ACS authentication with Active Directory based on ad groups

Hello

I'm trying to integrate Cisco ACS 5.4.0.46 with AD and I connected successfully GBA to AD and I used as a successful AD authentication for network devices but my problem now is that anyone with an AD account can connect to network devices that compromises security. I created a group in AD that I would use and I added the group under users and identity stores > external identity stores > Active Directory > groups directory. I also chose source of identity for Default Device Admin as AD1 and under the authorization, an authorization policy that uses a compound condition that uses AD1 and the custom group. However after you have set all that I am still able to connect to the switch with a user not in the custom group. Based on what I have explained to you can someone tell me if Miss me a step?

Thank you

Derek Velez

Thanks for the update and the fence wire. Set default default rules to deny access when user legimitate if does not match a rule set by the administration of the CSA he should get denied access. In your case, it has been updated a permit so that both type of users access (members and non-members of ad groups).

The best way to resolve these issues is to look at the monitoring and troubleshooting > attempt user > magnifying glass. You will see how this user has been allowed access.

~ BR
Jatin kone

* Does the rate of useful messages *.

Tags: Cisco Security

Version of Cisco ACS 5.1.0.44.3 integrate with active directory Microsoft windows 2012 R2 server?

Unfortunately, it does not support R2 2012

5.1 ACS supports all editions of:

Windows Active Directory (AD) 2000

Windows AD 2003

Windows AD 2003 R2

Windows AD 2008

Source

Windows AD 2012 R2 is supported after ACS 5.5 patch 1 and following.

Source

Please find below the steps to go from 5.1 to 5.5 hotfix 1:

STEP	FILE	COMMAND
Apply the 5.1 patch 6	5-1-0-44 - 6.tar.gpg	ACS patch install repository 5-1-0-44 - 6.tar.gpg ftp_repository_name
Apply 5.3	ACS_5.3.0.40.tar.gz	application upgrade ACS_5.3.0.40.tar.gz ftp_repository_name
Apply the patch 5.3 8	5-3-0-40 - 8.tar.gpg	ACS patch install repository 5-3-0-40 - 8.tar.gpg ftp_repository_name
Apply the sharp Patch	Pointed-PreUpgrade-CSCum04132-5-3-0-40.tar.gpg	ACS patch installs Pointed-PreUpgrade -CSCum04132- 5-3-0 - 40.tar.gpg repository ftp_repository_name
Apply 5.5	ACS_5.5.0.46.tar.gz	application upgrade ACS_5.5.0.46.tar.gz ftp_repository_name
Apply the patch 5.5 1	5-5-0-46 - 1.tar.gpg	ACS patch install repository 5-5-0-46 - 1.tar.gpg ftp_repository_name

Best regards ~ jousset

Is it possible to implement an entitled server that authenticates with active directory?

We are holders of business accounts, and we are trying to establish the right for our customers. Does anyone know if there is a way to put up an entitled server that authenticates with ActiveDirectory?

Portico of MEI supports authentication to Active Directory through LDAP or SAML interface. Feel free to reach out if you want to learn more.

Brett

bkizner (at) maned.com

OEDQ integration with Active Directory - disable SSL

Hi mates,
I just installed OEDQ (latest version) on a Unix machine (deployed on WebLogic Server 10.3.6) but I have a few concerns:
- SSL communications -> is mandatory? I mean, I tried to expose dndirector via a Server Web Apache OHS admin page. I am able to access the page from admin in raw mode, but every time I try to access a specific feature (dashboard, user management, server configuration, etc.) I am redirected to https://< web-server-hostname >: < wls-server-ssl-port > / dndirector, if this is not what I expect. What's wrong? Moreover, if SSL is required, is there a way to expose the console via apache (avoiding any redirect)?
- OEDQ with Active Directory -> documentation- OEDQ integration with Active Directory - covers just Single Sign-on configuration (on the two Windows/Unix os). What about a simple configuration pointing to an external ldap? The documentation States the following statement:
It is also possible to configure OEDQ to work with servers of different directory for authentication of users and the identification of the user. For more information on the alternative configurations, "see"contact us" "
So, how can I achieve this?
Pointers?
Thanks in advance,
Marco

Marco

Here is an example configuration that can be used to integrate with AD. Create a folder called Security in your Disqualification configuration directory, and save the file in this folder as login.properties. There are a few supporinting of documentation online this process in aid of the Disqualification.

Here is the file, I'll add a few notes below:
```
realms                        = internal, adgss                           = false

ad.realm                      = EXAMPLE.COMad.auth                       = ldapad.auth.bindmethod            = digest-md5ad.auth.binddn                = search: sAMAccountNamead.ldap.server                = dc.example.comad.ldap.auth                  = simplead.ldap.user                  = [email protected]                    = testad.ldap.profile               = adsldapad.ldap.prof.defaultusergroup = testgroupad.ldap.prof.useprimarygroup  = false
```
The kingdoms line indicates that the 'internal' (Disqualification internal users such as dnadmin) Kingdom and the Kingdom of AD should be used. Once you are satisfied with the integration of ads you can remove the internal domain and use AD exclusively. The domain property sets the name of the field AD - here I used EXAMPLE.COM.

