ACS authentication with ACS Agent in another (trusted) domain

Hello

I have two domains. Domain A is the top-level domain. B is the child domain of domain A.

The ACS Agents are installed on two domain controllers in domain A.

Authentication of clients in domain A is ok.

Authentication of clients in domain B is a problem.

I created a universal group in the domain. In this universal group, I put a global group of users from domain B. Authentication is not OK.

The ACS "Journal of authentication failed" says: "external DB account Restriction".

What is the problem here?

Gr.

Remco

Check that users are not mapped to a disabled group. Do not map several Windows groups to ACS groups. The following link can help you:

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/QG.html

Tags: Cisco Security

Similar Questions

  • ACS remote agent - can I install it on Windows Server 2003 64-bit?

    I have set up ACS 4.2 for a customer to authenticate the wireless client. ACS has to communicate with AD (Windows 2003, Enterprise Edition, 64-bit). Can I install the remote agent (ACS 4.2) so that ACS can contact the AD to do this?

    Please help me.

    Currently we do not support 64 bit OS.

    Kind regards

    ~ JG

    Note the useful messages

  • How to move an exchange server to another server on a different domain (trusted domains)

    Here is my scenario,

    I have two domains in Windows Server 2003. I'll call them X and Y. They are configured as trusted domains.

    I have an Exchange 2003 server that is currently installed in domain X. I want to reduce domain X, but all emails for users in domain X have been created on the domain X Exchange 2003 server... I'm not an experienced Exchange integrator, but I have been administering the server for some time and I am very familiar with Microsoft platforms.

    Can I just move the server from one domain to another?

    I have to install a new exchange server and then migrate the mailboxes? (how to do that?)

    I do not know how...

    Your help will be appreciated!

    Kind regards.

    Hello

    Your question on Exchange servers is better suited to the experts in the TechNet forums. Please repost your question at the link below.

    Thanks, hope this helps.

    http://social.technet.Microsoft.com/forums/en-us/categories

  • Remote agent ACS could not start

    Hello

    I installed the ACS remote agent for Windows from the ACS 4.1 Update CD (the migration CD was not found). I followed the installation and configuration guide for the remote agent. In the Services window I assigned the service user created in AD on the Log On tab and I stopped the process. When I try to start it, a warning message is displayed that explains the process carried out and stopped. How can I solve this problem? Is the software on the upgrade CD not the right one?

    Seems to be a permission problem. Make sure that the account running this remote agent service is part of the domain administrators group. If it is already using a domain administrator account, then use the local account. It should work.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/Rawi.html#wp300510

    Let me know how it goes

    Kind regards

    ~ JG

  • Issue with a trusted domain

    Hi guys,

    I'm stuck here and I don't know how to do this... Please help!

    So far I have configured the main domain + 5 external domains: all domains have a 2-way external trust relationship with the main domain, and everything works.

    I am trying to set up another domain: the 2-way trust is in place and active, the domain has been added to Composer, and everything seems to be fine, because the domain in the dashboard has a nice green square on the side and says "this domain has a two-way trust relationship with the domain of servers connection." and "State of the field is Normal. No problems found."

    So... why, if I try to add a right to a floating pool, are all domains listed except this one?

    I checked on all the Connection Servers I use with 'vdmadmin -N -domains -list -active' and the domain is correctly listed...

    Thanks to anyone who can point me to the right direction!

    Sara

    I forgot that we are under Windows... a reboot of all my Connection Servers fixed everything

    I hope that helps!

  • How can I add Desktop-pools in trusted domains?

    Hello

    (and Hello to all, this is my first post!)

    We have View 5.2 and vCenter Server 5.5.

    There are three domains with a trust relationship. We installed View and vCenter.

    All I want is to create desktop pools and deploy them in the trusted domains.

    When I create a new pool, I am not able to browse the other domains to select other OUs.

    Where I'm wrong? How to prepare other domains? I have not found a doc describing this...

    Thanks for any advice.

    Patrick

    Hello

    I found it in the German document at http://pubs.vmware.com/view-52/topic/com.vmware.ICbase/PDF/horizon-view-52-administration.pdf

    1. Log in to View Administrator.
    2. Go to "View Configuration" -> first tab, "vCenter Server".
    3. You will find at least one record for the vCenter Server.
    4. Click on 'change'.
    5. Go to "View Composer Server Settings".
    6. In the following pop-up window, you will find 'Domains'.
    7. Click on 'Add' and enter a domain administrator account.

