Cisco ACS 5.3 connect to multiple identity stores / external database?
Hello
I understand that Cisco Secure ACS 5.3 supports integration with the existing external identity repositories such as LDAP and Active Directory Windows servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.
My question is can Cisco Secure ACS 5.3 integrate with "several" WIndows AD, LDAP, RSA server etc.? If so, is there a document from Cisco saying this? The key word here is multipple. Please help with kindness.
You can only authenticate against an Active Directory domain. If you have users from several domains, the domain that you configure in ISE must approve other areas.
On the other hand, if you use regular LDAP so it supports multiple LDAP servers.
It may be useful
Tags: Cisco Security
Similar Questions
-
ACS 3.0 Windows, VPN, remote access and external databases
I'm trying to implement a VPN solution, and most are very good.
We have a VPN concentrator, which authenticates with CSACS and who, in turn, back off the coast of authentication with a Windows domain. Unknown user policy allows new users themselves create dynamically.
The VPN uses the Cisco VPN client. The hub is visible on the internet, and the bit works fine.
Bit difficult, but we are also trying to set up the access line by using a phone company for users who do not have their own internet access.
I have problems which to authenticate to the Windows domain.
If I manually create a user and add a chap password, this user can authenticate OK. If I manually add a password of chap user can authenticate.
If the user does not exist I get "user CS unknown', if I did not add a password manually, but the user is I get"Invalid password CS CHAP", so it seems that the problem is is interrupting this authentication against the field, but I don't see why.
The telephone company radius server in my network as a aaa client configuration and is almost the same configured as VPN concentrators (the difference is the Conc VPN is configured as 'RADIUS (Cisco VPN 3000)' and as 'RADIUS (IETF)' radius server)
Any thoughts?
You cannot use CHAP to authenticate a domain Windows, the way THAT CHAP requires the password must be stored is incompatible with the Windows passwords. You need to configure each connection Dial-Up Networking to dial-up users to use MSCHAP or PAP.
-
Cisco ACS 5.1 and RSA Authentication Manager 6.1
Hi all
We recently had a Cisco Secure ACS 1120 and I improved the Unit 5.1 5.0 with all your support
Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.
I also added as NetOS Agent ACS in the RSA server during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).
I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.
Now, when I log into ACS and search for devices in the identity store sequences I am not able to get Sever Token RSA.
Let me know what was wrong, where can I fix and also please tell me what is the communciaction between the RSA and ACS?
Hoping that you guys help me as usual when I'm in a hurry...
Sree
Were you able to successfully create the RSA identity server. After selecting the sdconf.rec and you press on submit what happened? The RSA instance created OK?
If you go to
Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?
-
connection via Cisco ACS 5.0 limit
Hi all
My infrastrucer wireless a few days ago I deploy Cisco ACS 5.0 with Active directory integration. My wireless users are connecting through web authentication process. The authentication process is gone through AD & his works very well. But I want to work on my 5.0 ACS that a user cannot simultaneously connect several devices at a time.
Hello Sabine,.
'max sessions' featre introduced acs 5.3.
Maximum user sessions
For optimal performance, you can limit the number of concurrent users to access the network resources. ACS 5.3 imposes limits on the number of simultaneous sessions of service by the user.
The limits are defined in several different ways. You can set limits to the user level or at the level of the group. Depending on the configurations of the user's maximum session, the session number is applied to the user.
IMPORTANT: for maximum sessions work for access of the user, the administrator must configure RADIUS account management.
You can go through the link listed for more information below:
The code that you're using now ACS 5.0 is not recommended for a production environment. You need to upgrade the ACS to achieve the functionality of session max.
Jatin kone
-Does the rate of useful messages- -
Cisco ACS, multiple CA, assignment of VLAN relevant to the domain
Hi all
I searched for a solution to a specific customer requirement.
I want authenticate users with certificates from different RootCA wireless and assign them to one VLAN based on their field? Ideally, using the same SSID and a Cisco ACS server.
Is this possible? Has anyone seen that it works?
I realize that the ACS can have trust company for the relevant RootCA (dunno what version is needed for this?). And that assignment VLAN is also possible to a unique SSID based on RADIUS attributes. But I am not sure that these parts would fit together?
