Cisco ACS 4.1 with external AD for authentication

Hello

We have just configured a Cisco ACS 4.1 Solution Engine and are using a Windows 2003 domain controller as a remote agent. We use TACACS+ as the protocol.

Users that are created in ACS itself are able to connect to various network devices, but users in the domain (Active Directory) cannot connect. We get the access denied message. At the same time we get the 'external DB is not operational' message in ACS.

On the Active Directory server where the agent runs, in the CSWinAgent log, we get the following error: 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

Could you please help us isolate the problem.

Thank you & best regards

Make sure that the version of ACS and the version of the remote agent software are the same. Also, the account under which the remote agent runs must have special domain administrator rights, such as 'Act as part of the operating system' and 'Log on as a service'.

Kind regards

~ JG

Tags: Cisco Security

Similar Questions

  • Cisco VCS and LDAP for authentication of users

    I have a question about setting up LDAP for user authentication on the VCS. I want redundancy in my LDAP link. I believe this is possible by setting a fully qualified domain name as the LDAP server address, then selecting SRV as the resolution type. What I'm not clear on is what the value for the server address would be if I actually used SRV as the resolution type. I should also add that I am looking to use TLS.

    To clarify, if my AD domain name is myad.netcraftsmen.net, do I set the server address field as:

    myad.netcraftsmen.net, assuming that VCS properly queries DNS with the correct _service._proto parameters?

    or would I need to create an SRV record to that effect and set the server address field with that address (including the _service._proto fields)

    or do I need to specify one of the SRV record formats used by MS AD domains (there are several).

    If the latter, then which SRV record for TLS? I only see records with port 389 (non-secure).

    My intuition tells me it's probably the first option, but I could be way off.

    Anyway, thanks in advance for any input.

    Kind regards

    Bill

    Hi William,

    I just checked it on an X6.1 VCS, and it seems that VCS looks up the SRV record _ldap._tcp.domain (where 'domain' is what has been entered as the server address), both when encryption is set to 'None' and to 'TLS'.

    Hope this helps,

    Andreas
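
    Once the client has the SRV answer Andreas describes, it still has to pick which host to try first. The following is an added example (not code from the thread, from Cisco or from the VCS) of the RFC 2782 selection rule: lowest priority first, weighted random choice within a priority level, and a target of "." skipped because it means "no service here". The zone data is constructed for the myad.netcraftsmen.net domain from the question; real AD zones publish _ldap._tcp.<domain> on port 389, so if the VCS does TLS on the port carried in that record it is StartTLS on 389 rather than LDAPS on 636, which is worth confirming for your VCS version before relying on it.

```python
"""RFC 2782 SRV selection for an LDAP service (added worked example)."""
import random
from typing import List, Tuple

# Constructed zone data for the example domain; fields: priority, weight, port, target.
SRV_RECORDS = [
    (0, 60, 389, "dc1.myad.netcraftsmen.net."),
    (0, 40, 389, "dc2.myad.netcraftsmen.net."),
    (10, 0, 389, "dc3.myad.netcraftsmen.net."),   # backup, lower preference
    (20, 0, 389, "."),                            # explicit "service not available"
]


def srv_name(domain: str, service: str = "ldap", proto: str = "tcp") -> str:
    """The owner name a client queries, e.g. _ldap._tcp.myad.netcraftsmen.net."""
    return f"_{service}._{proto}.{domain}"


def order_srv(records, rng: random.Random) -> List[Tuple[str, int]]:
    """Return (target, port) pairs in the order RFC 2782 tells a client to try them."""
    live = [r for r in records if r[3] != "."]
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r[0] for r in live}):
        # Weight-0 records are placed first so they are selected only when the draw is 0.
        group = sorted((r for r in live if r[0] == prio), key=lambda r: r[1] != 0)
        while group:
            total = sum(r[1] for r in group)
            draw = rng.randint(0, total)          # uniform, inclusive of both ends
            running = 0
            for idx, rec in enumerate(group):
                running += rec[1]
                if running >= draw:               # first record whose running sum reaches the draw
                    ordered.append((rec[3], rec[2]))
                    del group[idx]
                    break
    return ordered


if __name__ == "__main__":
    print(srv_name("myad.netcraftsmen.net"))
    for target, port in order_srv(SRV_RECORDS, random.Random()):
        print(f"try {target}:{port}")
```

    Running it repeatedly shows dc1 and dc2 alternating as the first candidate roughly 60/40, with dc3 always last and the "." record never offered; that is the redundancy the question is after, and it comes from DNS, not from anything configured on the VCS itself.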

  • Installation of Cisco ACS 5.4

    I am setting up Cisco ACS 5.4 for my org. The way I have it set up, ACS passes authentication to a RADIUS server. The problem is that it does this for both the user password and the enable password on each account. Is there a way to configure ACS to check its internal identity store locally for the enable password but keep passing the user part to RADIUS?

    Hi Jessica,

    I went through your query and it seems that you would like the login authentication to be checked with another external RADIUS server (RADIUS proxy) and the enable password to be verified against what is configured locally on ACS.

    I don't think this can be done with the RADIUS protocol; with TACACS+, however, we can use the service attribute, which you can set in the identity selection so that if the service matches login it points to the AD database, or if it matches enable it points to the internal database, based on rules. I've attached a screenshot of the same for your reference. The identity source could be any configured database.

    ~ BR
    Jatin kone

    * Please rate useful posts *

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users using a VPN 3000 concentrator.

    I added the VPN 3000 on ACS and added ACS on the VPN 3000 as an authentication server with a shared secret. When I do a test on the authentication server using the local account that I created on ACS, it says that no response was received from the server, although I can see RADIUS Auth in green.

    Any help would be much appreciated.

    Regards

    AR

    Hey,

    What does the report on ACS say?

    "RADIUS Auth in green"

    If so, a pcap between the two would help.

    Regards

    Ed

  • Cisco ACS 5.3 Newbie

    Hi guys,

    I'm looking to implement a Cisco ACS 5.3 for MAC address based VLAN on a 2960 switch.

    Has anyone done this before? Basically what I want is

    1. have a list of the devices specified in the ACS with their MAC address

    2. connect the switch to ACS

    3. when a device is plugged in, the switch should check with ACS which VLAN the host must be on.

    Thank you.

    In ACS, you must configure authentication using the 'internal hosts' store (which is the MAC address database) and authorization using 'authorization profiles' (this is where you configure which VLAN to use).

    If you are a beginner I recommend you test authentication only. If all goes well, you can add the authorization.

    On the switch side, you need to configure something like this

    aaa new-model

    radius-server host x.x.x.x key PASSWORD
    radius-server vsa send authentication

    aaa group server radius ACS
     server x.x.x.x
    !
    !
    aaa authentication dot1x default group ACS
    aaa authorization network default group ACS
    aaa accounting dot1x default start-stop group ACS

    interface GigabitEthernetX/X
     mab
     authentication order mab
     authentication port-control auto
     dot1x pae authenticator

    Please rate if this helps

  • Selection rule for the 5.2 Cisco ACS Service

    Hello,

    I'm trying to configure Cisco ACS 5.2 for dot1x authentication of Windows 7 and Windows XP clients. I did all the steps but I could not create the service selection rule; it gives me an error message that you can see in the attached screenshot.

    After I specify the allowed protocols it gives me the choice of identity source, and that is where it gives me this error.

    Your help is very much appreciated.

    Kind regards

    Ibrahim

    Try another browser like Hussam suggested and let us know the results.

    I updated Firefox to 15.0.1 and now I am not able to manipulate many parameters in ACS 5.3.
    This browser version behaves extremely badly with ACS 5.x: it does not show all message boxes, and it just does not display the page when you click on the link.

    If different browsers show the same issue, I would say restart the machine (physical or virtual) completely and try again.

    It is also best to upgrade to the latest patch, if not already done.

    Greetings,

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Renew the certificate in Cisco ACS for PEAP authentication

    Hi, we installed on our wireless client laptops a certificate created by Cisco ACS for authentication, but it is about to expire.

    How can I renew the certificate without affecting users?

    (1) Yes, we can generate a new cert but install it later.

    (2) Install the newly generated cert on the clients.

    (3) Install the new cert in ACS.

    Good plan and will probably work.

    Kind regards

    ~ JG

    Please rate useful posts

  • Devices configured for authentication under ACS

    Hi friends,

    I would like to know how many devices can be configured for authentication under ACS version 5.6.0.22 (Cisco Secure Network Server 3415).

    I'm not able to find this anywhere.

    Regards

    JN

    Hello

    It depends on the license that you install on the ACS 5.6.

    All ACS 5.6 deployments support 100,000 AAA clients, 10,000 network device groups, 300,000 users and 150,000 hosts. The ACS 5.6 log collector server can handle 2 million records per day and 750 messages per second sent by the various ACS nodes in the deployment to the log collector server.

    Please visit this link:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    With the Base license, a Cisco Secure ACS 5.6 appliance or virtual machine can support a deployment of up to 500 network access devices (NADs) such as routers and switches. These are also known as authentication, authorization and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured. The 500-device limit is not a limit for each individual device or instance, but a scale limit that applies to the set of Cisco Secure ACS instances (primary and secondary) that are configured for replication.

    The optional Large Deployment add-on license allows the deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment because it is shared by all instances.

    Please visit this link:

    http://www.Cisco.com/c/en/us/products/collateral/security/secure-access-...

    Kind regards

    Aditya

    Please rate useful posts.

  • Cisco Connect v1.4 for Mac - cannot add the USB printer

    I just installed Cisco Connect v1.4 (11266.0) and have updated my E4200 firmware to 1.0.03.

    I want to add a USB printer connected to the router, but when I open Cisco Connect and select the "Add new devices..." button, the only option for a printer is "Wireless Printer", not "Printer" followed by USB or wireless as in the user guide. There is no way to add a USB printer. Any suggestions?

    Hello.

    It is an old bug, still not fixed!

    http://homecommunity.Cisco.com/T5/Cisco-connect/no-option-for-USB-printer-on-Cisco-connect-1-4-11266...

    Greetz

  • Cisco UC virtual Foundation for MM410V

    Hello

    We bought Cisco UC Virtualization Foundation for a Multiparty Media 410V. Due to the 8 vCPU limitation, we should change it to the vSphere that comes with the MM410V. Does anyone know if it is possible to swap the licensing for the VMware products? VMW-VS5-410V-K9 can be ordered as a stand-alone Cisco item.

    You are hitting bug CSCuv30061; the workaround is to remove the Foundation license and run VMware in evaluation mode temporarily until you can get a replacement license. The long-term solution is to contact your Account Manager or Cisco Customer Service and request that it be converted to VMW-VS5-410V-K9.

  • NPS Windows Help for authentication of aaa for Cisco router - is it safe?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of online tutorials for setting up RADIUS authentication on a Cisco router and pointed it at a Windows NPS server. Now I can SSH into the router with my AD account.

    Now that I got it to work, I'm going over the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console)
     login authentication default

    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:

    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:

    How is my password being encrypted and how strong is the encryption?

    Another thing is how can I configure aaa authentication with MS-CHAPv2? The documentation I saw for MS-CHAPv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using PPP, I'm using aaa with a RADIUS server.

    Hello

    RADIUS encrypts the password, but sends the username in clear. TACACS+ encrypts the username and password.

    You can find the encryption used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAPv2 is used for authentication of users for things like remote access and VPN, not switch management.

    Thank you

    John
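
    What the capture in the question actually contains, as an added example (not code from the thread, from Cisco or from Microsoft): RFC 2865 section 5.2 does not encrypt User-Password with a cipher; it XORs it with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, and User-Name travels in clear, as John says. The block also builds the Access-Accept with the VLAN tunnel attributes (RFC 2868) that the switch in the ACS 5.3 MAB post above acts on, and checks the Response Authenticator the NAS uses to verify the reply came from its server. The secret, user, password, VLAN and the fixed Request Authenticator are constructed for the example; a real NAS draws 16 random octets per request.

```python
"""RADIUS User-Password hiding (RFC 2865 5.2) and packet authenticators (added example)."""
import hashlib
import struct

SECRET = b"mykey"                  # constructed shared secret (the router's "key mykey")
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_TUNNEL_TYPE = 64              # 13 = VLAN
ATTR_TUNNEL_MEDIUM_TYPE = 65       # 6 = IEEE 802
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # the VLAN name or number


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + previous hidden block),
    the first block using the Request Authenticator. Anyone who knows (or brute-forces)
    the secret recovers the password from a capture, so the secret must be long and random."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password: what NPS/ACS does, and what a capture plus the secret allows."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet (0 = untagged) followed by three value octets."""
    return b"\x00" + value.to_bytes(3, "big")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, req_auth: bytes) -> bytes:
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD,
                                                  hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def build_access_accept(ident: int, req_auth: bytes, secret: bytes, vlan: str) -> bytes:
    """Reply telling the switch to put the port in VLAN <vlan> (dynamic VLAN assignment)."""
    attrs = (attr(ATTR_TUNNEL_TYPE, tagged_int(13))
             + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(6))
             + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan.encode()))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check that the reply was produced by a holder of the secret for this request."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + req_auth + attrs + secret).digest() == resp_auth


def parse_attrs(packet: bytes) -> dict:
    """Map attribute type -> raw value (first occurrence); rejects malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, packet[pos + 2:pos + length])
        pos += length
    return attrs


if __name__ == "__main__":
    req_auth = bytes(range(16))    # constructed; a real NAS uses 16 random octets
    req = build_access_request(7, b"alice", b"S3cret!pw", SECRET, req_auth)
    print("User-Name on the wire:    ", parse_attrs(req)[ATTR_USER_NAME])
    print("User-Password on the wire:", parse_attrs(req)[ATTR_USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_password(parse_attrs(req)[ATTR_USER_PASSWORD], SECRET, req_auth))
    accept = build_access_accept(7, req_auth, SECRET, "20")
    print("Access-Accept authentic:  ", verify_response(accept, req_auth, SECRET))
```

    The design point the block makes concrete: the only thing standing between a captured Access-Request and the AD password is the shared secret, and MD5 is fast enough that a short secret falls to an offline guess. Keep the secret long and random, and carry RADIUS over a path you trust (management VLAN, IPsec, or RadSec) rather than relying on this hiding as encryption.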

  • How Anyconnect VPN users will connect with cisco ASA, which uses the server (domain controller) Radius for authentication

    Hi team

    Hope you are doing well!

    Currently I am doing a project which consists of a Cisco ASA 5545-X and a RADIUS server (domain controller) for authentication. Here I need to configure AnyConnect VPN and host checker on the Cisco ASA.

    1. User connection: the user browses to the SSL VPN and a pop-up asks for username and password.

    2. Authentication (Cisco ASA): the VPN sends the credentials to the RADIUS server.

    3. RADIUS server authentication: receives the request and returns the SSL VPN (ASA) group.

    4. Connectivity creation: if an employee PC, NAC verifies compliance; if not a PC, check and assign the user to the appropriate role and give an IP.

    This is my requirement, so someone please guide me how to set up step by step.

    1. how to set up the Radius Server?

    2. how to configure CISCO ASA?

    Thanks in advance.

    Hey Chick,

    Please consult the following page on setting up the ASA with a RADIUS server. On the ASA end there is frankly not much difference in doing this.

    http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

    Hope this helps

    Knockaert

  • How does ACS use encryption for its backup?

    How does ACS use encryption for its backup?

    Bruce,

    ACS backup is encrypted with the RC2 40-bit encryption method. The encryption option encrypts the already-encrypted data again for transmission between ACS and the FTP server.

    Kind regards

    ~ JG

    Please rate useful posts

  • I need to upgrade an existing ACS Design Standard 5.5 for Windows license to ACS Design Standard 6 for Mac: how do I proceed? Thanks

    I need to upgrade an existing ACS Design Standard 5.5 for Windows license to ACS Design Standard 6 for Mac: how do I proceed? [personal information deleted by Moderator]

    You can buy an upgrade to CS6 using this link. If necessary, change the country at the bottom of the web page:

    Creative Suite 6

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have a trial version of 4.2 on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    Windows 2003 is part of the domain; and in ACS, I go to External User Databases > Database Configuration > Windows Database > Configure.

    From there, I chose my domain name and selected the EAP-TLS machine authentication option. I've also mapped the domain to the group I created in ACS.

    I also left the default RADIUS ports 1812 and 1813 on ACS.

    On my WLC 5508, I created a WLAN and set the RADIUS server IP to the IP address of the ACS. However, when I tried to join the wireless network, it keeps failing.

    I installed the user cert on the laptop for EAP-TLS. If I change the RADIUS server on the WLAN and point it to my AD/NPS, my test laptop is able to join the wireless network through EAP-TLS.

    I'm a little confused about TACACS+ on ACS. Is TACACS+ only used for logging in to network devices for management, or can it be used for regular user authentication and authorization?

    For example, a wireless user who is part of the domain needs to join the corporate wireless network in his office. Can I use TACACS+ for that, or must it be RADIUS via ACS 4.2?

    Thank you

    Yes, that's right, and it applies to wired as well.

    On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

    Configuring WLC and ACS for the RADIUS settings:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the listed link below to install the certificate on ACS 4.2

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Please rate useful posts *
