, my administrative account is actually the owner. I need Administrators to be the owner and not my administrative account. Can you please help?

    Thank you

    RG

    Hello

    Your Windows question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for Windows Server support. Please post your question at the link below: http://social.technet.microsoft.com/Forums/en/category/windowsserver

  • How to configure Outlook/Exchange e-mail to share an e-mail account with individual domain accounts

    My company has agents working at client locations. Each customer has their own e-mail. Right now the agents sign on to Windows using a shared local account with the e-mail configuration to support that particular customer. Agents rotate in and out of different customer locations. My goal is to have individual accountability, through unique domain accounts, while continuing to support the customer-specific e-mail. So my question is: how can I configure Outlook 2003/Exchange to have a common e-mail account (tied to the physical XP computer) and allow anyone who logs on to this computer with a domain account to use the shared e-mail?
    Silvio

    You should ask this question in an Outlook forum such as
    http://social.answers.Microsoft.com/forums/en-us/outlookacct/threads
    or in an Exchange forum such as
    http://social.technet.Microsoft.com/forums/en-us/exchangesvrdeploy/threads or
    http://social.technet.Microsoft.com/forums/en-us/exchangesvrgeneral/threads

    Brian Tillman [MVP-Outlook]

  • How to connect to a Windows 2003 server with a domain from a Win7 PC

    How do I connect to a Windows 2003 server with a domain from a Win7 PC?

    Hello MikeYoungblood,

    Thank you for visiting the Microsoft Answers community.

    The question you have posted is related to Windows Server and would be better suited to the MS TechNet Windows Server forum. Please visit this link to find a community that will provide the support you want.

  • The network connectivity status shows as "Local only", with the error message "There may be a problem with your domain name server (DNS) configuration" when trying to diagnose the problem.

    Original title: Sony Vaio wireless Internet connection problems

    I get a "Local only" connection and then, when I try to diagnose and repair, it says: "There may be a problem with your domain name server (DNS) configuration." It says that this problem cannot be fixed automatically and I have no idea what to do.

    How do you connect to the Internet (method/ISP)? Is this a stand-alone computer or a corporate workstation? What is the virus/malware status of the machine? Please give us more details so that we can help you.

    Help us help you:

    http://www.elephantboycomputers.com/page2.html#Tech_Support - See the article "How to Write a Post"
    http://support.microsoft.com/default.aspx/kb/555375 - How to Ask a Question

    Troubleshooting Internet connectivity

    1. Answer the first and second troubleshooting questions:

    First troubleshooting question: If the problem is new, what has changed between the time things worked and the time they did not?

    Second troubleshooting question: What is the virus/malware status of the machine? If you think it's clean, what programs (and versions) did you use to determine this?

    Make sure that the computer is clean - http://www.elephantboycomputers.com/page2.html#Removing_Malware

    Many variants of malware will set a proxy server so that you are unable to get to the Internet. Go to Control Panel > Internet Options > Connections tab > LAN Settings button. If anything is selected in the Proxy Server section, uncheck the box, then Apply/OK out.

    2. If nothing has changed and the computer is clean, what antivirus/security programs are you running? Do you have AVG 8 or Zone Alarm? Both of these programs have had updates that caused Internet connectivity problems. I don't recommend either of these programs, but if you want to keep them, check on the manufacturers' support websites.

    3. If #2 is not applicable:

    a. Unplug the router.
    b. Unplug the modem. (If you have a DOCSIS 3 modem with battery backup, press the Reset button to reset the modem so the lights go out.)
    c. Wait 60 seconds.
    d. Plug in the modem (or wait until the reboot is completed) and wait until all the lights are on.
    e. Plug in the router and wait until all lights are on.

    Do you now have an Internet connection? If not:

    4. Connect your computer directly to the cable/DSL modem. Do you now have an Internet connection? If so, there is a problem with the router. They do not last forever. Replace it.

    If there is no Internet when your computer is connected directly to the cable/DSL modem, call your ISP, because something is wrong with the cable/DSL modem or your Internet service.

    MS-MVP - Elephant Boy Computers - Don't Panic!

  • Windows 7 computers lose trust with the domain.

    Windows 7 computers lose trust with the domain. I need a real fix rather than a workaround. My Windows XP computers are fine. Do I have to update my domain controller?

    I have to remove the computers from the domain and re-add them throughout the day. I have a hospital with an increasing number of Windows 7 computers, and my technicians are wasting time doing this. Does anyone have any ideas or can help with this?
    Is there a setting on the domain controller that can be activated for this problem?

    Hi, Koldy,

    Try the solutions proposed here:

    Remote Windows 7 computer has lost the trust relationship with the domain

    http://social.technet.Microsoft.com/forums/en-us/winserverDS/thread/2d726215-4B97-4e64-9657-98dc106dffbd

    The trust relationship between this workstation and the primary domain failed - Windows 7 Enterprise joining the 2008 domain, error 5722

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/thread/8155d5ea-a5c2-4306-8d2b-be3464234460

    For more assistance, ask your question in the TechNet forum

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

  • Interoperability issue with ACS 5.0 as RADIUS for the ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging at the ASA level for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know if there is any compatibility issue with ACS 5.0 on this, because everything was working fine on my ACS version 4.2.

    Concerning

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    In the ASDM logs you'll see that the RADIUS server is not reachable.
    Debugs show a RADIUS timeout.
    This will work with TACACS+.

    The access policy rule was not hit. Also, could not use RADIUS, as it hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; used TACACS+ instead of RADIUS.

    If you want to use RADIUS, then you need to upgrade your ACS to version 5.1.

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: Upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Please rate useful posts

  • ACS 5.0 RADIUS timeout with WLC 7.0

    Hi guys,

    I'm setting up a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS queries from a Cisco WLC 5508 running version 7.0.116.0.

    • These devices have open communication on all ports - no firewall or ACL
    • They can ping each other successfully

    The following illustrates some, but not all, of the debugging I did to make sure that each device works properly in isolation.

    • Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS
      • This works and the WLC gets a response from my makeshift RADIUS server
    • Using a simple Windows EAP client to query the ACS using RADIUS
      • This works and the ACS processes the RADIUS request and sends a response
    • Placed a Wireshark client on the network to inspect the timeout
      • Wireshark captures the packet from the WLC to the ACS on port 1812 but does not see any response packet from the ACS

    At the moment I have the

    1. WLC accepting the wireless client association and
    2. sending the RADIUS query (EAP-TLS, PEAP and EAP-FAST) to the ACS,
    3. the WLC receives no answer, generates a timeout message and disassociates the client.
      1. Note this is not a reject or a similar message; the ACS simply does not even see the packet, i.e. there is absolutely nothing in the ACS logs to suggest that it even received a RADIUS packet from the WLC.

    In summary, the WLC and the ACS operate properly independently, but they do not communicate via RADIUS.

    Any help appreciated thanks

    It seems that you are using ACS 5.0 without any patches.

    For your information, the product version is now up to 5.2, and ACS 5.3 should be released soon.

    I recall there was a problem with ACS 5.0 in WLC operations that was resolved in a patch for 5.0.

    I'm not sure of the specific CDETS, but it may be:

    CSCsy17858 Any manipulation of Tunnel-Type & Tunnel-Client-Endpoint uploading incorrect

    ACS 5.0 has a rollup approach, with all patches being cumulative.

    My recommendation would be to download patch 8 for ACS 5.0: 5.0.0.21.8

    Patch can be downloaded from CEC

    To install a patch, set up a repository on ACS (cumulative patches are larger than 32 MB, so you cannot use TFTP for this), copy the patch file into the repository, and at the ACS CLI run:

    # acs patch install <patch-file> repository <repository-name>
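    The ASA thread above ("RADIUS server is DOWN") and this WLC thread come down to the same diagnostic question: did the server answer at all, or did it answer and get ignored? As an added example, not code from either poster or from Cisco, here is a small RADIUS probe in Python that builds an Access-Request per RFC 2865 (PAP User-Password hiding included) and validates the Response Authenticator of whatever comes back, so a wrong shared secret ("bad-authenticator") is distinguished from a genuine Access-Reject and from silence ("timeout", the symptom in this thread). The server address, shared secret, username and NAS IP in the block are assumptions for illustration.

```python
"""Minimal RADIUS Access-Request probe (RFC 2865). Added example; not from the thread."""
import hashlib
import os
import socket
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor_blocks(data, secret, authenticator, encrypt):
    """RFC 2865 section 5.2 User-Password hiding: c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = Request Authenticator. Decryption chains on the ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if encrypt else data[i:i + 16]
    return out


def encode_pap_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _xor_blocks(padded, secret, authenticator, encrypt=True)


def decode_pap_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, encrypt=False).rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)      # random Request Authenticator
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, attrs, secret):
    """What a genuine server sends back: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_response(packet, ident, request_authenticator, secret):
    """'accept' / 'reject' if the reply authenticates, otherwise why it does not."""
    if len(packet) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        return "malformed"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        return "bad-authenticator"   # wrong shared secret on one side, or a spoofed reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request and report what, if anything, came back.
    'timeout' is the WLC symptom: the request left, nothing returned."""
    ident = os.urandom(1)[0]
    auth = os.urandom(16)
    request = build_access_request(ident, username, password, secret, nas_ip, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(reply, ident, auth, secret)


if __name__ == "__main__":
    # Assumed lab values: replace with the ACS address, the shared secret defined
    # for this NAS on the ACS, a test user, and the source IP the ACS expects.
    print(probe("192.0.2.10", b"SharedSecret", b"testuser", b"Passw0rd", "192.0.2.1"))
```

    Run it from the same subnet as the WLC with the WLC's source address as the NAS IP; a "timeout" while Wireshark shows the request leaving points at the ACS (unpatched code, the NAS not defined, or the packet dropped before the RADIUS process), whereas "bad-authenticator" means the ACS answered but the shared secrets differ.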

  • Cannot log on to the Active Directory domain because the local policy of this system does not allow you to log on interactively.

    Cannot log on to the Active Directory domain because the local policy of this system does not allow you to log on interactively.

    You will need to create a new post on the TechNet forum for assistance with domain-related issues:
    http://social.technet.Microsoft.com/forums/en/category/w7itpro/

  • AD login with the iPad in an inter-domain (Global Forest) setup

    Hello

    I have a problem with the iPad logging on with AD authentication through VCS. We have a forest with multiple domains. We can log in with Movi without problems. We can log in with Jabber for iPad without problem.

    But if we create a special group with a Global Group in a specific domain, you must log in with Movi as user domain\username plus password, and registration works very well. But if we try with the iPad as user domain\username and password, the iPad cannot register. I think Jabber for iPad has a problem with the domain\username string and password. Could the problem be with the Jabber client software, or a bug? If I change my AD group to a native group without the domain\user, the login on the iPad works great, but for the Global AD I need the domain\user.

    THX

    Feedback needed, please

    Hello. Looks like you may be hitting:

    CSCub38436

    The fix is going into 9.3, and hopefully its release is targeting some time in April. I hope this helps.

    VR

    Patrick
