Cisco Secure ACS 4.2 Windows authentication of different domain

Hello

I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain, and the users of that domain who belong to a certain group are authenticated.

Now I have to change the configuration of the server and move it to another domain. There is no trust relationship between the two domains, and I would like to know if users can still be authenticated against the previous domain.

Hello

First of all, take a backup (as a precaution, so you can restore the config if something goes wrong), then continue with the following:

-Remove the Windows domain configuration (group mapping etc.) from the server before changing the domain.

-Change the domain membership, and then restart.

-Follow the post-install steps for ACS (see this link): http://tiny.cc/zr6huw.

-Configure the external database again on ACS (group mapping, unknown user policy, etc.).

Note that if the new domain controller is Windows Server 2008 R2, it is not supported by ACS 4.x.

HTH

Amjad

Rating of useful answers is more useful to say "thank you".

Tags: Cisco Security

Similar Questions

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'm setting up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers. I use a Windows 2003 server for it
    and a Windows 2003 Active Directory server.  The AD server is fine; it is used for many other things.

    I've implemented ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide
    for using AD as an external database (e.g. setting the services up to run with a domain administrator account, setting up a machine called "CISCO"
    in the domain, etc.).

    I've set the unknown user policy to use the Windows database if the internal database does not contain the user's details.

    If I add a user to the internal database, authentication goes through fine, with an entry in the "Passed Authentications" log.

    02-24-2010, 05:07:03, authentic failed, eXXXX, Network Administrators (NDG), X.X.X.X, (default), internal error, (get the internal error error message)

    I scoured Google etc. and just cannot come up with any reason why this should be the case.
    I followed all of the installation guides to the letter.  I need to get this up and running as soon as possible,
    so I am eager to know if someone can help me with this one!

    Thanks and regards

    Sharan

    George,

    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a
    64-bit computer.  ACS would not work with Active Directory when installed on a 64-bit machine before
    ACS 4.2.1.

    -Jesse

  • Cisco Secure ACS vs IAS in Windows

    Hi all

    I need to deploy AAA for the following situations.

    (1) remote access via Cisco VPN Clients.

    (2) AAA for wireless windows PC in remote areas

    (3) AAA for Cisco switches and routers in remote areas

    (4) authentication with a windows domain

    Windows IAS would be virtually free, as we already have Windows 2003 domain controllers at each remote site. However, Cisco Secure ACS might also be an option. Does anyone have experience with these two?

    What are the positives/negatives of each, and the limits?

    Does anyone have any information on case study etc. in comparing the two?

    Your help is greatly appreciated.

    Kind regards

    Andy

    PS: There is a limitation in Windows 2003 Standard edition which limits the number of RADIUS clients to 50. Although we have more than 50 potential clients in the company, no site has more than 50 altogether.

    MS IAS allows you to implement the solution using only the RADIUS protocol.

    ACS offers the feature to use RADIUS as well as TACACS+.

    Looking at the 4 solutions you want to implement, only the 3rd will be a little easier with TACACS+, but even then it is not something you cannot implement using RADIUS.

    On the RADIUS client limitation, ACS offers a large database that you can use for clients, so there is no 50-client limit. In addition, many, many features you'll love to integrate into your network, such as a NAP/NAC implementation, are made easier.

    So you need to check your budget: if you have it, you can go to ACS; IAS on the other hand can work well for all the solutions (except the RADIUS client limitation, and I'm sure MS can provide a workaround).

    The following link can help you with sales information on ACS:

    http://wwwIn-nmbu.Cisco.com/thevault/files/1027/5/ACS4.1-Sales-guide%20April%204%202007.htm

  • Cisco Secure ACS 4.2 on VMware ESX 4.0.

    We must move a virtual machine running Cisco Secure ACS for Windows version 4.2 from ESX 3.5 to ESX 4.0.

    Is this solution compatible and supported by Cisco?

    Thank you.

    Andrea

    ACS for Windows 4.2 is not supported by Cisco when installed on VMware ESX 4.0, according to the following documentation:

    http://Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/device/guide/sdt42.html#wp37898

    Only ACS 5.1 is supported on ESX 4.0:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_vmware.html

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine v3.3 and I can access it via HTTP on port 2002, but I can't ping it from anywhere on the network, while the server can ping everything. Is this normal?

    2. If I can't ping it, how can I define the keepalive service to load balance 2 ACS engines using CSS?

    By the way, I forgot that the ACS 3.3 appliance has CSA integrated. This agent is enabled by default, which explains why you can't ping it.

    To enable/disable it, go to "System Configuration - Appliance Configuration" and toggle the "CSA Enabled" checkbox as needed.

    http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

    Rgds,

    AK

  • Cisco Secure ACS 5.3 SNMP agent stops

    Hello

    I have problems with the SNMP agent on Cisco Secure ACS 5.3 (patch level 5) stopping. Is there a quick way to restart the SNMP daemon via the command line?

    Robert,

    I understand where you are coming from; I encountered the following bug:

    CSCte39351

    The SNMP agent daemon process on the ACS appliance stops.

    A reboot of the box would bring it back up, and after about 3 days it would stop again. I just want to see if it's the same bug that could be back in patch 5. The best thing to do at this stage is to plan a quick downtime and restart the box to see if the SNMP process starts again. If it does, then give it a week to see if SNMP falls down again. If it does, then reference this bug and open a new TAC case for a fix. If not, then you should be in the clear.

    Thank you

    Tarik Admani

  • Cisco Secure ACS 5.1 and strong authentication ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication of this in the "System Administration > Administrators > Settings > Authentication" panel.

    (I'm under Server Secure ACS 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for administrator accounts is the internal DB of ACS.

    I hope this helps.

    ARO
    Tiago

  • Cisco Secure ACS appliance - impossible to edit... Reason: The host no longer exists.

    Hi team,

    I have 2 devices which I am not able to remove from a network device group.

    When I try to remove the device, the following error is thrown:

    Impossible to edit INMUM-VPE-T1-3rdFloor-3750-S...  Reason: The host no longer exists.

    Running on Version: Cisco Secure ACS 4.2.0.124

    Has anyone come across these issues? Does someone know the solution?

    Regards

    Vineeth

    Hi Vineeth

    Yes, you can do it through the GUI.

    In the GUI:

    1. ACS GUI > Network Configuration > click on 'Search', then click 'Search' again.

    2. You get the complete list of all network devices. At the top, you will see a "Download" option.

    Download the complete file.

    Let me know if it helps.

    Thank you

    Nelson Saha

  • How does ACS communicate with a domain controller when there are several domain controllers?

    Dear Sir

    Our company has 4 ACS, version 5.3: one primary and three secondary.

    They are in a different domain controller's site, and I do not know which domain controller they communicate with. How can I check this, and how do I configure ACS 5.3 to communicate with a dedicated domain controller?

    Thank you

    Michael

    Michael,

    Can you try this and see how it goes:

    You can run the following command in the ACS CLI to enter ACS
    configuration mode:

    ACS/admin# acs-config

    Escape character is CNTL/D.
    Username:
    Password:

    ACS/acsadmin(config-acs)# dns.dc ad-agent-configuration. .com distribution

    You may see a problem with the format of the command; I have not personally tested it lately on ACS 5.3.

    Note: using this will force the ACS to authenticate using only this specific DC. If that domain controller
    becomes inaccessible, you must run this command again to point the ACS to a different domain controller.

    In addition, this would require a restart of the services.

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    Open the TAC case if you are not comfortable running the above command.

    -Jousset

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles


    Hello

    I'm deploying an ACS connected to an RSA Authentication Manager (which is connected to an Active Directory domain).

    I created several groups in the Active Directory server, and I am trying to give users different access rights according to their groups.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule-2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: deny

    In the identity policy, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still get access denied: RSA authentication is successful, but the Active Directory group membership does not work, even with the unix attributes or the primary group defined for the user.

    My question: is this a valid configuration scenario? Is there another way to define several profiles according to the group of the users from the external source?

    The stages of monitoring:

    Measures

    Request for access received RADIUS 11001

    11017 RADIUS creates a new session

    Assess Service selection strategy

    15004 Matched rule

    Access to Selected 15012 - NetOp/NetAdm service policy

    Evaluate the politics of identity

    15004 Matched rule

    15013 selected identity Store - server RSA

    24500 Authenticating user on the server's RSA SecurID.

    24501 a session is established with the server's RSA SecurID.

    24506 check successful operation code

    24505 user authentication succeeded.

    24553 user record has been cached

    24502 with RSA SecurID Server session is closed

    Authentication 22037 spent

    22023 proceed to the recovery of the attribute

    24628 user cache not enabled in the configuration of the RADIUS identity token store.

    Identity sequence 22016 completed an iteration of the IDStores

    Evaluate the strategy of group mapping

    15006 set default mapping rule

    Authorization of emergency policy assessment

    15042 no rule has been balanced

    Evaluation of authorization policy

    15006 set default mapping rule

    15016 selected the authorization - DenyAccess profile

    15039 selected authorization profile is DenyAccess

    11003 returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is to create an identity sequence with RSA as the selection in the
    Authentication and Attribute Retrieval Search List and AD in the Additional Attribute Retrieval Search List. Then select this sequence as the result of the identity policy for the service.
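    To show why the two AD1:ExternalGroups rules in this thread fall through to DenyAccess unless AD is in the additional attribute retrieval list, here is a small model of the identity sequence and first-match authorization evaluation. It is an added illustration, not ACS code; the store contents and the rule tuples are constructed from the thread.

```python
# Added illustration (not ACS code): how an identity sequence feeds attributes
# into first-match authorization rules. All store data below is constructed.
from dataclasses import dataclass, field

# What each identity store returns for the user (constructed sample data):
# the SecurID store can only authenticate, the AD store only supplies groups.
STORES = {
    "RSA": {"authenticates": True, "attributes": {}},
    "AD1": {"authenticates": False,
            "attributes": {"AD1:ExternalGroups": ["INTRA/groups/NETOP"]}},
}

@dataclass
class IdentitySequence:
    auth_list: list                                        # "Authentication and Attribute Retrieval Search List"
    extra_attr_list: list = field(default_factory=list)    # "Additional Attribute Retrieval Search List"

def run_identity_sequence(seq, stores):
    """Return (authenticated, attributes): the first store in auth_list that
    authenticates wins; every store in extra_attr_list then adds attributes."""
    attrs = {}
    for name in seq.auth_list:
        store = stores[name]
        if store["authenticates"]:
            attrs.update(store["attributes"])
            break
    else:
        return False, attrs          # no store authenticated the user
    for name in seq.extra_attr_list:
        attrs.update(stores[name]["attributes"])
    return True, attrs

# The thread's authorization rules: (name, attribute, required groups, profile).
RULES = [
    ("Rule-1", "AD1:ExternalGroups", ["INTRA/groups/NETOP"], "Auth for net operators"),
    ("Rule-2", "AD1:ExternalGroups", ["INTRA/groups/NETADM"], "Auth net admin"),
]

def authorize(attrs, rules=RULES, default="DenyAccess"):
    """First matching rule wins. 'contains all' requires every listed group
    to be present; an attribute that was never retrieved can never match,
    so the Default rule (DenyAccess) is selected, as in the thread's log."""
    for name, attr, required, profile in rules:
        groups = attrs.get(attr, [])
        if all(g in groups for g in required):
            return name, profile
    return "Default", default

def evaluate(seq, stores=STORES):
    """Run the whole flow and return (matched rule, authorization profile)."""
    ok, attrs = run_identity_sequence(seq, stores)
    if not ok:
        return "AuthFailed", "DenyAccess"
    return authorize(attrs)

if __name__ == "__main__":
    print(evaluate(IdentitySequence(["RSA"])))           # the thread's config: denied
    print(evaluate(IdentitySequence(["RSA"], ["AD1"])))  # with AD attribute retrieval: Rule-1
```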

  • Cisco Secure ACS Solution engine v3.2

    The ACS Solution Engine appliance comes by default with two network adapters. Can I configure it so one NIC is on VLAN 30 and the other NIC on VLAN 50?

    VLAN 30 - will be the network that communicates with or provides credentials for authentication via the ACS Remote Agent for Windows.

    VLAN 50 - will be for authentication of network devices, RADIUS or TACACS+.

    This is not possible, as only a single network adapter is used for both. (Look for the rear panel items.)

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1046176

    Kind regards

    Mahmoud

  • Cisco Secure ACS 3.3(1) -> 4.0(1) upgrade problems

    Hi all!

    I have problems upgrading my primary ACS from version 3.3 to 4.0.

    I always get the following error message when it does the upgrade:

    "The CiscoSecure ACS folder seems to be locked by another application: C:\Program Files\CiscoSecure ACS v3.3.

    Please close all applications... blabla... »

    The thing is, I upgraded my backup ACS first, and that upgrade worked like a charm.

    In both cases, for the primary and the backup, I took over with DameWare remote, copied the ACS 4 folder to the server's hard disk and ran the upgrade from that folder.

    As I said, the upgrade of the backup server worked without a hitch.

    This is what I tried:

    1. I checked that NO application uses the ACS 3.3 folder and no Explorer window is open on this folder or its subfolders.

    I checked using a small program called Filemon.exe from Sysinternals. According to this program, nothing accessed said folder.

    I also double-checked by actually renaming the ACS 3.3 folder once I had stopped all the ACS services. I could not rename the folder while the services were started.

    2. I tried to stop the ACS services first and then run the setup; got the same error.

    3. I disabled the antivirus software; got the same error.

    Basically I am at my wits' end now...

    However, I have two options:

    1. Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data from the backup ACS.

    Wouldn't that bring up the backup's configuration on the primary ACS? So I think I would need to go over it later and make changes if necessary?

    2. Make a backup of the ACS 3.3 with csutil -b.

    Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data with csutil -r.

    Would this work? I've seen conflicting information here in this forum; some say that it works, others say it doesn't.

    I'm a little confused why it worked so well on the backup ACS but fails on the primary ACS.

    Any help would be greatly appreciated!

    Thank you!

    Ivar Thorolfsson

    Hello

    The folder lock message often appears if the logs located in the ACS directory are too big.

    Move the logs out of the following directories:

    CSAdmin\Logs

    CSAuth\Logs

    CSDBSync\Logs

    CSLog\Logs

    CSMon\Logs

    CSRadius\Logs

    CSTacacs\Logs

    Logs

    Then try to upgrade.

    Kind regards

    Vivek

  • AD DISCONNECTED in Cisco Secure ACS

    We have ACS

    5-3-0-40-8

    Active Directory connectivity is showing as disconnected.

    We faced the same problem when it was 5.x, so we went to

    5-3-0-40-8

    Now, after 2.5 months, we have faced this problem again. Is there any permanent solution for this?

    Restarting the service got stuck, and we rebooted the server to fix it.

    Please help on this as soon as possible.

    Thanks & best regards,

    Sakthivel M

    You are running one of the more stable code and patch levels of ACS if we are talking about ACS - AD. I don't think it should be a problem with the ACS. Something is not configured correctly; most likely a DNS or NTP problem.

    In order to dig deeper and find out what the causes might be, you will need to provide some information and logs when it happens again.

    1.] Is ACS currently running on the appliance or on VMware?

    2.] When you say it is in the disconnected state, do you see authentications failing as well, or does it just show disconnected status? In case of failure, what is the error we get in the ACS logging section? In addition, does Test Connection come back positive?

    3.] What is the status of the ad-client service on the CLI (can be verified with "show application status acs") when you say it's disconnected?

    4.] In addition, when you try to join again while it is disconnected, do you see an error? Can you share it?

    5.] Most importantly, debug-level logs would tell us the real story. Before you reproduce the problem, we must set the logs to debug level. (If this cannot be reproduced, then wait for the issue to reproduce.)

    Go to the ACS CLI:

    ACS/admin# acs-config

    Escape character is CNTL/D.

    Username: acsadmin

    Password: XXXXXXXX

    ACS/admin(config-acs)#

    Set the ACS logs to the desired debug level.

    ACS/admin(config-acs)# debug level to debug-log duration

    ACS/admin(config-acs)# enable debug-adclient

    NOTE: once you have finished, set the logs back.

    Generate the support bundle and upload it here. Mention the timestamp when the issue was reproduced; it will help me track down the relevant logs.

    Jatin kone
    -Do rate helpful posts-

  • Cisco Secure ACS 4.1 - blocking attempts to authenticate to a specific host

    We use the RADIUS application of ACS 4.1 both for wireless 802.1X and for our old PIX 515E authentication, as well as a few other features.

    We are trying to migrate users off the PIX and want a method of disabling their ability to connect through the PIX once we have migrated them to the new remote access method.

    Authentications in the ACS logs show the IP address of our PIX under "NAS-IP-Address" as the source of the authentication attempt.

    Is there a relatively simple/easy way to block attempts from this IP address (so that these attempts fail) while allowing wireless and other systems to proceed as usual, on a per-user basis?

    Brian:

    If I have understood correctly, you must allow users to connect to the wifi but prevent users from connecting via the PIX.

    What you can do is create a Network Access Restriction (NAR) under the Group configuration (or under User configuration if per user).

    See this image:

    If you don't see the Network Access Restrictions config under the user and/or group config, you can activate it under Interface Configuration -> Advanced Options.

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • ACS 4.2 RSA Authentication and LDAP group mapping

    Hello

    I have a Palo Alto firewall with the GlobalProtect (SSL VPN) feature enabled.

    I use Cisco Secure ACS as a proxy for the RSA SecurID authentication.

    After authentication, it tries to map AD groups through an LDAP query.

    The issue I've found is that the user I get from user authentication has no domain:

    show user ip-user-mapping all | match mbm60380

    10.240.1.24 vsys1 UIA 2388 2388 domain\mbm60380

    10.240.1.1 vsys1 UIA 2101 2101 domain\mbm60380

    10.240.250.1 mbm60380 2590859 2590859 vsys2 GP

    But the list of users that I receive from the LDAP query includes the domain prefix:

    show user group name domain\group1

    short name: domain\group1

    [1] domain\aag60368

    [2] domain\ced61081

    [3] domain\jas61669

    [4] domain\mbm60380

    [5] domain\pmc61693

    [6] domain\vcm60984

    I would like to create the user with the domain on ACS, but it must strip the domain before querying the RSA server, as that does not support domain stripping.

    I tried to fix this on the Palo Alto firewall without success.

    I'm trying to do it by changing Cisco Secure ACS 4.2, but that did not work either:

    RSA servers are configured as an external database.  They are not defined in the network device groups.

    Can I set up domain stripping for queries to the RSA servers?

    Thank you

    Hello

    I think it should work, but it is a bit awkward:

    Create an entry in the Proxy Distribution Table in Network Configuration:

    DOMAIN\\USER*

    Prefix

    Strip, before forwarding back to the AAA server, and from there authenticate to the RSA server without the domain prefix.

    Make sense?

    Make sense?

    Thank you

    Chris
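    The prefix stripping that the reply suggests, written out as a small model of an ACS 4.x Proxy Distribution Table, as an added example that is not ACS or Palo Alto code. The entry fields (match string, prefix/suffix position, strip flag, forward target), the case-insensitive first-match semantics, and the usernames are assumptions constructed from this thread; the suffix entry generalizes to the user@realm form.

```python
# Added illustration (not ACS code) of Proxy Distribution Table style
# realm stripping: which entry a username matches, what the downstream
# server receives, and whether a group list in domain\user form still
# matches the stripped name. Table and names are constructed for this thread.
from dataclasses import dataclass

@dataclass
class PdtEntry:
    char_string: str   # literal text to look for, e.g. 'DOMAIN\\'
    position: str      # 'prefix' or 'suffix'
    strip: bool        # remove the matched text before forwarding?
    forward_to: str    # external database / AAA server that gets the request

# Constructed table mirroring the reply above (a suffix entry is added as a
# generalization); an empty match falls through to the default target.
TABLE = [
    PdtEntry("DOMAIN\\", "prefix", True, "RSA"),
    PdtEntry("@corp.example", "suffix", True, "RSA"),
]
DEFAULT_TARGET = "LOCAL"

def distribute(username, table=TABLE):
    """Return (username as forwarded, target). First matching entry wins;
    matching is assumed case-insensitive; no match -> default, unchanged."""
    low = username.lower()
    for e in table:
        s = e.char_string.lower()
        if e.position == "prefix" and low.startswith(s):
            fwd = username[len(s):] if e.strip else username
            return fwd, e.forward_to
        if e.position == "suffix" and low.endswith(s):
            fwd = username[:-len(s)] if e.strip else username
            return fwd, e.forward_to
    return username, DEFAULT_TARGET

def bare_name(name):
    """Drop a 'domain\\' prefix or '@realm' suffix from an LDAP/firewall name."""
    name = name.split("\\", 1)[-1]
    return name.split("@", 1)[0].lower()

def in_group(username_as_received, members):
    """Does the user (after stripping) belong to a group whose member list,
    like the firewall's LDAP output above, carries the domain prefix?"""
    fwd, _ = distribute(username_as_received)
    return bare_name(fwd) in {bare_name(m) for m in members}

# Constructed sample group, in the same shape as the thread's LDAP output.
GROUP1 = ["domain\\aag60368", "domain\\ced61081", "domain\\mbm60380"]

if __name__ == "__main__":
    print(distribute("DOMAIN\\mbm60380"))   # ('mbm60380', 'RSA')
    print(distribute("mbm60380"))           # ('mbm60380', 'LOCAL')
    print(in_group("DOMAIN\\mbm60380", GROUP1))  # True
```

With the strip flag set to False the RSA server would receive "DOMAIN\mbm60380", which is exactly the form the thread says it cannot authenticate.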
