ACS integration with Microsoft Active Directory Services

Hi all

I was responsible for developing the integration of ACS with MS AD. What I want to know is below, assuming I have a software ACS or an ACS device and the authentication protocol is RADIUS:

-What are the criteria for the AD to integrate with the ACS device or software?

-Should that AD be hosted on the domain controller or not?

-Otherwise, on what (DC, tree, forest, branch, flower, fruit) must the AD be hosted?

-What should I do to authenticate users logging into Cisco ACS Security Manager integrated with AD?

-Are there other dependencies that I'll have to speak categorically in my description?

Thank you

Rishi

First of all, I love the flower/fruit one, keep it up.

If ACS is for Windows, it can be installed on the domain controller or a member server. For detailed information about the post-installation tasks required for full integration, please see the following link, which contains the fancy things you are looking for:

http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/Windows/postin.html#wp1041202

If ACS is the Solution Engine, then you need a piece of software called the remote agent to be installed either on the domain controller or on a member server. Also check the following link for more details on how to integrate it with AD:

http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/Rawi.html

I hope this was informative for you.

-----------------------------------------------------------------------------

Please ensure good answers to rate

Tags: Cisco Security

Similar Questions

  • Integration of EBS 11i with Microsoft Active Directory

    Hi all

    Please suggest how I can integrate EBS 11i with Microsoft Active Directory (LDAP), since we have registered SSO.

    Thank you.

    Please see these documents.

    Integration of Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On [ID 261914.1]
    Installation of Oracle Application Server 10g with Oracle E-Business Suite Release 11i [ID 233436.1]
    Oracle Application Server with Oracle E-Business Suite Release 11i FAQ [ID 186981.1]
    Oracle Application Server 10g with Oracle E-Business Suite Release 11i troubleshooting [ID 295606.1]

    Thank you
    Hussein

  • Using Oracle with Microsoft Active Directory database

    Hello
    Because of too many nodes, we have in our company communicate each other (using the old files tnsnames.ora), we are now in the time to find a central location to store our net service names.
    I know that we can use for this OID to store the names of Service Net, but my question is it possible to use Microsoft AD, because our infrastructure using Microsoft AD as a central point.
    I have read the documentation oracle Oracle® Database Platform Guide (Chapter 12 Using Oracle Database with Microsoft Active Directory), but the problem is what happens if my database is not on the Windows operating system (such as Unix/Linux, we have number of it).
    I also read the document Oracle® Database Net Services Administrator's Guide (Chapter 3 Configuration Management Concepts) where you will find statement on the end of the chapter:
    Oracle supports Microsoft Active Directory only on Windows operating systems. Therefore, the client computers and the database server must also run on the Windows operating systems to access or create entries in Microsoft Active Directory.

    From this text, it looks like that my only option in this different environment with multiple operating systems is the OID (I wish it isn't true).

    Thank you

    Dragan,

    Sorry for the late reply. It is clearly mentioned in the white paper that OID is a must if you want to use MS AD, because an 'Oracle white paper' means 'documentation', refined and very authenticated.

    Please mark the information as useful/correct and close the thread.

    Regards
    Girish Sharma

  • Replication of ACS and integration with the Active directory database

    Hi all

    I have to configure two ACS SE with internal database replication. I also have an Active Directory server that must integrate with ACS. My doubt is whether I need to configure the IP addresses of both ACS during installation of the remote agent on Active Directory, or only the primary ACS?

    No need to give the IP of two ACS. Give the primary IP of ACS.

    Kind regards

    ~ JG

    Note the useful messages

  • Content question Pack Microsoft Active Directory

    So I installed the pack content for Microsoft Active Directory, and it works well for what it was designed for.

    Would it not be possible to add another item for file integrity monitoring? It is a requirement for PCI compliance and would be a great addition to this content pack dashboard!

    Thought I would ask here before requesting a feature, to see if it could possibly just be added on the fly ;-)

    OK, the Windows content pack has been updated to include the auditing of objects! Please take a look and reply back with any feedback. If this answers your question, could you please mark it as answered? Thanks for the comments!

  • Active Directory Service disabled

    Hello

    I just installed Windows Server 2012. After you have added the DNS and Active Directory functions/roles on the server, I noticed that the Active Directory service is not running, but it is disabled. When I try to start the service, I get the error - The Active Directory Domain Services service on Local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.

    Any ideas what could cause this?

