ACS SE - Windows AD domains

Can I use ACS network device groups to have one ACS device act as the 802.1X authenticator for two Windows domains for a single switch?

I hope the question makes sense, but to put a little more meat on the issue:

I have a single ACS device that I am trying to use for 802.1X authentication on a switch. The problem is that I want VLAN assignment to be handled by the ACS server depending on the domain the user's account belongs to, but we have two domains without trust between them. The ACS remote agent should not be installed on servers in different domains, and the two agents available are for resilience only, so that does not fit this unfortunately.

That's why I ended up looking at several network device groups.

Does anyone have ideas on whether this will work, or if there is another way to make this work?

Hello

ACS cannot 'natively' authenticate against 2 different domains that do not have a defined relationship. If that is not possible, then you must set up 2 ACS servers, one in each domain. Configure the 'primary' ACS to proxy queries to the 'secondary' server based on the domain supplied.

This would require a second ACS server to be set up (you will probably pay an additional fee for the second ACS server). You would then need to configure a proxy distribution table. This would require the user to explicitly indicate the domain name with their user name.

Kind regards

~ JG

Please rate useful posts.
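As an added illustration of the reply above (this is example code written for this page, not from the thread or from Cisco): a toy model of how a proxy distribution table routes a request by the domain qualifier the user typed with their name. Each entry matches a character string as a prefix or suffix, optionally strips it, and names the ACS server that owns that domain; a bare user name carries no routing information and falls to the default entry, which is why users must supply the domain explicitly. The server names, domains and entries are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyEntry:
    match: str        # character string to match, e.g. "CORP\\" or "@corp.example"
    position: str     # "prefix" or "suffix"
    strip: bool       # remove the matched string before forwarding?
    forward_to: str   # ACS server joined to the domain that owns the user


# Constructed table: one ACS server joined to each of two untrusted domains.
TABLE = [
    ProxyEntry("CORP\\", "prefix", True, "acs-corp"),
    ProxyEntry("@corp.example", "suffix", True, "acs-corp"),
    ProxyEntry("PARTNER\\", "prefix", True, "acs-partner"),
    ProxyEntry("@partner.example", "suffix", True, "acs-partner"),
]
DEFAULT_SERVER = "acs-corp"   # the "(Default)" entry: handled by the local ACS


def route(username: str, table=TABLE, default=DEFAULT_SERVER):
    """Return (server, username_as_forwarded).

    Matching is case-insensitive, the first matching entry wins, and a name
    without any domain qualifier falls through to the default server, which
    cannot know about accounts in the other domain."""
    lowered = username.lower()
    for entry in table:
        needle = entry.match.lower()
        if entry.position == "prefix" and lowered.startswith(needle):
            forwarded = username[len(needle):] if entry.strip else username
            return entry.forward_to, forwarded
        if entry.position == "suffix" and lowered.endswith(needle):
            forwarded = username[:-len(needle)] if entry.strip else username
            return entry.forward_to, forwarded
    return default, username


if __name__ == "__main__":
    for name in ("CORP\\alice", "bob@partner.example", "carol"):
        print(name, "->", route(name))
```

The VLAN assignment the question asks about would then come back from whichever server actually authenticated the user, so the group-to-VLAN mapping has to exist on both servers.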

Tags: Cisco Security

Similar Questions

  • ACS 3.0 Windows, VPN, remote access and external databases

    I'm trying to implement a VPN solution, and most of it is working very well.

    We have a VPN concentrator, which authenticates against CSACS, which in turn offloads authentication to a Windows domain. The unknown user policy allows new users to be created dynamically.

    The VPN uses the Cisco VPN client. The concentrator is visible on the internet, and that bit works fine.

    A bit more difficult, but we are also trying to set up dial-up access through a phone company for users who do not have their own internet access.

    I have problems getting this to authenticate against the Windows domain.

    If I manually create a user and add a CHAP password, this user can authenticate OK. If I manually add a CHAP password to an existing user, that user can authenticate.

    If the user does not exist I get "CS user unknown"; if I did not add a password manually but the user exists, I get "CS CHAP password invalid", so it seems that the problem is something interrupting this authentication against the domain, but I don't see why.

    The telephone company's RADIUS server is configured in my network as a AAA client and is configured almost the same as the VPN concentrators (the difference is that the VPN concentrator is configured as 'RADIUS (Cisco VPN 3000)' and the radius server as 'RADIUS (IETF)').

    Any thoughts?

    You cannot use CHAP to authenticate against a Windows domain; the way CHAP requires the password to be stored is incompatible with Windows passwords. You need to configure each dial-up user's Dial-Up Networking connection to use MSCHAP or PAP.
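The reply above explains the CHAP limitation in one sentence; the following added example (written for this page, not code from the thread or from Cisco) shows both sides of a CHAP exchange and why the verifier needs the cleartext secret. CHAP (RFC 1994) has the server recompute MD5(Identifier || secret || challenge); a store that keeps only a one-way hash of the password cannot rebuild that value, while PAP (password sent as-is) and the MS-CHAP family (response derived from the Windows password hash) can still be checked. SHA-256 is used here as a stand-in for a one-way Windows-style hash, and the sample users are constructed.

```python
import hashlib
import os

# Constructed sample users (not from the thread).
USERS = [("alice", "s3cret-dialup"), ("bob", "hunter2")]


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(Identifier || secret || challenge).
    Client and verifying server must compute exactly this value, so the
    server must hold the secret itself, not a one-way hash of it."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class CleartextStore:
    """Store that keeps the secret in recoverable form, as a CHAP-capable
    RADIUS server (or the ACS internal user database) must."""

    def __init__(self, users):
        self.secrets = dict(users)

    def verify_chap(self, user, ident, challenge, response):
        secret = self.secrets.get(user)
        if secret is None:
            return False  # unknown user
        return chap_response(ident, secret, challenge) == response


class OneWayHashStore:
    """Store that keeps only a one-way hash of each password (SHA-256 as a
    stand-in for a Windows-style hash). The cleartext secret is not
    recoverable, so the CHAP value can never be rebuilt on the server."""

    def __init__(self, users):
        self.hashes = {u: hashlib.sha256(p.encode()).digest() for u, p in users}

    def verify_chap(self, user, ident, challenge, response):
        raise NotImplementedError("CHAP needs the cleartext secret; only a hash is stored")

    def verify_pap(self, user, password):
        # PAP delivers the password itself, so the server can hash and compare.
        stored = self.hashes.get(user)
        return stored is not None and stored == hashlib.sha256(password.encode()).digest()


def dialup_chap_exchange(store, user, secret, ident=7, challenge=None):
    """Both sides of one CHAP exchange. Returns True/False for a verdict, or
    None when the store cannot evaluate CHAP at all, which is the situation
    the reply describes for a Windows domain backend."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(ident, secret, challenge)           # client side
    try:
        return store.verify_chap(user, ident, challenge, response)  # server side
    except NotImplementedError:
        return None


if __name__ == "__main__":
    print(dialup_chap_exchange(CleartextStore(USERS), "alice", "s3cret-dialup"))
    print(dialup_chap_exchange(OneWayHashStore(USERS), "alice", "s3cret-dialup"))
```

This is also why the poster's manually created users with a CHAP password worked: entering a CHAP password in ACS stores it in the reversible form the protocol requires, which the domain lookup cannot provide.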

  • Cisco Secure ACS 4.2 Windows authentication of different domain

    Hello

    I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain, and users of that domain belonging to a certain group are authenticated.

    Now I have to change the server's configuration and move it to another domain. There is no trust relationship between the two domains, and I would like to know if users can still be authenticated against the previous domain.

    Hello

    First of all, take a backup (as a precaution, so you can restore the config if something goes wrong), then continue with the following:

    -Remove the Windows domain configuration (group mapping, etc.) from the server before changing the domain.

    -Change the domain membership, then restart.

    -Follow the post-domain-change tasks for ACS (see this link): http://tiny.cc/zr6huw.

    -Configure the external database again on ACS (group mapping, unknown user policy, etc.).

    You should note that if the new domain controller is Windows Server 2008 R2, that is not supported by ACS 4.x.

    HTH

    Amjad

    Rating useful answers is a better way to say "thank you".

  • Authenticate users in the other domain Windows

    Hello

    I'm trying to authenticate users in a different Windows domain. The correct version of the Remote Agent is installed on the domain controller. An Enterprise Admin account 'runs' the service.

    I discovered that group nesting is not working in version 3.3.3. Is this correct?

    I also have a universal and a domain local group. In this group, I put some users from the trusted domain.

    Authentication will not work; error on ACS: external DB account restriction.

    I also tried to do a group mapping directly in the trusted domain. When I click on 'Add Group Mapping', this is the error: "unable to enumerate windows... groups."

    How can I fix these problems?

    Thank you

    Remco

    Hi Remco

    Looking at the release notes under known issues for Cisco Secure ACS for Windows Server 3.3:

    CSCei01730

    EAP-TLS authentication to the trusted domain controller fails

    Authentication succeeds only when the client uses EAP-TLS to authenticate to the domain controller that is connected directly to ACS; but when the user is in the trusted domain (only in the trusted domain) that is linked to the first domain controller, the authentication fails and the failed attempts message is: 'External DB account Restriction'.

    The same message is produced whether domain stripping is enabled in the Windows external database settings or not.

    CSCee13658

    Failed attempts report is not clear enough

    When user validation fails for any reason (external server is down, wrong SSL certificate, or key mismatch with the NAS), the failed attempts CSV report indicates that the authentication failure code is "External DB account restriction" or "CS password invalid".

    Workaround: this issue is cosmetic. No workaround.

    Cordially, MJ

  • Cisco Secure ACS 5.3: allowing foreign domain accounts on the local ACS domain server

    Hi all,

    My company has recently acquired another company.

    Each company has its own domain and controllers.

    The problem:

    Executives of the absorbed company sometimes come to the main site for meetings using their own laptops, configured for their own domain. This caused wireless authentication problems with Windows 7 machines.

    When connecting, the domain account forces sending the password, the domain user name and the foreign domain.

    The need:
    We need to somehow add the foreign domain as an authentication source on the local ACS so that authentication attempts through our wireless controllers are allowed.

    Please advise on how this could be achieved.

    Hello Steve,

    Concerning the behavior you experience with ACS when authenticating users against the foreign domain: it is completely expected, and you will only be able to authenticate by entering the user name and domain name.

    The only option to join the ACS to a foreign domain is an LDAP configuration; in this way you will be able to join the ACS directly to that domain. However, there are several limitations on the supported protocols when you use LDAP, as you can see from the following link, so you will want to check whether it would be available as an option for you or not depending on the protocol that you use (which I suppose is PEAP/MSCHAPv2, as you mentioned that users will type the identifying information, so it does not work for you):

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    Excerpt from the link:

    Table B-4: Non-EAP authentication protocol and user database compatibility

    Identity store         | PAP/ASCII | MSCHAPv1/MSCHAPv2 | CHAP
    -----------------------+-----------+-------------------+-----
    ACS                    | Yes       | Yes               | Yes
    Windows AD             | Yes       | Yes               | No
    LDAP                   | Yes       | No                | No
    RSA identity store     | Yes       | No                | No
    RADIUS identity store  | Yes       | No                | No

    Table B-5 specifies the EAP authentication protocol support.

    Table B-5: EAP authentication protocol and user database compatibility

    Identity store         | EAP-MD5 | EAP-TLS | PEAP-TLS | PEAP-EAP-MSCHAPv2 | EAP-FAST-MSCHAPv2 | PEAP-GTC | EAP-FAST-GTC
    -----------------------+---------+---------+----------+-------------------+-------------------+----------+-------------
    ACS                    | Yes     | Yes (3) | Yes      | Yes               | Yes               | Yes      | Yes
    Windows AD             | No      | Yes     | Yes      | Yes               | Yes               | Yes      | Yes
    LDAP                   | No      | Yes     | Yes      | No                | No                | Yes      | Yes
    RSA identity store     | No      | No      | No       | No                | No                | Yes      | Yes
    RADIUS identity store  | No      | No      | No       | No                | No                | Yes      | Yes

    (3) Footnote as in the source table; its text is not reproduced in the excerpt.

    Note: Please mark it as answered as appropriate.

  • Cannot log on to a computer in the domain when it is removed from the domain - Windows 7 Pro, just stopped working

    We have a Dell laptop with encryption, used by the principal of our school at work and at home. At the office, it connects to the network via Ethernet. Yesterday, when he returned home, he received a message that it could not connect to an approved server.  His credentials have been cached in the past and still allowed him to log on with the same user name and password.

    Now, when the laptop is not connected to the network, I can't log on to the laptop as a domain administrator, he cannot log on with his account, and the local administrator account cannot log on (localadmin\laptopname).  When I tried to add a new local user by using User Accounts in Control Panel, I get a message that the domain is not available.  This domain is the name of the computer.  Manage users --> Add --> domain accounts --> go --> locations: the only option is Entire Directory (my domain). Actually, this is all I see on my work computer too. When did this change? I've added local users in the

    The rest of Windows seems to work.

    Biometrics does not work for one of our accounts, but it has in the past.

    I might add a local account for him to use only, with the following commands. At least this allows him to use the laptop at home, but it creates a new profile for him, so he will not have access to the files saved under his domain account profile.

    net user USERNAME PASSWORD /add
    net localgroup administrators USERNAME /add
    

    AFAIK what has changed is that he had just installed updates before returning home, and when he arrived home, things no longer worked.

    Hello

    Please contact the Microsoft community.

    I suggest you post your request in the TechNet forums to get the problem resolved.

    Please visit the link below to post your query in the TechNet forums:

    https://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

    Hope this information is useful. Please write back to us if you need more help; we will be happy to help you.

  • WLC / ACS / AD - domain and non-domain laptops (802.1X / PEAP)

    Hi all

    I am implementing a solution based on 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is to have two WiFi SSIDs: one that can be used by domain users on domain laptops, the other that can be used by domain users on personal laptops. Domain laptops will have full connectivity, but personal laptops will be restricted.

    I created the two SSIDs using 802.1X via ACS / Remote Agent and can authenticate and connect OK.

    I thought I should have user auth and machine auth for domain laptops, but just user auth for personal laptops.

    I have unauthenticated machines go to one ACS group or get blocked, but I need to allow them in if they are on the restricted SSID. I can't quite understand how to have two SSIDs authenticating with the same ACS / AD, one 'green' and the other restricted.

    I'm on the right track?

    Anyone done this before or have any bright ideas?

    Cheers,

    John

    With SSID-based WLAN access, users can be authenticated based on the SSID they use to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:

    1. EAP authentication

    2. Network Access Restrictions (NARs) on Cisco Secure ACS based on the resulting SSID

    For the design and configuration, the following URL can help you:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
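To make the two-stage decision in the reply above concrete, here is an added example (written for this page, not code from the thread or from Cisco). Stage 1 is the EAP result; stage 2 applies a per-group NAR keyed on the SSID. The SSID is read from the RADIUS Called-Station-Id attribute (the DNIS field an ACS NAR can match on), which Cisco WLCs send as "<AP-MAC>:<SSID>"; that format is assumed here, and the group names, SSIDs and requests are constructed.

```python
# Constructed policy: which SSIDs each ACS group is allowed to use.
NAR_BY_GROUP = {
    "domain-laptops":   {"CorpFull"},        # user + machine auth succeeded
    "personal-laptops": {"CorpRestricted"},  # user auth only
}


def ssid_from_called_station_id(value: str) -> str:
    """Return the SSID part of a WLC-style Called-Station-Id
    ("aa-bb-cc-dd-ee-ff:SSID"); empty string if no SSID is present."""
    _mac, sep, ssid = value.partition(":")
    return ssid if sep else ""


def authorize(eap_ok: bool, group: str, called_station_id: str):
    """Two-stage decision: EAP must succeed, then the NAR for the user's
    group must permit the SSID the request arrived on.
    Returns (accept, reason)."""
    if not eap_ok:
        return False, "EAP authentication failed"
    ssid = ssid_from_called_station_id(called_station_id)
    allowed = NAR_BY_GROUP.get(group, set())   # unknown group: nothing allowed
    if ssid not in allowed:
        return False, f"NAR: group {group!r} may not use SSID {ssid!r}"
    return True, f"accepted on {ssid}"


if __name__ == "__main__":
    # Constructed requests: a domain laptop on each SSID, a personal laptop on each.
    for group in NAR_BY_GROUP:
        for csid in ("00-11-22-33-44-55:CorpFull", "00-11-22-33-44-55:CorpRestricted"):
            print(group, csid, "->", authorize(True, group, csid))
```

Keeping the SSID check in a NAR rather than in the EAP stage means the same AD credentials work on both SSIDs and only the network-access outcome differs, which matches the design the poster is after.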

  • ACS 4.2 running on Windows 2008 Server 32-bit?

    I have an old ACS 4.2 running on an old Windows Server 2003.  I am retiring the Windows Server 2003 for security reasons.  I know that 4.2 is no longer supported.  Unfortunately, I don't have time now to migrate from 4.2 to 5.x, and the 4.2 documentation states that it cannot run on any 64-bit OS.

    Does someone know whether ACS 4.2 will run on the 32-bit version of Windows Server 2008?

    The installation guide states that 2008 Standard Edition is supported.

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    Thank you

  • Windows 7 domain logon

    Hello
    I installed Windows 7 on my organization's PCs, whose domain controller is a Windows 2003 server. My observation is that whenever a user attempts to log on, the machine hangs for about a minute and then turns to a black screen with a cursor. If the user unplugs the network cable, he or she is able to log on without any problems. I tried renaming the profile and observed that he or she can then log on without any problems, but now with a temporary profile. Another observation is that if a user logs on with an administrator profile name and password, the problem does not appear.
    Please help me figure out why this happens and how to solve the problem, and also why the problem is selective to users without administrator privileges.
    Thanks to you all

    Please post your request here:

    http://social.technet.Microsoft.com/forums/en-us/w7itproinstall/threads

  • Configuring the ACS server on windows server

    Hello

    I started preparing for my CCNA Security and tried to configure AAA using ACS 4.2 on Windows Server 2003.

    I have configured the router to use AAA authentication with the ACS server, following the CBT Nuggets lab.

    I checked reachability of the ACS server from the client router and vice versa, and also the configuration.

    The problem is that I'm not able to authenticate using the ACS server; the router uses local authentication and I have no idea why the router does not communicate with the ACS server.

    Help PLZ.

    My router's AAA configuration:

    ===============================================

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login exact group tacacs+ local
    aaa authorization exec default local

    tacacs-server host 192.168.1.25 single-connection key ciscoacs   --> (192.168.1.25 is the ACS; the key configured on the ACS server is also ciscoacs)

    line vty 0 4
     login authentication exact

    ================================================

    I created a user on the ACS server, and I believe that when I'm trying to telnet to the router I should use the user name and password configured on the ACS server.

    When I try to use it, authentication fails. Also, if the router accepts the locally configured user details, then I think there was no communication between the router and the ACS server; otherwise the TACACS+ ACS server would be used for authentication, and only if there is no communication between the router and the ACS server should it fall back to the local user.

    Please help me.

    Reports and Activity --> Passed Authentications

    Reports and Activity --> Failed Attempts

    Rating useful answers is a better way to say "thank you".

  • Windows file sharing - a lot of bandwidth is consumed on ports 137, 138, 445 - Windows Server 2008 domain

    Hello

    I have observed this for a few months now on my Windows Server 2008 domain (all my clients are Windows 7) and it drives me crazy.  The #1 bandwidth consumer on my wireless nodes is 'Windows file sharing' on ports 137, 138, and 445.  I tried to throttle the bandwidth on these ports for all of my wireless users using the wireless controller, but then the users complained that even a small file of 100 MB would take hours to download.  If Windows 7 is too talkative, should I go back to Windows XP?

    What is the solution to my problem? I need my users to be able to upload files and at the same time be fair with my bandwidth, which carries all the work of my nodes and servers, without actually hard-wiring. Help please.

    Note: some days, at logon, "Windows file sharing" takes about 10 GB of bandwidth, and sometimes 5 GB.

    Hello

    The question you posted would be better suited to the TechNet Forums. I would recommend posting your query in the TechNet Forums. You can follow this link to post your question:
    http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

    Hope this information helps.

  • Join / unjoin domain question - Windows 8

    I recently performed a clean installation of Windows 8 without problem. I tried to join a domain. Everything seemed to work as expected, and I even got the standard Windows information dialog indicating that I was welcomed to the domain and had to restart. After the reboot, I am unable to log on to the domain, and I get a message indicating that the trust relationship is broken. Unfortunately, I can't use my local admin account either... the system is telling me that no matter what I try to do requires elevated privileges, which I am unable to get, due to the fact that the workstation has not correctly joined the domain. In addition, on the domain controller, I cannot find a computer account for this system. Is there an easy way to separate this "not entirely joined" PC from the domain and return it to a "stand alone" state so I can try to join again? Thanx.

    Hello

    For Domain Join questions, I recommend that you ask this question on the following forums.

    Windows 8 IT Pro category:

    http://social.technet.Microsoft.com/forums/en-us/category/w8itpro

    Regards

  • How to disconnect from a domain - Windows 7

    My laptop is joined to a domain, since that made it easier for me to do a job. I now want to disconnect my laptop from the domain and remove all the other domain accounts. Can you help me do that?

    To manage the users of your machine, open Control Panel, search for users, click on 'User accounts' in the top-level search result, then on 'Manage user accounts'. From there, you can remove and add users.

    To disconnect from a domain, open Control Panel, search for 'System', then click on 'System' in the top-level search result. From there, you will see information about your computer, such as name, domain, etc. Click the 'Change settings' button, then the 'Change' button, and finally the 'Workgroup' option button. You need to restart the machine.

  • PEAP-MSChap v2 & ACS 4.0 & Windows 2003

    Following this guide for PEAP-MSCHAP v2, I get the following error on ACS: "EAP-TLS or PEAP authentication failed during SSL negotiation".

    When I disable "Validate server certificate" on the Windows XP managed wireless card, I can connect immediately. What is the advantage/disadvantage of unchecking "Validate server certificate"?

    Please advise

    http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a00807917aa.shtml

    First of all, find out what encryption these devices support. I think they support WPA/WPA2 with PEAP. Devices don't need to be on the domain to work with this type of encryption.

  • I keep getting "the trust relationship between this workstation and the primary domain failed" error - Windows 2008 R2

    Hi all

    I appreciate your help. And I hope that this issue has been addressed previously, although I couldn't find any solution there.

    I manage a Windows 2008 domain with 3 domain controllers. Recently my workstations keep falling out of the domain. I get "the trust relationship between this workstation and the primary domain failed" on many workstations.

    I know how to fix it properly, using netdom.exe. But the errors keep coming back. I don't know where to look for the source of this error. A possible problem might be that the time in the domain is out of sync. But all my workstations synchronize with the domain controller holding the primary domain controller role, and that seems to work correctly.

    Are there other sources, that I need to check? This is getting frustrating.

    Thank you much for the help.

    Sincerely,

    Hello

    Post your question in the TechNet Server Forums, as your question is beyond the scope of these forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    Cheers.
