Active Directory + ACS Remote Agent
I have a camera ACS (3.2). I understand that I need to use a remote ACS agent installed preferably on a domain controller, Windows authentication. My question is: if I use Active Directory, can I not use external user databases and configure generic LDAP with the appropriate settings to access Active Directory? So I wouldn't need a remote agent? Or I have to use external user databases and configure the databases Windows (which means using an external remote agent? Or I can choose two methods? His confusion as active Direcory cann support for pre-2000 windows domains and I do not know which method of mapping of external user database to use.
My apologies, missed the word "apparatus" in your original post.
You can probably do this use anyway, I guess, even though we suggest using a Remote Agent with the Windows DB. If you are not going in this direction, make sure your security permissions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/rawi.htm#642394)
I've had users use the LDAP with Windows Ad database before and it works very well, the only difference (IIRC) is you don't get all the group maps of Windows with this method, but for the authentication of the user only, it should work fine.
Tags: Cisco Security
Similar Questions
-
THE ISSUE WITH ACS REMOTE AGENT LOG
Hello guys,.
I installed a Cisco ACS SE with version 3.3. I try to configure for sendo journal acs agent remotely, but it does not work. I installed acs remote agent and I activated the registration service during the installation. ACS appliance may communicate with the remote agent, but ACS cannot write logs on the Remote Agent. If I look at logg on ACS its OK, but when I look at the logs on the Remote Agent Windows there is nothing there. Could someone help me?
Thank you
Hello
Please try logging configuration remotely as shown in the link:
Kind regards
Anisha
P.S.: ACS 3.3 is out of life and support. Please install the latest version.
-
HI guys,.
I installed the Remote Agent ACS on my AD controller. I can add the agent to ACS... but I do not see the Windows authentication avaiable in the agent...
The Agent runs with a service account that has all rights AD.
Anyone able to help?
Make sure that this worm device software and remote agent are the same.
To display the version of CSAgent.exe, type csagent.exe - v, and then press ENTER to command line
C:\Program Files\Cisco\CiscoSecure ACS Agent\csagent
Kind regards
~ JG
-
Hello
Is it mandatory that remote agent for CSA will be installed on the primary domain server, would this work if it were to be installed on a virtual server that is a member of the main domainserver? This should be used for authentication using a vpn.
What impact is remote agent has on the operation of the wrt the CPU server, disruption, etc.
Thank you.
ACS can be installed on a member server.
-
Hello
I have problem with authentication remote agent acs for VPN connection, I want to remove the agent and point to another server I click on this remote agent and then remove and apply it gave me the error below:
This Agent is used for NT authentication, this must be reconfigured until it can be removed
What should I do to remove it?
I also want to ssh to the machine what is the default username and password?
THANKSSSSSSSSSSSSS
What is the ACS version you are using?
To watch 4.2/4.1
Database of external-> users
Configuration of the database->
Windows database->
Configuration of external user database->
Database user configuration Windows->
Agent selection remote Windows
And remove agents here.
___
HTH. Please rate this post if this has been helpful. If it solves your problem, please mark this message as "right answer".
-
Support for multiple Active Directory ACS 5.2
Hello
I couldn't find a way to add multiple domain controllers to Cisco ACS 5.2, all that he requires in the GUI of the ACS entered the domain name? We are limited to add the root DC /forest?
I'm not a Microsoft Expert...
I could not understand how ACS detects the DC through this simple entry? What is with the help of DNS?
Comments are appreciated.
Dumlu
ACS 5 may be joined with a single domain right now. When GBA is joined to a domain, ACS can authenticate any user who belongs to this domain any domain controller in this domain. It relies on DNS resolution to find the appropriate domain controller.
I think that what you are looking for is Multi domain authentication. If you do this, then you should have a two-way trust between the immediate area (the area which is a part of the ACS) ACS other areas. The ACS will send authentication to one of the domain controllers in its domain and it will then be forwarded to the other domain. It could be a child or a parallel domain, but it must have 2 path of trust between them.