The server property sets the DNS name of the AD server. If omitted, it is looked up in the DNS.

The lines of the user and pw are used to connect to AD Disqualification.

The defaultusergroup line is the name of a LDAP group that contains all users who will use the Disqualification. The default value for this is domain users that contains usually much too many users.

Once it is setup and working, you can go to Setup user Disqualification and see a link to external groups that attach ad with Disqualification groups groups to assign permissions to users.

I hope this helps.

Richard

BI Publisher with Active Directory - slow connection

Hello, I was wondering if anyone had to set up BI Publisher with Active directory. We are on 11.1.1.1.7 OBIEE - integrated with Active Directory. It takes about 40-50 seconds to connect on:
http://bnrbidevapp1.es.gwu.edu:9704 / xmlpserver

We have a different BEEP workigng insanance, they are also connected to the same ad and the connection is instant. What I can adjust? Checked memory and RAM on the system, doubled the RAM, so its double the system that has instant access. What else can I check? Thank you!

This followed and it is resolved:

http://www.peakindicators.com/files/document/33/Oracle%20bi%2011g%20-%20active%20directory%20authentication.PDF

Integration with Active Directory OraHome92?

Let me first say that I have absolutely zero knowledge of all Oracle products, I don't know if I'm posting in the right forum, but I'm here, if I need to ask another forum please let me know.
Question:
We are Microsoft System administrators. We have a client that is running a very old application to the database on a Windows 2003 server. Currently they use a new database (Oracle, not), but the oracle database must accessible for research in history.
The application works very well.
We plan to migrate the domain existing (Active Directory) to a couple of servers R2 2012.
The 2003 with oracle server is also a domain controller, and we do not want in our field of 2012R2 2003 domain controllers.
Our question is can demote us this domain controller and Orahome92 will work after the demotion?
Server 2003 is not the FSMO, the FSMO is a Windows Server 2008.
In other words, how Orahome92 integrates with Active Directory? Or isn't there any Active Directory integration and may us just demote the server and leave it to run as a member of the domain server?
Maybe you need more information about oracle, all I can say that the following services are running:
OracleMTSRecoveryService
OracleOraHome92TNListener
OracleServiceORCL
Oracle installed, but NOT running services:
OracleOraHome92Agent
OracleOraHome92ClientCache
OracleOraHome92HTTPServer
OracleOraHome92PAgingServer
OracleOraHome92SNMPPeerEncapsulator
OracleOraHome92SNMPPeerMasterAgent

I hope sombody can give treatment of this or point us in the right direction.

I would not be protected by an export created like this. It is not a full export, is an export of the only pattern and you may need more than that if it is necessary to rebuild the database. In addition, it is not a coherent export which may make it unnecessary. I was running export something like this:

exp.exe System/sys@oracle_w3 complete file=d:\directory\\file.dmp = compliance = y

You may think it's all pretty awkward. The problem is that it is generally considered bad practice to install Oracle on a domain controller, unless you install as a member of the domain administrators group. I guess just like you do not have that, you can be able to downgrade the machine without affecting the database. But I don't really know, Windows security is a mystery to me.

Autenticateing Oracle with Active Directory database
I installed Oracle database 11.2.0.3.0 on Windows 2008 Server R2 64 bit. The company uses Microsoft Active Directory and I need to set up access to the Oracle database for users that are stored in Active Directory. Do I need another product in addition to the database to do? If so, what version of the product would need?
To bind the user to Oracle database for users that are stored in Active Directory, and you must create the Oracle schema objects and an Oracle context.

You can see the chapter on "Requirements for using Oracle with Active Directory database"
http://docs.Oracle.com/CD/B28359_01/win.111/b32010/active_dir.htm#CDECHCBC

Robo 9 plays nice with Active DIrectory?

Hello, just try to make a business case for RoboHelp 9 and 9 RoboServer and trying to find any info on how it integrates with Active Directory. Can use info in AD to manage localized content or require a maintenance of a separate user database to control access to the help output?
Thank you

This has been answered on the forum HATT.

http://groups.Yahoo.com/group/Hatt/message/78026

Also consider using dynamic centred on the user content if you want different users to see different areas of assistance.

See www.grainge.org for creating tips and RoboHelp

@petergrainge

View the authentication information active directory with PowerCLI

How can I get a list of all the hosts that don't use active directory for authentication local environment using powerCLI?

Try like this

Get-VMHost | Get-VMHostAuthentication |

where {$_.} Area - eq $null} |

Select @{N = "Name"; E={$_. VMHost.Name}}

ACS in the Active Directory environment

Salvation of the forumers

Ask,

question 1. in the typical active directory environment and make wireless/wired authentication of 802. 1 x on the endpoints, GBA should join as a domain computer?

question 2. for the endpoint of the domain (domain computer) join, in this case is that endpoint will approve (also computer domain) GBA?

question 3. What happens if there is a GPO policy to install the certificate rootCA to endpoints. In this case, the ACS should deliver CSR and let the domain CA signed the certificate of identity? Am I wrong?

