CS ACS Solution engine with external AD database

I have a client who has set up a Cisco Secure ACS Solution Engine (appliance). They currently have VPN tunnels that terminate on the ASA, and the ACS provides authentication via an external database to AD. I did the installation or configuration of the device and I am new to ACS. There is a group in AD that was created to allow access to the VPN, and it works. I created a second group in AD and a test user. The user account will not authenticate correctly when establishing a VPN session. I checked the ACS agent logs on the AD domain controller; they show that the user authenticates correctly, and it seems that the agent is not passing this information to the ACS, or the ACS is ignoring it. On the ACS, the generated error is "External DB account Restriction". I cannot find anything specific on this topic. I verified that the AD account works and can log on to a workstation. I checked the account properties for the test account. I think it is related to group membership. I have a group in ACS named exactly the same as the AD group, and the test account is a member of this group. I do not know where to start; any help would be appreciated.

You must map this group.

External User Databases > Database Group Mappings > Windows Database section

Naming an ACS group exactly the same as the Windows AD group establishes no relationship between them.

I guess that all your other combinations in the group mapping are mapped to a single group, or to a group that is disabled.

Please ensure the correct group mapping on ACS for the new group you created in AD.

To point you in the right direction: the problem seems to reside in group mapping.

Kind regards

Prem

Tags: Cisco Security

Similar Questions

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine v3.3 and I can access it via HTTP on port 2002, but I can't ping it from anywhere in the network, while the server can ping everything. Is this normal?

    2. If I can't ping it, how can I define the keepalive service to load-balance two ACS engines using CSS?

    By the way, I forgot that the ACS 3.3 appliance has CSA integrated. This agent is enabled by default, which explains why you can't ping it.

    To enable/disable it, go to "System Configuration > Appliance Configuration" and toggle the "CSA enabled" checkbox as needed.

    http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

    Rgds,

    AK

  • Is it possible to authenticate against 2 or more Active Directory domains via ACS Solution Engine v4.2?

    Hello

    Is it possible to authenticate ACS Solution Engine v4.2 against 2 or more Active Directory domains by using the generic LDAP configuration? One scenario would be geographic distribution, where one area would be the USA and the other would be another country, say Canada (e.g. US.corp and CA.corp).

    Thank you

    James

    Hi James,

    It is possible to configure multiple LDAP authentication servers, one for each area. I can tell you from experience that it is much more efficient, from a configuration, administration and end-user viewpoint, to use AD as the external Microsoft database if your installation is actually all in the same namespace, for example amer.CompanyName.com and canada.companyname.com.

    To configure multiple LDAP databases, go to External User Databases > Generic LDAP > create one called AMER, then do the same for CANADA.

    Regards, Jeremy

  • Cisco Secure ACS Solution Engine v3.2

    The ACS Solution Engine appliance by default comes with two network adapters. Can I configure it so that one NIC is on VLAN 30 and the other NIC is on VLAN 50?

    VLAN 30 would be the network that communicates with, or provides credentials for authentication to, the ACS Remote Agent for Windows.

    VLAN 50 would be for authentication of network devices, RADIUS or TACACS+.

    This is not possible, as a single network adapter handles both. (See the rear-panel items.)

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1046176

    Kind regards

    Mahmoud

  • Cisco ACS with external DB - EAP - TLS

    Hi guys,

    I understand how the EAP-TLS exchange works (I think), but if I have a client (wired or wireless) that uses EAP-TLS with an ACS, I want to confirm the following.

    Let's say both user and computer certificates are used:

    1. The client and the ACS check each other's certificates to ensure they are known to each other. The EAP-TLS exchange.

    2A. At what point, and I'm assuming it is before the EAP-TLS success message is sent to the client, does the ACS check whether the user name or computer name is in the AD database?

    2B. What is the parameter that is checked in the AD database?

    I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

    Client certificates

    Client certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. A positive identification is made in one of three ways:

    CN (or name) comparison: compares the CN in the certificate with the user name in the database. More information on this type of comparison is included in the description of the Subject field of the certificate.

    SAN comparison: compares the SAN in the certificate with the user name in the database. It is only supported from ACS 3.2. More information on this type of comparison is included in the description of the Subject Alternative Name field of the certificate.

    Binary comparison: compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP support this). If you use binary certificate comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".

    3. Given the above, if options 1 or 2 are used (CN or SAN comparison), I guess it is just a check between a value the ACS takes out of the cert and checks against AD, is that correct? With option 3, does the ACS perform a complete comparison of the certificate between what the client sends and a "stored client cert" in the AD DB?

    Please, can someone help me with these points?

    I'm so lost in this kind of thing :)) I think.

    Thanks a lot and best regards,

    Ken

    Only the TLS *handshake* is complete/successful, but then the user authentication fails:

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 client SSL read Exchange of keys A

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 read Certificate SSL check

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: SSL = SSLv3 read state completed A

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 write change cipher spec A SSL

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: SSL = SSLv3 write finished State has

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 data embedded SSL

    CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State SSL = SSL handshake completed successfully

    EAP: EAP - TLS: handshake succeeded

    EAP: EAP - TLS: authenticated handshake

    EAP: EAP - TLS: CN using the certificate as an authentication identity

    EAP: State EAP: action = authenticate, username = 'Jousset', the user identity is "jousset.

    pvAuthenticateUser: authenticate "jousset" against CSDB

    pvCopySession: assignment session group ID 0.

    pvCheckUnknownUserPolicy: Group of session ID is 0, the call pvAuthenticateUser.

    pvAuthenticateUser: authenticate "jousset' against the Windows database

    External DB [NTAuthenDLL.dll]: Cache of Creating Domain

    External DB [NTAuthenDLL.dll]: Domain for loading Cache

    External DB [NTAuthenDLL.dll]: no UPN Suffixes found

    External DB [NTAuthenDLL.dll]: could not get the domain controller for dwacs.com trust, [error = 1355]

    External DB [NTAuthenDLL.dll]: could not get the domain controller for enigma.com trust, [error = 1355]

    External DB [NTAuthenDLL.dll]: could not get the domain controller for acsteam.com trust, [error = 1355]

    External DB [NTAuthenDLL.dll]: could not get the domain controller for vikram.com trust, [error = 1355]

    External DB [NTAuthenDLL.dll]: domain loaded cache

    External DB [NTAuthenDLL.dll]: could not find the user jousset [0 x 00005012]

    External DB [NTAuthenDLL.dll]: user Jousset is not found

    pvCheckUnknownUserPolicy: assignment session group ID 0.

    Unknown user "jousset" was not authenticated

    An EAP-Failure (RADIUS Access-Reject) is sent, not an EAP-Success (RADIUS Access-Accept).

    And no matter what, the port will not be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.

    HTH

    Kind regards

    Prem
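To make the three identification modes from the quoted documentation concrete, here is an added Go example (not from this thread or from Cisco): CompareCN, CompareSAN and CompareBinary apply the CN, SAN and binary checks against a constructed directory record standing in for the AD entry, and the tail of Prem's log (identity taken from the certificate, then "user not found") corresponds to CompareCN failing for an unknown user. Assumptions: the DirUser and Directory types, the self-signed test certificate, and the SAN identity being carried as an rfc822Name rather than the UPN otherName ACS normally reads.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// DirUser is a constructed stand-in for the AD record that ACS consults.
type DirUser struct {
	SAMAccountName  string
	UPN             string
	UserCertificate []byte // DER bytes of the LDAP "userCertificate" attribute
}

// Directory stands in for the external AD database, keyed by lower-case sAMAccountName.
type Directory map[string]DirUser

// CompareCN: the certificate subject CN is looked up as the user name.
func CompareCN(dir Directory, cert *x509.Certificate) (DirUser, error) {
	if u, ok := dir[strings.ToLower(cert.Subject.CommonName)]; ok {
		return u, nil
	}
	return DirUser{}, errors.New("user not found")
}

// CompareSAN: a SAN entry must equal the user's UPN (assumed here to be an rfc822Name; ACS with AD normally reads the UPN otherName).
func CompareSAN(dir Directory, cert *x509.Certificate) (DirUser, error) {
	for _, san := range cert.EmailAddresses {
		for _, u := range dir {
			if strings.EqualFold(u.UPN, san) {
				return u, nil
			}
		}
	}
	return DirUser{}, errors.New("user not found")
}

// CompareBinary: the presented DER must match a stored userCertificate byte for byte, so a re-issued certificate fails.
func CompareBinary(dir Directory, cert *x509.Certificate) (DirUser, error) {
	for _, u := range dir {
		if bytes.Equal(u.UserCertificate, cert.Raw) {
			return u, nil
		}
	}
	return DirUser{}, errors.New("no user with a matching userCertificate")
}

// NewClientCert mints a self-signed test certificate (constructed input only).
func NewClientCert(cn, email string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	stored := NewClientCert("jsmith", "jsmith@example.com")
	dir := Directory{"jsmith": {"jsmith", "jsmith@example.com", stored.Raw}}
	reissued := NewClientCert("jsmith", "jsmith@example.com") // same CN, new key pair
	_, cnErr := CompareCN(dir, reissued)
	_, binErr := CompareBinary(dir, reissued)
	fmt.Println("re-issued cert: CN compare err =", cnErr, "| binary compare err =", binErr)
}
```

The re-issued certificate passes the CN check but fails the binary check, which is the practical difference between the modes: binary comparison pins the exact certificate stored in AD, CN and SAN comparison only pin the name.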

  • Replication of ACS and integration with the Active Directory database

    Hi all

    I have to configure two ACS SEs with internal database replication. I also have an Active Directory server that must integrate with ACS. My doubt is whether I need to configure the IP addresses of both ACSs during installation of the remote agent on Active Directory, or only the primary ACS.

    No need to give the IPs of both ACSs. Give the IP of the primary ACS.

    Kind regards

    ~ JG

    Please rate helpful posts.

  • Cisco ACS 4.1 with external AD for authentication

    Hello

    We have just configured a Cisco ACS 4.1 Solution Engine, using a Windows 2003 domain controller as the remote agent. We use TACACS+ as the protocol.

    Users that are created in ACS itself are able to connect to various network devices, but users in the domain (Active Directory) cannot connect. We get an access denied message; at the same time we get an "external DB is not operational" message in ACS.

    On the Active Directory server where the agent runs, in the CSWinAgent log we get the following error: 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

    Could you please help us isolate the problem?

    Thank you & best regards

    Make sure that the version of ACS and of the remote agent software is the same. Also, the account the remote agent runs under must have special domain administrator rights, like "Act as part of the operating system" and "Log on as a service".

    Kind regards

    ~ JG

  • Operability issue with ACS 5.0 as RADIUS with ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging at the ASA level for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know if there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a defect in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    In the ASDM logs you'll see that the RADIUS server is not accessible.
    Debugs show RADIUS timeouts.
    This works with TACACS+.

    The access policy rule does not get hit. Also, RADIUS could not be used, as this hits CSCsy17858:

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; use TACACS+ instead of RADIUS.

    If you want to use RADIUS then you need to upgrade your ACS version to 5.1.

    You can download patch 9 (5-0-0-21-9.tar.gpg) and the ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Please rate helpful posts.

  • ACS 5.3 cannot work with two service selection policy rules

    Hello, my name is Ivan.

    I have a question about ACS v5.3 appliance.

    I have an ACS v5.3 to authenticate wireless users, together with a Cisco WLC. One profile is for corporate users and the second profile is for guests.

    Corporate users must authenticate with Active Directory, and guests with the WLC. Guest users authenticate with the local database of ACS.

    I have set up two service selection policy rules that match on the RADIUS protocol. The first rule is for Active Directory users and the second is for users in the local ACS database.

    When I try to authenticate users with Active Directory it is OK, but when trying to authenticate users with the local database (guest portal), ACS tries to find the internal user in Active Directory, because the request matches the first rule, and the second profile cannot authenticate.

    When I change the order, first the rule for internal users and second the rule for Active Directory users, internal users can authenticate in ACS, but Active Directory users cannot authenticate.

    I think that my ACS authenticates only the first RADIUS rule to Active Directory, not two RADIUS rules at the same time. Or maybe there is a problem in the OS of the ACS.

    Each authentication separately is OK.

    Please, could you help me resolve this problem?

    I enclose my two rules.

    Regards

    Hello Ivan,

    To solve your problem, you must configure your ACS so that the first service selection policy (Active Directory) matches only corporate users, and the other service selection policy (internal users) does not match them.

    The second service selection policy must be only for guest users.

    If you use Cisco WLCs, it will be easier for you.

    Why?

    Because you can use the 'End Station Filter' to match the SSID more easily.

    In the service selection policy, you build your match on the End Station Filter (add it via the Customize button).

    Now you must create two end station filters: one matches the guest SSID and one matches the corporate SSID. (I'll tell you how to create them later.)

    After you create the end station filters and match the service selection policy on the End Station Filter condition, you have one service selection policy that matches only the corporate SSID and another SSP that matches the guest SSID.

    Now you can select different identity sources for the two SSPs.

    Now for the end station filter:

    The end station filter is used (in our case) to distinguish the SSID.
    If I want to separate requests from different SSIDs, I use the end station filter to match which SSID is in use.
    To create an end station filter for your SSID, follow the following image:

    At point number 4, write an asterisk (*) wildcard followed by your SSID (case-sensitive), without spaces. Be sure to avoid spaces before or after.

    (I assume you are using a Cisco WLC. If not, the idea cannot be applied the way I described above.)

    So far we're OK, except for one point. By default the guest SSID is not sent by the Cisco WLC to the RADIUS server when the client tries to connect to it, while the 802.1X SSID is.

    To tell the WLC to send the guest SSID, you must add this command on the WLC:

    config radius callstationidtype ap-macaddr-ssid

    I hope I described it correctly. Let me know if you got it or if you need more explanation.

    Regards,

    Amjad

    Rating useful answers is more useful than saying "thank you".
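As an added example (not from this thread or from Cisco), the Go snippet below models the first-match evaluation Ivan is running into and the End Station Filter match Amjad proposes, including the case where the WLC does not append the SSID to Called-Station-Id. Assumptions: the Rule and Request types, the store names AD1 and Internal Users, the SSIDs, and a fallback to DenyAccess standing in for the policy's default rule.

```go
package main

import (
	"fmt"
	"strings"
)

// Request holds the RADIUS attributes the policy inspects (constructed sample).
type Request struct {
	Protocol        string // "RADIUS" or "TACACS+"
	CalledStationID string // WLC sends "<ap-mac>:<ssid>" only with callstationidtype ap-macaddr-ssid
}

// Rule is one service selection rule: protocol, an optional End Station Filter
// pattern on Called-Station-Id (leading "*" wildcard), and the identity store.
type Rule struct {
	Name          string
	Protocol      string
	EndStation    string // "" means no End Station Filter condition
	IdentityStore string
}

// MatchEndStation mirrors the filter value Amjad describes: "*SSID" matches any
// Called-Station-Id ending in SSID, compared case-sensitively with no trimming.
func MatchEndStation(pattern, calledStationID string) bool {
	if strings.HasPrefix(pattern, "*") {
		return strings.HasSuffix(calledStationID, pattern[1:])
	}
	return pattern == calledStationID
}

// Select evaluates rules top-down; the first match wins, and no match falls
// through to DenyAccess (stand-in for the policy's default rule).
func Select(rules []Rule, req Request) string {
	for _, r := range rules {
		if r.Protocol != req.Protocol {
			continue
		}
		if r.EndStation != "" && !MatchEndStation(r.EndStation, req.CalledStationID) {
			continue
		}
		return r.IdentityStore
	}
	return "DenyAccess"
}

// Ivan's original rules: both match only on protocol, so rule 1 takes every RADIUS request.
var protocolOnly = []Rule{
	{"Corp users", "RADIUS", "", "AD1"},
	{"Guest users", "RADIUS", "", "Internal Users"},
}

// Amjad's fix: each rule additionally matches its own SSID through an End Station Filter.
var perSSID = []Rule{
	{"Corp users", "RADIUS", "*CorpWiFi", "AD1"},
	{"Guest users", "RADIUS", "*GuestWiFi", "Internal Users"},
}

func main() {
	corp := Request{"RADIUS", "00-11-22-33-44-55:CorpWiFi"}
	guest := Request{"RADIUS", "00-11-22-33-44-55:GuestWiFi"}
	noSSID := Request{"RADIUS", "00-11-22-33-44-55"} // WLC without ap-macaddr-ssid
	fmt.Println("protocol-only, guest ->", Select(protocolOnly, guest))
	fmt.Println("per-SSID, corp ->", Select(perSSID, corp))
	fmt.Println("per-SSID, guest ->", Select(perSSID, guest))
	fmt.Println("per-SSID, no SSID sent ->", Select(perSSID, noSSID))
}
```

The last case is the trap Amjad warns about: with the SSID conditions in place but the WLC not sending the SSID, guest requests match no rule at all instead of landing in the wrong store.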