    Hello

    To improve assistance regarding this issue, it would be better to post in the Microsoft TechNet forum.

    https://social.technet.Microsoft.com/forums/en-us/home

    Thank you

    Legaede

  • authentication Microsoft Active Directory iDRAC 7

    Hello

    I installed Microsoft Active Directory on iDRAC 7 with some very basic options (no certificate, no Single Sign-On, no Kerberos Keytab, the Standard schema). Everything works fine.

    The problem is that we have 2 forests with full trust configured between them and iDRAC is not able to authenticate the users of both of them.

    Basically, we have the single domain on 1 security group and pair the users of these two forests (forest 1 and forest 2). If I add domain controller (DC) IPs for the two forests, authentication fails on the first domain controller if the user is from a different domain (the check does not reach the second DC IP to verify the user). The error I get:

    ERROR: failed to bind: Invalid credentials, 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0: [email protected] host = 192.168.0.1.

    [email protected] - 1 user
    192.168.0.1 - forest 2 DC IP

    Does iDRAC support AD authentication for users from a couple of separate forests?

    Thank you

    iDRAC does not support Active Directory authentication for the domain of the unique forest.

  • Cannot access creative cloud bookstores after switching to Microsoft Active Directory

    Recently the IT Department moved the entire company's computers over to Microsoft Active Directory. After the computers in the design team were moved too, we could no longer access the Creative Cloud library or download anything from Creative Market.

    The Panel for the library displays a cloud with a x and this message: ' something went wrong initialization of the cloud creative libraries ' with a link to "More information" leading to this error page - Adobe - error page

    Very annoying. I really need access to libraries for my work.

    If anyone else has experienced this problem and has a solution for this? Is this a known issue? I searched and have not been able to find something that helped.

    Using windows 7

    Please check the steps mentioned in: need help with this message: 'something went wrong initialization library of creative cloud'

  • Oracle Forms and Microsoft Active Directory

    Application server = 10.1.2.2.0
    Database server = 10.2.0.3.0

    We have a connection to a database (for example abcd/abcd@abcd). The login is in the formsweb.cfg file.

    Users click a URL that opens the first form (10g), where they must enter their username and password. The "When-new-form-Instance" trigger will use the data entered to check the username and password is correct on a users Table. It will also recover the level of security for members of the staff.

    If authentication fails, a message in a form and they can not go further.

    If authentication is successful then the first form of the system is displayed. The level of security is used to decide what forms/States are available for this user and the data that is displayed. The user ID is used throughout the system to save the changes made by the user.

    We went to Microsoft Active Directory and I have a requirement to allow a user to simply click on a link and the application opens with the data and access. I also need the user ID in the application.

    Is it possible to either from the Microsoft Active Directory for the Oracle Forms user ID or is there a way to recover it from in Oracle Forms.

    Thanks in advance
    Michael

    I seem to remember that we did in an installation of web Forms6i a few years ago.

    We used the ON-LOGON trigger to invoke the DBMS_LDAP package to interact with the Microsoft Active Directory server.

    There are several ways to do it now with SSO also.

    Tony

  • Can OBIEE on UNIX OS - we use LDAP using Microsoft Active Directory for UNIX OS?

    We are looking at options to run OBIEE 11 g on a UNIX server.

    Can we use authentication using Microsoft Active Directory LDAP for authentication OBIEE?

    Short answer: Yes.

    Longer answer: Yes you can. Operating system has no influence on that. All you need is the ability to connect to LDAP, and it's pure networking.

  • Passwords enable ISE device Administration (ACS) integrating with Active Directory

    I'm working on a standalone application ISE and running into a problem where the password to enable for a device is not shoot properly.  I have the original connection related AD and I policy conditions/results/sets all as they should be working.  My test run is a 2960 S.  I tried to set up ' group aaa authentication enable default Activate ', but the only way I could do a login enabled with which was if the user has configured locally in ISE identity management > identity > users.  Is there something that I missed that tie will enable passwords for a group active directory as I work for the initial logon?

    I see just one mistake, with your aaa authentication enable command. You must specify the TACACS+ group.

    Right now, I don't have access to my lab with ISE.