Thank you

Noel

Noel

Answers

question 1. in the typical active directory environment and make wireless/wired authentication of 802. 1 x on the endpoints, GBA should join as a domain computer?

Yes, since most of the protocols used by the endpoints is peap (eap-mschapv2) this is the only way to get this working, as ldap does not support this Protocol. If you are using eap - tls, you can choose to use AD as an LDAP store.

question 2. for the endpoint of the domain (domain computer) join, in this case is that endpoint will approve (also computer domain) GBA?

Once the authentication is successful (assuming that the authentication of users) the machine will have free access to the junction to the field network, if authentication workhorse of the workstation must be reached already before being put to the dot1x network. The workstation approves only GBA with the certificate for authentication, there no other information and does not know if she is part of the domain.

question 3. What happens if there is a GPO policy to install the certificate rootCA to endpoints. In this case, the ACS should deliver CSR and let the domain CA signed the certificate of identity? Am I wrong?

Group Policy to the endpoints for the CA root should not be a problem, but it would be better to have your sign of CA root REA ACS, if that's what you're asking. You must also enable a GPO to validate the server certificate (but I've not done this before, but I don't know that there is on which root CA trust).

Thank you

Tarik Admani

ACS 5.3 - Active Directory - limiter/DCs use to auth

Hi all

I have a Cisco ACS server deployed for GANYMEDE and RADIUS authentication for end-users.

Everything works fine, it is joined to the domain, most of the time people can auth. However, it seems that the ACS is trying to auth against * ANY * DC in my field.

DNS.findsrv FindSrvFromDns runs and draws from each domain controller to use. Not all of them are accessible or not fo all of them have the same structure of the user.

Is there a way to specify or limit/control which domain controllers are queried?

Hello

Unfortunately at this point there is no way to control which DC should be questioned by the AEC. The ACS will retrieve all the available DC on your AD domain name and contact one of them.

An enhancement request is already listed and developers are working to include the feature on future versions. Here is the information:

http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062

ACS should be able to query only the desired domain controllers

Symptom:
Currently in 5.0 and 5.1, the ACS queries the DNS with the field, in order to get a list of all the domain controllers in the domain and then try to communicate with each other. If the connection to even one domain controller fails, the connection of the CSA to the field is declared as failed. Many clients ask about this behavior change.
It should be possible to define which domain controllers to contact and/or make GBA to interpret the DNS resource records registered by the domain controller Active Directory to facilitate the location of domain controllers. Active Directory uses the service locator, or SRV, records. A SRV record is a new record described in RFC 2782 DNS type and is used to identify the services located on a network of Transmission Control Protocol/Internet Protocol (TCP/IP). Conditionsof :
Domain with multiple domain controllers were some are not accessible from the security constraints given ACS / geographical. Workaround:
Make sure that all domain controllers are upward and accessible of the ACS.

Hope that clarifies it.

Kind regards.

Authentication on Active Directory of Cisco IOS

SCENARIO:

2 cisco Secure ACS are configured to authenticate the connection of the user in Active Directory.

RADIUS servers configured in IOS

radius-server host 10.30.18.24

radius-server host 10.30.18.25

PROBLEM:

When the primary server 10.30.18.24 Ganymede could not validate logon user, we have been disconnected from the router. Then I tried to change the order of the RADIUS servers in the router config that is

radius-server host 10.30.18.25

radius-server host 10.30.18.24

and have gave us access. Can someone explain why 10.30.18.25 did not during the validation of the user in the first place?

Concerning

Simon

Hi Simon,.

Then the reason for this is, there are certain conditions that must be met before the unit tries to contact the second server in the config file.

If you turn on,

Debug aaa authentication

you will get then 3 types of responses.

-PASS

-FAIL

-ERROR

Don't GO-> needs no explanation

FAIL-> authentication server was available but the server has rejected the request of the user for some reason any.

ERROR-> there is no response from the authentication server. No doubt its not accessible.

ERROR is the only requirement when he will try to contact the following server defined in your configuration.

So it's may be the likely reason why he never went pour.25.25 finished second et.24 was first, because que.24 was always accessible and returned FAIL for user authentication.

Kind regards

Prem

Client pix VPN how to authenticate with Active Directory

Hi all, I've just set up my first Client VPN on a Cisco PIX. Everything works very well so that hitting the correct subnet and logon. However, I would like to see how I can get my connection of remote users with there active directory accounts. Right now I use the local connection for the pix for testing purposes. Sounds easy, but I'm missing something

We use:

Cisco Pix 515E version 6.3 (3)

Thank you

Dan

Unfortunately the PIX 6.3.3 version does not support Active Directory authentication. V6.3.3 PIX only supports authentication to the server database, radius, and Ganymede local PIX.

If you want to authenticate to active directory, it is support for PIX v7.x go.

Here are the different types of authentication support for PIX v7.x leave for your reference:

http://www.Cisco.com/en/us/docs/security/ASA/asa70/configuration/guide/AAA.html

Hope that answers your question.

ACS authentication with Active Directory based on ad groups

Similar Questions

Version of Cisco ACS 5.1.0.44.3 integrate with active directory Microsoft windows 2012 R2 server?

Maybe you are looking for