In other words, so that you may choose is to set up 2 separate domain controllers from different domains such as LDAP servers. In this case we do not need a way 2 trust and you can separately for each domain authentication request.
-
The upgrade to Cisco ACS SE and Remote Agent
Hello
Currently we are upgrading the PDC to Windows Server 2008, Standard Edition R2.
I am little confused with information available for upgrade scenarios. Appearing on the current working versions.
Cisco ACS SE - version 4.1 Build 23 5 Patch 1
Cisco ACS Remote Agent version 4.2 (0.124)
The new operating system will work on 64-bit, I think that the current ACE SE and the remote agent can / must be upgraded.
My existing versions, give the possible scenarios of upgrade available for me. After that upgraded SE and Remote Agent should work for the 64 bit OS.
Thanks in advance!
Yes, it is not possible to upgrade the ACS ACS 5.2 existing to level 4.1. They are two different boxes run on a different platform.
Unfortunately ACS 4.x does not support windows 2008 r2.
5.2 ACS is the only option left, and you will need to buy a new box of seprate with the new licnese for this.
Concerning
Bellefroid
Note the useful messages
-
Problem with Active Directory and the NAC
Hello.
Please I need help.
I have my server with the "Active Directory SSO" began, but when a user tries to connect to the network with its credentials in Active Directory, the PC agent say that 'Invalid username and password.
My server is tuned by the 8910 port.
I conectivity with CBS and active directory.
kpass command runs successfully.
Thks.
Jorge,
If the service is running, then you must put emphasis on the communication client/AD and see where the break occurs.
Can you ensure that the unauthenticated role, you have all the required TCP/UDP ports open, and ICMP and IP FRAGMENTS to all your domain controllers?
HTH,
Faisal
--
If you find this article useful, please note so that others can easily find the answer
-
Unit of ACS and agent remote test
Problems with unit ACS integration with Active Directory. Have installed the remote agent on a member server and the ACS unit can enumerate Active Directory groups correctly so there is at least some communication happening.
Looking at newspapers in the remote agent whenever a request for ad groups comes through see you the corresponding journal entries. When a user tries to authenticate that there is no future logs through the remote agent. So maybe it is not sent to remote agent?
In the authentication failed, connect GBA, the error is unknown user, it shows the correct username + domain name such as the person trying to authenticate.
Windows Server is configured for a unknown user policy.
Version of the ACS is 4.1.1.23, Remote Agent is the latest available version.
Any ideas or things to check?
Hello
According to the guidelines of your last line, it seems that the ACS and RA worm are not even. Please note that ACS and RA device software worm must be same or it won't work.
Kind regards
~ JG
-
ACS 4.2 Remote agent compatibility issues.
I did a little reading on the compatibility of remote ACS 4.2 with Windows 2008 R2 agent, and it seems that the only way out is to upgrade the ACS to 5.2. We have Cisco ACS 4.2 SE and I would like someone to confirm that I have installed what happens if the remote agent on a Windows 2003 server of Member rather than the 2008 R2 domain controller. Such a scenario will work?
Comments are appreciated.
Concerning
Yes, here's what a bug documented with this CSCtg37183 information:
Excerpt from the previous link:
ACS 4.x does not support the Server 2008 R2 to AD. Symptom:
ACS 4.x does not support authentication to a back-end Server 2008 R2 Active Directory.
Conditions:
ACS 4.x
Windows Server 2008 R2 installed on the domain controller
ACS or remote agent installed on a member server in the environment (even if the Server 2003/2008)Workaround solution:
Install the ACS or the Remote Agent on a domain controller 2003/2008
Cisco does not support this scenario because sometimes work well other doesn't work at all, so nobody wants an unstable network right, unfortunately workaround doesn't help much. Although there is an ACS 5.2 trial version that you can test, let me know if I can get you the links.
-
Replication of ACS and integration with the Active directory database
Hi all
I have to configure two ACS SE with the internal database replication. I have also a server active directory that must integrate with ACS. My doubt is that I need to configure the IP address of the ACS during installation of the remote agent on active directory or only the primary ACS
No need to give the IP of two ACS. Give the primary IP of ACS.
