ACS 5.8: Using AD vs LDAP

Hello world

I'm migrating from 4.2 and I'm interested to know what the benefits are of joining the domain rather than simply performing LDAP queries against a search base.

(1) Is this mainly an issue for RADIUS authentication and not for TACACS+, and if so, is it of any use for a TACACS+-only deployment?

(2) Is there a significant performance difference, and if so, which is better?

(3) Are there any pitfalls to joining the domain rather than using LDAP?

Thanks for your thoughts!

Hi,

Performance-wise there is no difference as such; which database to use depends on the type of authentication. A protocol like MSCHAP is not supported by an LDAP store, so for wireless authentication using PEAP, AD will work.

Here is the protocol compatibility table:

http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

Kind regards

~ JG

Please rate helpful posts

Tags: Cisco Security

Similar Questions

  • Is it possible to use both external LDAP and external table authentication?

    Hi, is it possible to use both external LDAP and external table authentication?

    Both would need an initialization block that accesses the session system variable USER?

    Thank you

    Hello
    I don't think it's possible to implement LDAP and external table authentication together. The reasons are:
    1. We cannot define two sources (LDAP and external DB) in the same initialization block for user information.
    2. If two different initialization blocks are used (one for LDAP and one for the external DB), we cannot use the variable USER twice as it is a predefined system variable.

    Thank you
    Swami

  • ACS 5.3: use LDAP for one SSID and use internal hosts for a different SSID

    I have 2 SSIDs on my WLCs.

    I would like one SSID to point to the ACS RADIUS using the LDAP store and the second SSID to point to the ACS RADIUS using the internal hosts identity store for MAC filtering.

    Both scenarios work, but not at the same time.

    Depending on the rule order I can get one SSID working, but then the other fails.

    Authentication failed:

    22056 Subject not found in the applicable identity store(s).

    Service Selection Matched Rule:
    Rule-1
    Identity Policy Matched Rule:
    Rule-1
    Selected Identity Stores:
    RBLDAP
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store -
    24031 Sending request to primary LDAP server
    24017 Looking up host in LDAP Server - 04-xx-xx-xx-xx-xx
    24009 Host not found in LDAP Server
    22056 Subject not found in the applicable identity store(s).
    22058 The advanced option that is configured for an unknown user is used.
    22061 The 'Reject' advanced option is configured in case of a failed authentication request.
    11003 Returned RADIUS Access-Reject

    If I move the MAC address rule before the LDAP rule, the LDAP authentication fails instead:

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - MAC filter network access service
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store - Internal Hosts
    24209 Looking up host in internal hosts IDStore - 04-xx-xx-xx-xx-xx
    24211 Found host in internal hosts IDStore
    22037 Authentication Passed

    I tried setting up the following without success.

    It seems to me there should be a simple way to do this. I thought that if a rule did not match it would move on to the next rule, etc.

    I could live with checking LDAP first and, if that fails, falling through to the local host DB, but that doesn't seem to work either.

    https://supportforums.Cisco.com/thread/2133704

    You can create an identity store sequence so that if the endpoint is not present in the LDAP database, it then checks the internal hosts database.

    Or you can create a condition in your service selection rule such as: if Called-Station-ID ends with (ssidA), match the rule that points to the access service using LDAP; another rule, when Called-Station-ID ends with (ssidB), matches the rule that points to the access service using the internal hosts database.

    Here is the section on configuring the identity store sequence; don't forget to select 'continue if user not found'.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_sys...

    Thank you

    Sent from Cisco Technical Support iPad App

  • ACS 4.2 RSA Authentication and LDAP group mapping

    Hello

    I have a Palo Alto firewall with the GlobalProtect (SSL VPN) feature enabled.

    I use Cisco Secure ACS as a proxy for the RSA SecurID authentication.

    After authentication it tries to map AD groups through an LDAP query.

    The issue I've found is that the user I get from user authentication has no domain:

    show user ip-user-mapping all | match mbm60380

    10.240.1.24 vsys1 UIA 2388 2388 domain\mbm60380

    10.240.1.1 vsys1 UIA 2101 2101 domain\mbm60380

    10.240.250.1 vsys2 GP 2590859 2590859 mbm60380

    But the list of users that I receive from the LDAP query includes the domain prefix:

    show user group name domain\group1

    short name: domain\group1

    [1] domain\aag60368

    [2] domain\ced61081

    [3] domain\jas61669

    [4] domain\mbm60380

    [5] domain\pmc61693

    [6] domain\vcm60984

    I would like to create the user with the domain in ACS, but it must strip the domain before querying the RSA server, as that does not support domain stripping.

    I tried to fix this on the Palo Alto firewall without success.

    I tried making the change on Cisco Secure ACS 4.2, but that did not work either:

    The RSA servers are configured as an external database. They are not defined in the network device groups.

    Can I set up domain stripping for queries to the RSA servers?

    Thank you

    Hello

    I think it should work, but it is a bit awkward:

    Create an entry in the Proxy Distribution Table under Network Configuration:

    DOMAIN\USER*

    Prefix

    Forward to the AAA server, and from there authenticate to the RSA server without the domain prefix.

    Make sense?

    Thank you

    Chris

  • VPN authentication with ACS 5.8 using AD and an external OTP server

    Hello

    Is it possible to authenticate a user using Active Directory, the internal database and an OTP server for the password?

    What I want to achieve is:

    - If the VPN user belongs to a specific group of our AD... search for the user in this group and, if the user exists, apply the OTP password from an external server (ActivIdentity)

    - If the user belongs to the internal ACS group, authenticate internally.

    So far, I've only been able to authenticate users with the external (ActivIdentity) server, but the AD search is not performed.

    Thank you.

    Yes!

    Go to Access Policies > Default Network Access > Identity > select the radio button "Rule based result selection". Here you can use more than one identity store based on the conditions you have.

    This should help. -Jousset

  • MAC filter via ACS for SSID using WPA2 PSK

    I have an SSID using WPA2/PSK for L2 security. I would like to add MAC filtering via an external RADIUS server. I just finished configuring MAC filtering via external RADIUS, but it does not work. Is PSK supported with external MAC filtering? I am running the latest 6.x on the controller.

    I came across this problem on a 5508 controller running 6.0.something (6.0.182 I think). It turned out to be a bug (CSCta53985) fixed in 6.0.188. I upgraded to 6.0.188 and successfully used ACS 5.1 for MAC filtering with a WPA2 PSK SSID.

    See the 6.0.188 release notes: http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn6_0_188.html#wp605409

  • ACS: how to use adinfo

    Hello

    I need to see which domain controllers the ACS communicates with. I tried:

    XXXACS02/admin# acs troubleshoot adinfo --server
    This command is for advanced troubleshooting only and could generate a lot of network traffic

    Do you want to continue? (yes/no) yes
    server1.domain.no

    server1.domain.no is a server located at another site, so I don't think it's the main server the ACS is talking to. Are there other commands that would show this?

    The location of the server wouldn't matter if we use the default ACS and AD configurations. Unless something has changed, ACS uses DNS to resolve all available domain controllers. You can use the following command to list all the domain controllers that ACS is aware of:

    acs troubleshoot adinfo --test

    Then you can use this command to see which one ACS is currently connected to:

    admin# acs troubleshoot adinfo -a

    This command will also show you the "Preferred Site" output. You can use this field in your AD environment to control which domain controllers ACS uses. For more information, see this link:

    http://blog.priveonlabs.com/sec_blog.php?title=ACS-V5-should-be-able-to-query-only-desired-domain-controllers-Active-Directory-DNS-workaround&more=1&c=1&TB=1&pb=1

    This link also references a bug (CSCte92062) that provides some related ACS configs you can use to restrict which domain controllers ACS uses.

    I hope this helps!

    Please rate helpful posts!

  • ACS appliance: using multiple interfaces

    Is it possible for me to use both interfaces available on the 1113 box? I want to connect these two interfaces to two separate network segments. I didn't find anything specific in the console except the fixed IP, which would only be a single-interface config.

    Thank you

    You can use only one.

    Your Cisco 1113 system has two integrated 10/100/1000 megabits-per-second (Mbps) Ethernet connectors. ACS SE supports the operation of one Ethernet connector, but not both.

    For more, check here:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/solution_engine/ovrvuap.html#wp1054065

  • ACS 5.1 using Active Directory to manage the network device admin policy

    Hi guys, we have configured an ACS 5.1 and integrated it with Active Directory on Win2K3. We created two AD groups to manage network devices, one for administrators and one for operators (read-only), and configured a device admin policy; the two groups work very well. But now we are facing a small problem: any user that exists in AD can log in (user exec mode) to network devices, and we want to deny the login by policy, but we don't know how.

    Is there a way to authenticate a user against an ACS internal or external group, but at the user level, as you could do in ACS 4.x?

    Thanks for your help!

    Best regards

    Oscar

    Yes, you can change that; it's the default shell profile. You must create a new one with privilege level "not in use" and select the new shell profile (for users who are neither Administrators nor Operators) under Default Device Admin > Authorization profile > edit, and make the changes.

    I hope this helps.

  • AnyConnect client certificate authentication and verifying the client's domain membership against Microsoft AD using DAP via LDAP

    Hello

    As described in the title, I want to connect with AnyConnect Secure Mobility Client 3.0.2052 to an ASA 5540 version 8.4 with a Premium SSL licence.

    Clients use a machine certificate to authenticate to the ASA. That works very well.

    Now I want to set up a DAP to check the client against Microsoft AD using LDAP. I have configured the LDAP server on the ASA as follows:

    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host ldap.com
     ldap-base-dn DC=x,DC=x,DC=x,DC=com
     ldap-scope subtree
     ldap-login-password *
     ldap-login-dn *
     server-type microsoft

    I see that it works if I test via the server test button in ASDM, and I also see it in the CLI with "debug ldap 255". But if I configure in the DAP: AAA attribute ID: memberOf = Membre_domaine, I can't see any request to the LDAP server when I try to connect with the client, and it does not match the DAP.

    Any idea where the problem lies?

    Thanks in advance

    Hi Klaus,

    DAP will not make any LDAP call itself; it will only act based on the LDAP attributes received via LDAP authentication or authorization.

    So you will need to enable LDAP authorization in the tunnel-group (connection profile).

    Once you have, you can use either DAP or an LDAP attribute map to accept/deny access; see the example of these two methods.

    HTH

    Herbert

  • How to extract the users email address if you use AD as LDAP

    The LDAP used in my environment is Active Directory.

    I want to send e-mail messages to multiple users, but I do not know how to retrieve the email address for each Active Directory user name.

    Help, please.

    Hello.

    I got it working... sharing the code.

    import oracle.security.idm.IMException;
    import oracle.security.idm.Identity;
    import oracle.security.idm.IdentityStore;
    import oracle.security.idm.SearchParameters;
    import oracle.security.idm.SearchResponse;
    import oracle.security.idm.SimpleSearchFilter;
    import oracle.security.idm.UserProfile;
    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.idstore.IdentityStoreService;

    private String getIndividualUserEmail(String userId) {
        String emailAddress = "";
        try {
            // Get the identity store configured for this JPS context (AD over LDAP here)
            JpsContextFactory ctxf = JpsContextFactory.getContextFactory();
            JpsContext ctx = ctxf.getContext();
            IdentityStoreService storeService =
                ctx.getServiceInstance(IdentityStoreService.class);
            IdentityStore idStore = storeService.getIdmStore();

            // Exact match on the user name, restricted to user entries only
            SimpleSearchFilter simpleFilter =
                idStore.getSimpleSearchFilter(UserProfile.USER_NAME,
                                              SimpleSearchFilter.TYPE_EQUAL,
                                              userId);
            SearchParameters params =
                new SearchParameters(simpleFilter, SearchParameters.SEARCH_USERS_ONLY);
            SearchResponse sr = idStore.searchProfiles(params);
            System.out.println(sr.getResultCount());

            while (sr.hasNext()) {
                Identity id = sr.next();
                UserProfile profile = (UserProfile) id;
                emailAddress = profile.getBusinessEmail();
                System.out.println("Email:-" + profile.getBusinessEmail());
            }
        } catch (JpsException e) {
            System.out.println("getIndividualUserEmail: JpsException occurred");
        } catch (IMException e) {
            System.out.println("getIndividualUserEmail: IMException occurred");
        }
        return emailAddress;
    }

    Thank you

  • SQL Developer 4.0 ai2 - cannot use OpenLDAP with LDAP connect option

    Hello


    I have an OpenLDAP installation set up so that my Oracle clients can use it for TNS connections, instead of having tnsnames.ora files with connection strings scattered across hundreds of servers.

    It works very well with 10g / 11g full and instant clients, no problem.

    Now I am trying to configure SQL Developer 4.0 ai2 to work with it as well.

    When I try to do so, I am able to select the 'LDAP' option in 'Connection Type', and the "LDAP server" drop-down list is correctly populated with my LDAP server from ldap.ora.

    However, when I select it, I get the following error:

    Status: Failed - [LDAP: error code 32 - No Such Object]

    Now, I did some digging and tailed the slapd.log file, which shows me the following:

    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 ACCEPT from IP=192.168.125.1:63781 (IP=0.0.0.0:389)
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 BIND dn="" method=128
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 RESULT tag=97 err=0 text=
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=orclContext)"
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=2 UNBIND
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 closed

    That is a bit more detail, but it reflects the corresponding error code (32 - No Such Object).

    After doing some tests with ldapsearch, I was able to reproduce exactly what SQL Developer is doing and get the same exact error.

    The ldapsearch command is:

    ldapsearch -h einstein -p 389 -c -x -D "" -b "" "(objectClass=orclContext)"

    Looking in the slapd.log file, I find an error similar to what SQL Developer produces.

    In addition, the query SQL Developer wants can be run successfully with the following ldapsearch:

    ldapsearch -h einstein -p 389 -c -x -D "" -b "dc=proquest,dc=com" "(objectClass=orclContext)"

    Thus, it seems the problem is that SQL Developer does not provide a search base.

    I'm not an LDAP expert, and I really don't know where to turn next.

    Is there a SQL Developer option that lets me set this search base? Is there a setting I'm missing in the LDAP server configuration?

    Thank you

    -Mark

    Well, that didn't take long.  I managed to find a solution to the problem.

    It boils down to the fact that SQL Developer does not provide a search base, and my LDAP server had no default search base defined.

    When I edited slapd.conf (the OpenLDAP configuration file), added a "defaultsearchbase" parameter and bounced LDAP, everything started working.

    I now have a working OpenLDAP and SQL Developer configuration.

    I'll mark this discussion as closed.

    -Mark

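    An added example, not from the thread above: a small Python parser for slapd's conn/op log lines that picks out searches sent with an empty base DN and answered with noSuchObject (error 32), which is what the excerpt above shows SQL Developer doing before defaultsearchbase was set. The log lines below are constructed to match that excerpt, with a second, working connection added for contrast.

```python
import re
from collections import defaultdict

LDAP_NO_SUCH_OBJECT = 32  # err=32 in slapd's RESULT lines

# One slapd op line: "... conn=N op=M VERB [key=value ...]". VERB is one or more
# upper-case words (BIND, SRCH, RESULT, SEARCH RESULT, UNBIND). ACCEPT/closed lines
# carry fd= instead of op= and are connection-level, so they are skipped.
OP_RE = re.compile(r"conn=(\d+) op=(\d+) ([A-Z]+(?: [A-Z]+)*)(?: (.*))?$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')

# Constructed sample, modelled on the slapd.log excerpt in the thread: conn=1034 is
# the SQL Developer-style search with an empty base; conn=1035 is the working one.
SAMPLE_LOG = """\
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 ACCEPT from IP=192.168.125.1:63781 (IP=0.0.0.0:389)
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 BIND dn="" method=128
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 RESULT tag=97 err=0 text=
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=orclContext)"
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=2 UNBIND
Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 closed
Sep 18 02:44:10 einstein slapd[2779]: conn=1035 fd=17 ACCEPT from IP=192.168.125.7:50211 (IP=0.0.0.0:389)
Sep 18 02:44:10 einstein slapd[2779]: conn=1035 op=0 BIND dn="" method=128
Sep 18 02:44:10 einstein slapd[2779]: conn=1035 op=0 RESULT tag=97 err=0 text=
Sep 18 02:44:10 einstein slapd[2779]: conn=1035 op=1 SRCH base="dc=proquest,dc=com" scope=2 deref=0 filter="(objectClass=orclContext)"
Sep 18 02:44:10 einstein slapd[2779]: conn=1035 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""


def parse_kv(rest):
    """Turn 'dn="" method=128' into {'dn': '', 'method': '128'}; quoted values stay whole."""
    out = {}
    for m in KV_RE.finditer(rest or ""):
        key, raw, quoted = m.groups()
        out[key] = quoted if quoted is not None else raw
    return out


def parse_slapd_log(text):
    """Group op lines by (conn, op): the request line supplies the verb and its
    fields, the RESULT / SEARCH RESULT line supplies err and nentries."""
    ops = defaultdict(dict)
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        rec = ops[(int(conn), int(op))]
        fields = parse_kv(rest)
        if verb.endswith("RESULT"):
            rec["err"] = int(fields.get("err", -1))
            if "nentries" in fields:
                rec["nentries"] = int(fields["nentries"])
        else:
            rec["verb"] = verb
            rec.update(fields)
    return dict(ops)


def empty_base_failures(text):
    """Searches sent with base="" that ended in noSuchObject (32): the signature of
    a client relying on the server's defaultsearchbase instead of sending its own."""
    return [
        {"conn": conn, "op": op, "scope": rec.get("scope"), "filter": rec.get("filter")}
        for (conn, op), rec in sorted(parse_slapd_log(text).items())
        if rec.get("verb") == "SRCH"
        and rec.get("base") == ""
        and rec.get("err") == LDAP_NO_SUCH_OBJECT
    ]


if __name__ == "__main__":
    for hit in empty_base_failures(SAMPLE_LOG):
        print("empty-base search returned noSuchObject:", hit)
```
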
  • ACS 5.2 assignment of authorization with nested groups in LDAP

    I have a Cisco Secure ACS 5.2 on a virtual machine. We use it for TACACS+ administrative access to our Cisco equipment. I use LDAP to authenticate against Active Directory. It currently works when a user is directly in the group that is assigned. I am changing the way we assign group permissions and have created nested groups.

    For example:

    - User1 is a member of group1

    - group1 is a member of group2.

    I have mapped group2 to have access to my devices. However, User1 does not get mapped to the right group and access is denied.

    When I go to Monitoring & Reports and the TACACS+ authentication details, under Other Attributes where it shows the external groups the user is a member of, I don't see group2, only group1.

    However, when User1 is a member of group2 directly, the user is able to log on.

    Does ACS 5.2 not support this? How can I use nested groups?

    Mapping of nested groups is not supported with LDAP (because a user's memberOf attribute only contains the groups directly above them, not the nested ones). This is the default behaviour when we use nested groups with LDAP. You must add the subgroups to ACS and the respective authorization rules for both.

    Kind regards

    Jousset

    Rate helpful posts

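    An added example, not from the thread above: a Python model of why the direct memberOf values ACS 5.2 reads over LDAP never include group2, next to a transitive walk of the group chain and the Active Directory-specific LDAP_MATCHING_RULE_IN_CHAIN filter that lets the domain controller resolve nesting server-side. The directory contents and DNs are constructed; the in-chain filter only works against AD, not plain OpenLDAP.

```python
from collections import deque

# Constructed sample directory (not taken from the thread): each DN maps to the
# values of its memberOf attribute, i.e. only the groups it is a DIRECT member of.
# group1 and group2 also contain each other so the walk must survive a cycle.
MEMBER_OF = {
    "CN=User1,OU=Users,DC=example,DC=com": ["CN=group1,OU=Groups,DC=example,DC=com"],
    "CN=User2,OU=Users,DC=example,DC=com": ["CN=group2,OU=Groups,DC=example,DC=com"],
    "CN=group1,OU=Groups,DC=example,DC=com": ["CN=group2,OU=Groups,DC=example,DC=com"],
    "CN=group2,OU=Groups,DC=example,DC=com": ["CN=group1,OU=Groups,DC=example,DC=com"],
}
USER1 = "CN=User1,OU=Users,DC=example,DC=com"
GROUP2 = "CN=group2,OU=Groups,DC=example,DC=com"


def direct_groups(dn, directory=MEMBER_OF):
    """What ACS 5.2 evaluates over LDAP: the memberOf values on the entry itself."""
    return set(directory.get(dn, []))


def transitive_groups(dn, directory=MEMBER_OF):
    """Follow memberOf from group to group (breadth-first) to get the nested
    membership the thread expected; the seen set terminates cycles."""
    seen, queue = set(), deque(directory.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return seen


def authorized(dn, required_group, nested=False, directory=MEMBER_OF):
    """Authorization rule 'member of required_group', with or without nesting."""
    groups = (transitive_groups if nested else direct_groups)(dn, directory)
    return required_group in groups


def escape_filter_value(value):
    """RFC 4515 escaping, so a DN containing ( ) * or a backslash cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def in_chain_filter(group_dn):
    """Active Directory only: the LDAP_MATCHING_RULE_IN_CHAIN rule
    (OID 1.2.840.113556.1.4.1941) makes the DC resolve the nesting server-side."""
    return "(memberOf:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(group_dn)


if __name__ == "__main__":
    print("direct    :", sorted(direct_groups(USER1)))
    print("transitive:", sorted(transitive_groups(USER1)))
    print("User1 in group2, direct only:", authorized(USER1, GROUP2))
    print("User1 in group2, nested     :", authorized(USER1, GROUP2, nested=True))
    print(in_chain_filter(GROUP2))
```
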
  • Unable to authenticate user to ACS 5.1 with LDAP as external identity store

    Hi, I have an ACS server and OpenLDAP running on my corporate network.
    Now I'm setting up a new Linksys WAP54G and selecting WPA2-Enterprise with ACS as the RADIUS server.
    First things first, I created a new internal user in ACS and tried to join the wireless network from my computer. That worked...

    Then I moved on to an external identity (LDAP server). I set up the LDAP configuration and the identity sequence, and also selected the access service. But when I tried to authenticate from my computer, an error occurred. I received
    the following error: 22056 Subject not found in the applicable identity store(s)

    Curious about this, I set up a Cisco 1841 router as an AAA client, and surprise... it works!
    So, is there a problem authenticating the Windows platform to ACS (pointing to LDAP)?
    Any suggestion?
    Thank you

    Hello

    Looks like you don't have MSCHAP authentication enabled on the LDAP server. You can use EAP-GTC instead, but you need to:

    1. Enable EAP-GTC under allowed protocols in your ACS access policy

    2. Install an EAP-GTC "supplicant" on the Windows box; if you have an Intel wireless card, the Intel PROSet client supports EAP-GTC

    This could mean a fair bit of work depending on the number/type of wireless clients you have; it could be worth looking at enabling MSCHAP authentication on the LDAP server.

    HTH

    Andy

  • ACS 5.1 - AD vs LDAP authentication

    Any help on this would be great.

    I can manage to get my account logged in to a Cisco switch with Active Directory configured in the external identity stores, but not with my LDAP setup. Here are some logs of a successful login and the unsuccessful log with LDAP.

    AD-SETUP

    Selected identity store - AD1
    Current identity store does not support the authentication method; skipping it.
    TACACS+ will use the global TACACS+ password configuration.
    Returned TACACS+ Authentication Response
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Identity Policy was evaluated before; identity sequence continues
    Authenticating user against Active Directory
    Retrieving Active Directory user groups succeeded
    Active Directory user authentication succeeded
    After authentication
    Access policy
    Access service:
    Default Device Admin
    Identity store:
    CDs
    Selected shell profile:
    Privilege mode
    Active Directory domain:
    Blah.com/results.htm
    Group membership:
    Service Selection Matched Rule:
    Rule-2
    Identity Policy Matched Rule:
    Default
    Selected identity stores:
    CDs
    Application identity stores:
    Selected application identity stores:
    Group Mapping Policy Matched Rule:
    Authorization Policy Matched Rule:
    Rule-1

    The only problem with this configuration is that I can only add the domain, e.g. blah.com/results.htm, and I get massive latency since the authentication process goes interstate to another domain controller instead of the local controllers.

    I can tell from the AAA status on the dashboard that the latency is about 8000ms, and logging on to the switch is slow.

    LDAP-SETUP

    In my LDAP configuration I have a primary and a secondary host name closer to home to avoid latency. I do a bind test that returns successfully on both hosts. I configure my Directory Organization tab and do a test configuration that returns > 100 subjects and > 100 groups.

    I have reset my identity stores to LDAP instead of AD and tried again, but for some reason I get the 22056 subject not found error! I just can't get that to work. Here are the details:

    Matched rule
    Selected Access Service - Default Device Admin
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store -
    Current identity store does not support the authentication method; skipping it.
    TACACS+ will use the global TACACS+ password configuration.
    Returned TACACS+ Authentication Response
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Identity Policy was evaluated before; identity sequence continues
    Sending request to primary LDAP server
    Authenticating user against LDAP server
    User search ended with an error
    Primary server failover. Switching to secondary server
    Sending request to secondary LDAP server
    Authenticating user against LDAP server
    User not found in LDAP server
    Subject not found in the applicable identity store(s).
    The advanced option that is configured for an unknown user is used.
    The 'Reject' advanced option is configured in case of a failed authentication request.
    Returned TACACS+ Authentication Response

    Any ideas I can try so that it can find my account the way the AD setup did? Ideas please?

    Cheers

    Hi Ed,

    Try using a standard LDAP browser (www.ldapbrowser.com) to view the LDAP structure. Verify that the base DN used for searches matches the structure.

    Regards,
    ~JG

    Do rate helpful posts