Would appreciate some advice!
Thanks in advance
Rob
Hello
Yes, this is possible. I suggest that you implement one by one to make sure that everything works, but no problem to do so. All recent versions of ACS allow this.
You can do mapping group from ad groups (a group for each area, so if you want to) and assign the vlan based on the mapping of this group.
GBA can trust several certification authorities and authenticate users with certificates of all these cases. It's just a matter of import these number certificate in the trust list.
And you can assign the vlan and use only one ssid as well.
I can't guide you on the procedure that it depends on which version you have and if you have IOS ap or WLC, but it is basically each function separated as in the config Guide and just used all together.
Nicolas
===
Remember responses of the rate that you find useful
-
Authentication PEAP with Cisco ACS 5.3 and Lotus Notes DB
Hello
I want to authenticate clients wireless against the name of user/passwords stored in a lotus notes database.
Network: PEAP SSID-> Accesspoint-> controller-> ACS 5.3 WLAN 4404-> Notes DB
Is this possible?
I can connect to the attributes and ldap groups and query. but when I try to authenticate a user, I always get an error "object not found in the identity store.
Bind test succeeds (> 100 groups and > 100 subjects.)
EAP MSCHAP v2 is not taken in charge with LDAP by ACS
You can use EAP GTC
You should a begging utility that supports PEAP (EAP-GTC)
such as ADU, Intel Proset, CSSC Cisco AnyConnect,... you can google for a list of applicants
Open the new thread for cause of Apple
------------------------------------------------------------------
Be sure to note the correct answers and report this thread as answered
-
Problem with certifcate on Cisco ACS
We want to authenticate our internal wireless users using our Cisco ACS running 5.3. GBA questions our Active Directory environment for the user name and password provided. I created a CSR on GBA and it provided to Entrust. They gave me a root certificate, string and server. I've linked the server certificate to the CSR under System Administration > Local Server Certificates > local certificates. I then added the chain and the root certificates to the users of the site and identity stores > autorités. When I try to connect to a laptop client he asks a user name and password, but after entering this information, I am presented with the warning on this certificate below. This certificate is to Entrust and I see the certificate root in the root store on the laptop. Any ideas what would cause this. TAC does not seem to have all the answers. They say it's a problem of the client machine.
In case you want to check your configuration settings.
http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml
~ BR
Jatin kone* Does the rate of useful messages *.
-
Cisco ACS secure 5.3 allowing foreigners on ACS local domain server domain accounts
All the
My company has recently acquired another company
Each company has its own domain and controllers
The problem:
Executives of the absorbed company sometimes come to the main site for meetings using their own laptops
configured for their own areas. This caused problems of authentication wireless with Windows 7 machines.
The domain account when you connect is forcing the dispatch of the password, the name of domain user and the foreign domain
The need:
We need to somehow add foreign domain as the source of authentication on the local ACS authentication attempt with our wireless controllers is allowed.Give advice on how this could be achieved.
Hello Steve,.
Concerning the behavior that you experience with ACS to be able to authenticate users against the foreign domain is completely expected and you will only be able to authenticate by entering the user name and domain name.
The only option to join the ACS for a foreign domain is LDAP configuration and in this way, you will be able to join the AEC directly with this area, however, there are several limitations on the supported protocols when you use LDAP as you can see from the following link, then you want to see if he would be available as an option for you or not depending on the Protocol that you use (which I suppose is it PEAP / MSchapv2) as you mentioned that users will type the identifying information, so it does it does not for you):
http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...
Excerpt from the link:
Authentication Protocol EAP no B-4-table and user database compatibility
Identity storePAP/ASCIIMSCHAPv1/MSCHAPv2CHAPACS
Yes
Yes
Yes
Windows AD
Yes
Yes
NO.
LDAP
Yes
NO.
NO.
RSA identity store
Yes
NO.
NO.
Identity of DEPARTMENT store
Yes
NO.
NO.
Table B-5specifies the EAP authentication protocol support.
Authentication Protocol EAP compatibility of database user and table B-5
Identity storeEAP - MD5PEAP-EAP-MSCHAPv2EAP-FAST MSCHAPv2PEAP-GTCEAP-FAST-GTCACS
Yes
Yes3
Yes
Yes
Yes
Yes
Yes
Windows AD
NO.