    Here's my config for switches used with ACS.

    aaa authentication login TACACS-SRV group tacacs+ local
    aaa authentication login Console local
    aaa authentication dot1x default group radius
    aaa authorization exec TACACS-SRV group tacacs+ local
    aaa authorization commands 15 TACACS-SRV group tacacs+ local
    aaa authorization network default group radius
    aaa accounting exec TACACS-SRV start-stop group tacacs+
    aaa accounting commands 15 TACACS-SRV start-stop group tacacs+

    If you give me the full output, maybe we can understand why your TACACS ISE does not work with the AD. I see no reason except a misconfiguration or another issue.

    Just to go to the mode, you need more aaa authentication command activate by default enable. This activation mode is pushed to the user if he gets the privilege 15. Your problem should be on the profile or politics. With the approval journal, we can see whether or not ISE pushes politics and why?

  • Microsoft Active Directory Web Services - 2008 R2 edition

    Hello

    I'm updating the information for the employee on Active Directory (which is on the 2008 R2 version). My research on ADWS, I realized that there are some available in the version 2008 R2 of ADWS web services that are accessible to the public. But I have not any clear documentation confirm us. We try to access any account management Web service via http or soap

    net.tcp://:9389/ActiveDirectoryWebServices/Windows/AccountManagement

    via a browser after you connect to the host via the VPN network. But it does not work. What I feel is that this service must be hosted on a Web like IIS server for it to be accessible to the public via the Internet.  Like this instead of net.tcp

    http://:9389/ActiveDirectoryWebServices/Windows/AccountManagement

    But the client side, host of this service indicates that it is hosted on IIS. Could someone please guide me if something is missing here?

    Thanks a bunch!

    SN06

    Hi SN06.

    The question you have posted is related to Windows Server 2008 R2, this is why I suggest you to contact the TechNet forums for help.

    It may be useful

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles


    Hello

    I'm deploying an ACS connected to an RSA AuthManager (that is connected to an Active Directory domain)

    I create several groups within the Active Directory server, I try to give to users for their groups different access rights.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: refuse

    In the identity, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But access is still refused: RSA authentication is successful, but the Active Directory group membership does not work, even with the unix attributes or primary group defined for the user.

    My question: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group from an external source?

    The monitoring steps:

    Steps

    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - NetOp/NetAdm
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store - RSA server
    24500 Authenticating user against the RSA SecurID Server.
    24501 A session is established with the RSA SecurID Server.
    24506 Check operation code succeeded
    24505 User authentication has succeeded.
    24553 User record has been cached
    24502 Session with RSA SecurID Server is closed
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24628 User cache not enabled in the RADIUS token identity store configuration.
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    15006 Matched Default Rule
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - DenyAccess
    15039 Selected Authorization Profile is DenyAccess
    11003 Returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA as the selection in the "Authentication and Attribute Retrieval Search List" and AD in the "Additional Attribute Retrieval Search List". Then select this sequence as the result of the identity policy for the service.

  • ACS 5.1 using Active Directory to manage the strategy of network device Admin

    Hi guys, we have configured an ACS 5.1 and integrated with active directory Win2K3, we created two AD groups to manage devices network for administrators and one for operators (read-only), so we have configured a device admin strategy and the two groups work very well, but now we are facing a little problem any user that exists in the AD can connect (user exec mode) network devices and we want to cancel the connection with politics, but we do not know how.

    Is there a way to get a user authenticated against an ACS internal or external group, but at the user level, just as you can do in ACS 4.X?

    Thanks for your help!

    Best regards

    Oscar

    Yes, you can change that; it's the default shell profile. You must create a new one with privilege level "not in use" and select the new shell profile (no Directors or Operators) under Default Device Admin > authorization profile > edit and make changes.

    I hope this helps.

  • By integrating wireless deployment Active Directory User Group

    I'm discovering best practices in deploying a WLAN for users in the environment to cooperate, who uses their company active directory integrated mobile to join the WLAN.

    I know that this can be done easily using certificates, but I just want to find a way to deploy without certificates and only based on the users AD Group. Maybe a Radius Server + integration solution LDAP server would be great.

    Please advise. Thank you.

    See you soon

    Lal Antony

    www.lalantony.com

    The best way to deploy is with a Microsoft Toolbox; it has everything you need included: manuals and scripts to install and configure components on the server side, and it is very easy to use. You can get it here:

    http://www.Microsoft.com/downloads/en/details.aspx?FamilyId=60c5d0a1-9820-480e-AA38-63485eca8b9b&displaylang=en

    It is based on Win2003 Server, but I was advised by MS that it should be OK on Win2008.