Kind regards
~ JG
Note the useful messages
-
ACS Appliance Agent remote problem
Hello
We have depending you on the situation:
-2 x ACS SE
-2 x ACS Agents on member servers remotely
-2 x ASA
We would like to authenticate the VPN users connecting to the ASA via the ACS and active directory.
I have configured the remote agent following this link:
But we are not able to pick up groups active directory to the AEC gui--> user external database > database group mappings > Active Directory > new Configuration.
On the domain controller, we get the error ID 1030 and 1058, someone had these problems too?
Thanks in advance and best regards
Dominic
Most likely, this is a Permission problem. What OS and SP you use.
Have you tried to run the remote agent by using the LOCAL account instead of the service account that you created?
Kind regards
~ JG
Note the useful messages
-
am setting up remote access on the MS 2003 Server following the white paper, but can not find the 'users Active Directory & computers' to set the ip this part has been renamed or hidden somewhere?
original title: MS Server 2003Post in the Windows Server Forums:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/ -
Secure ACS unit and Remote Agents
Hello
We test Secure ACS 3.2 device and authentication against AD via remote agents. When two or more remote agents are registered with the device in the network menu, is the pretty smart device to try the second machine remote agent if she can't talk to the first? We tested this failover by stopping the service of the remote agent on the first domain controller where it has been installed. However, failover does not occur. We want to know if this failover is supposed to work, and if so what we need to do to make it work.
Yoshi Nagase
Hello
I implement a solution similar to yours... 2 ACS unit with 2 Remote Agent...
I set the remote agents on the Network Configuration and the external user DB - database of Windows - Windows Remote selection of the Agent.
In this menu the value primary and secondary Remote Agent
HTH
Omar
-
Upgrade ACS 4, 1 - question of Remote Agent
I've updated Cisco ACS 3.2 to 4.1. Having satisfied certain issues, we finally got installed. Now, we are facing this problem of the remote agent. There is a lot of configuration to do for this agent? Here is the part of the instructions. I know right what they want me to. Where is this Cisco computer? Where we put the Cisco account? We certainly do not have a domain controller on our network called Cisco. Is it better to put this on a domain controller or a member server?
Thank you
Dwane
Step 1 Add CISCO workstation.
To meet the requirements of Windows for authentication requests, ACS must specify windows
in my computer to which the user tries to open a session. Because the ACS cannot determine this information
of authentication requests that send AAA clients, it uses a name of generic workstation for all applications.
Use CISCO under the name of the workstation.
In the local domain and in each trusted domain and a child domain that uses ACS to authenticate users.
ensure that:
? A computer named CISCO account exist.
? All users that Windows will authenticate are allowed to connect to the computer named CISCO.
For more information, see the Microsoft documentation for your operating system.
Go down to da external user---> DB Configuration---> Windows---> Configiure--->---> RA remote agent choose in the drop-down list---> Summit.
ACS will now use this remote agent.
Kind regards
~ JG
Please rate if this helps
Maybe you are looking for
-
complete the loop and get data
I need to acquire the acquisition values of data every x seconds. Waiting in the loop of data acquisition is defined so that the next N samples are acquired after x seconds. Pressing stop the loop of consumer DAQ stops after the sec x which is connec
-
Function of path of the band directly in TestStand?
Hello I use TestStand 2013 one I'm looking for a "Path of the band" function, which can retrieve path name and file name of a coherent path string. Such a function exists in LabVIEW but I found no comparables in TestStand. Kind regard Christian
-
Where can I find a free, (Windows XP compatible) SWF file converter?
-
How to get the 'description' of a control property if the control is a part of the cluster?
Hi, dear all LV offers the possibility to work with the property 'description' of the individual control of the VI. The use of knots of property: reference VI > front propert > control [] property > Description. Unfortunately, I found a way to set or
-
How to transfer a file from the Microsoft Works word processor documents