Yes
Yes
Yes
Yes
Yes
Yes
LDAP
NO.
Yes
Yes
NO.
NO.
Yes
Yes
RSA identity store
NO.
NO.
NO.
NO.
NO.
Yes
Yes
Identity of DEPARTMENT store
NO.
NO.
NO.
NO.
NO.
Yes
Yes
Note: Please mark it as answered as appropriate.
-
I am setting up Cisco ACS 5.4 for my org. The way I put it in place, ACS passes authentication to a RADIUS server. The problem is that it does for the user and the password to enable on each account. Is there a a way to configure ACS to review on-site in its stores of internal identity for the enable password but keep passing on the user part of RADIUS?
Hi Jessica,.
I went through your query and it seems that you would like to authentication of the connection to be checked with another external radius (radius proxy server) server and can be verified with the password to enable configured locally on GBA.
I don't think that if this cannot be done with the Protocol radius with Ganymede, however we can use service attribute and that you can set in the identity > selection if the service corresponds to point of AD database connection or if the matches allow it to point to the internal database based on rules. I've attached a screenshot of the same thing for your reference. The source of identity could be anything configured databases.
~ BR
Jatin kone* Does the rate of useful messages *.
-
Cisco ACS. Two-factor authentication.
Hello.
We intend to use the connection diagram: cisco asa + cisco acs 5.4 + rsa securid.
We use two groups on Cisco ACS. Group "A" must use two-factor authentication, and the 'B' group don't.
How to create this rule?Perform the rule base identity selection with dap-tunnel-group-name as a selector.
ASA will send auth request name of the tunnel group.
Attached example.
-
Connection to multiple devices sequence using FF Fieldbus Foundation open VFD
I am trying to connect to multiple devices on the same bus fieldbus. When I try
to connect using 'FF VFD open' admission that he is VFD tag (I left it as)
by default (0)). I can connect to a device, he questions and close the connection.
However, when I try to do the same with the following equipment, it errors on Open
VFD. The bus, everything seems to be connected correctly, I can query all devices
there and get their various identity papers, so I think it's to communicate all the
right.
I tried to connect using different, unique VFD tags. As I mentioned, I
have tried to disconnect and close the entire connection before trying to
to connect to another unit. I tried to connect to individual units with the
other disconnected from the bus and each will connect and work very well, so I
know that everyone is able to work-just not when other units are also present.Any idea is appreciated.
-
Cisco ACS wireless authentication
Hello guys,.
I'm testing wireless authentication and authorization with my users wireless via ACS 4.2. I have version 4.2 test on Windows 2003 for the test. I also WLC 5508 and 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.
Windows 2003 is part of the field; and the GBA, if I go to the external database > Database Configuration > Windows database > configure
From there, I chose my domain name, select "devices the EAP - TLS Machine authentication. I've also mapped the domain to the group I created in ACS.
I also looking default RADIUS ports 1812 and 1813 the GBA.
On my WLC 5508, I created a WLAN and define the RADIUS IP to the IP address of the ACS. However, I tried to join the wireless network. It keep the default.
I installed the cert of the user on the laptop for EAP - TLS. If I changed the server RADIUS on the WLAN and pointed to AD/NPS that I, my portable test was able to join the network wireless through EAP - TLS.
I'm a little confused on the ACS GANYMEDE +. GANYMEDE + is only used for the connection to network for managing devices or can be used for regular users for authentication and authorization?
For example, a user wireless, which is part of the domain, need to join a corporate network without wire in his office. Can I use GANYMEDE + for it or it must be the RADIUS by ACS 4.2?
Thank you
Yes it's true, and it applies as well in Wired.
On GBA, please add WLC as an AAA client with RADIUS (Cisco airespace)
Configuration of WLC and ACS for the RADIUS settings.
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml
You can visit the listed link below to install the certificate on ACS 4.2
~ BR
Jatin kone* Does the rate of useful messages *.
-
I have configured the aaa authentication in the pix firewall to see the ACS RADIUS Server for verification of the user. If the ACS server becomes unavailable, then I could not connet the pix firewall.
In the router, I have the configuration option
AAA authentication login default group Ganymede + local
that tells the router first looking for a radius server and if is not available connect through the local database.
Is there an option in the Cisco pix firewall to connect using local information if ACS is not available?
Thanks in advance
Hello
PIX back up method to entered the unit in the event of server failure aaa works on 6.3.4 code and above. In the codes plus late 6.3.4 If the RADIUS server fails it is impossible to get in unless password recovery. "However if we have not configured for console aaa authentication than user name: pix and password: cisco" works by default.
Kind regards
Mahmoud Singh
-
Cisco ACS SE GANYMEDE + accounting fails
Hello
I'm under Cisco ACS SE 4.1.23.5. My problem is that the ACS don't Jrnl of the remote switches. I have configured the following accounting commands:
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 0 arrhythmic default group Ganymede +.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
When I enable aaa accounting debugging, I get the following logs on the switch.
001091: 12 sep 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): method = Ganymede + (Ganymede +)
001092: 12 sep 12:06:06.665 TSB: TAC +: (2684940942): received the status of response acct = SUCCESS
001093: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:
'show running-config '.
" 001094: 12 sep 12:06:11.128 TSB: AAA/ACCT/CMD: find the "default" list
001095: 12 sep 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): method = Ganymede + (Ganymede +)
001096: 12 sep 12:06:12.000 TSB: TAC +: (1583033889): received the status of response acct = SUCCESS
001097: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:
' configure terminal '.
" 001098: 12 sep 12:08:16.303 TSB: AAA/ACCT/CMD: find the "default" list
001099: 12 sep 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): method = Ganymede + (Ganymede +)
001100: 12 sep 12:08:16.504 TSB: TAC +: (1098049616): received the status of response acct = SUCCESS
001101: 12 sep 12:08:29.884 TSB: AAA/ACCT/CMD: user johndoe, tty2, 15 private Port:
It seems that the switch is well a response but the CSA record. I have updated the ACS for the latest patch (4.1.23.5), which is supposed to resolve this known bug.
Is there something that I am missing?
Thank you.
ESD
And what you get in the newspapers of Ganymede Administration?
Kind regards
Prem
-
RADIUS does not not on Cisco ACS SE v4.1 (1)
Hello
I have a CiscoSecure ACS version 4.1 (1) build 23.
I can't configure the Cisco ACS for granular control of access router. I have a Netopia Router that is configured to use RADIUS to authenticate remotely for a telnet connection. The router sends the request to access the Cisco ACS SE RADIUS and a sniff on the side of the ACS shows the application of GBA, but I see no response from the ACS. RADIUS authentication to work with a Windows 2003 server.
I configured an AAA client and a user of the ACS and use the default group. I use IETF RADIUS. Should what attributes I configure. In Windows, I use Service Type framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the newspapers. It shouldn't be so difficult, but for some reason I can't make it work.
Thanks for any help.
Jutta Kullmann
Jutta,
Good to know it works very well. Please mark this thread as solved so other can benefit from.
Kind regards
~ JG
Maybe you are looking for
-
I lost my disk of Vista for Satellite L305-S5940
Hello I have a Toshiba Satellite L305-S5940. I lost the Vista OS disks required to restart my hard drive crashed.What are my options to reinstall this software without the original disks? Jordan
-
Windows Xp pro activation, says my license key is not valid.
Hello I just got my old hard drive in a 2004 hp pavilion a705w with Windows XP pro top. Then it says please activate your product, and I have put it in the activation key to the original computer back right to the device and fact ensure that it is co
-
Windows XP Professional, Media Center Edition 2005 SP3 will not automatically put into hibernation
I have re-installed drivers quick resume technology drivers & Intel Graphics & Sound & all associated drivers. but not good. Computer will be manually Hibernate & come out of hibernation, but is not automatically updated in hibernation? I tried the r
-
Problem scanning to hp officejet 7410xi for hp Pavilion dv7t
I can print correctly, but unable to scan from the printer to laptop? Printer laptop scan defaults to another older, not used. How can I configure printer to scan to this laptop? Thank you
-
Is Microsoft XP for netbooks and laptops ok?
I need to install Microsoft XP Home Edition in a laptop Asus 5700. It will work in an Asus 5700 since it is smaller than the laptop normal? Thank you for your time.