    I hope this helps somebody

  • Flash AS2 cross-domain issue: accessing a SWF from another server domain

    I have a cross-domain question: how do I access a .swf from another swf file without using System.security.allowDomain() in the swf file that is being called?

    I use 2 domains and I have 2 swf files: one is on a.com (a.swf) and the other is on b.com (b.swf). I want to access the frames of b.swf from a.swf. If I use System.security.allowDomain() in the b.swf file I can access the frames. But without using this way I can access the file from another domain.

    Because it is risky for me to change the b.swf file, I want to do this without changing b.swf. Is there any other way to access the frames of b.swf from a.swf? Please someone help me solve this problem.

    Use a local executable (such as PHP) to load the b.swf and send it back to a.swf. For example:

    loadSWF.php:

    <?php
    // Fetch b.swf from the other domain and relay it to the caller
    $fh = fopen("http://www.b.com/b.swf", "r");
    header("Content-type: application/x-shockwave-flash");
    fpassthru($fh);
    ?>

    a.fla:

    var target_mc:MovieClip=this.createEmptyMovieClip("target_mc",this.getNextHighestDepth());

    target_mc.loadMovie ("loadSWF.php");

  • The ACS authentication

    We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses VLAN 1 and VLAN 40 for wireless terminals. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block VLAN 40 access to VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.

    The untrusted kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.

  • ACS 5.6 authentication problem

    We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.

    The unit is installed on the network, correctly licensed, etc.

    I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.

    I created a network device (Catalyst switch) as a TACACS+ client and specified single-connect.

    When I SSH into the switch, I can connect using my AD user name and password, but I can't go into enable mode. It says "authentication failure".

    My aaa settings are

    radius-server host 172.25.50.8
    RADIUS-server timeout 3
    RADIUS-server application made
    radius-server key

    I am missing something somewhere, I don't know where. If I try to download the ACS support bundle, it says it is downloading, but does not say where (or how).

    any advice would be great. I'm new to this product.

    See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889

  • Can I choose my preferred trusted device for iCloud two-factor authentication?

    I've recently implemented iCloud two-factor authentication, because I love the extra security it adds.

    As usual, I have my MacBook on me, and I also have to log on to a Windows PC every now and then.

    Unfortunately, iCloud chooses my headless Mac mini, which I use as a server at home, instead of my laptop or iPhone.

    I would like to stop receiving the confirmation code on this machine. Has anyone faced a similar problem?

    If so, how did you solve it?

    Codes go to all the trusted devices.

    Of course, you can remove trusted devices at any time.

  • Domain user in dell FS7610 authentication mode

    Hello world

    I have configured my first FS NAS. The FS7610 units are integrated with PS Series EqualLogic and we reach the FS7610 through the Group Manager GUI. The container and shares are created via the Group Manager GUI and the shares are available on the network, but we can only successfully connect to a CIFS share with the CIFS administrator account of the storage, not the domain administrator account, even though the FS7610 is joined to the domain. I also need to know what is required to authenticate a domain user to any CIFS share.

    Thank you & best regards,

    Ali Hassan

    The problem has been solved by adding a DNS entry...

  • ACS authentication with Active Directory based on ad groups

    Hello

    I'm trying to integrate Cisco ACS 5.4.0.46 with AD. I successfully connected ACS to AD and I successfully used AD authentication for network devices, but my problem now is that anyone with an AD account can connect to network devices, which compromises security. I created a group in AD that I would use and I added the group under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups. I also chose the identity source for Default Device Admin as AD1 and, under authorization, an authorization policy that uses a compound condition that uses AD1 and the custom group. However, after having set all that, I am still able to connect to the switch with a user who is not in the custom group. Based on what I have explained, can someone tell me if I am missing a step?

    Thank you

    Derek Velez

    Thanks for the update and for closing the thread. Default rules are set to deny access, so that a legitimate user who does not match a rule set by the ACS administrator is denied access. In your case, it had been changed to a permit, so that both types of users got access (members and non-members of the AD groups).

    The best way to resolve these issues is to look at Monitoring and Troubleshooting > user attempt > magnifying glass. You will see how this user has been allowed access.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • Secure ACS Authentication and Authorization with SecurID

    I am able to authenticate connection attempts using an external database (RSA SecurID). The problem is that everyone with a token is authorized to connect to any switch with priv15 or whatever I put (but there is no way to control who gets what access). How can I allow users based on some kind of group membership? The SecurID server is already integrated with LDAP; it only checks to see if the user exists in the database.

    I need to create two groups, or even only allow a single group and deny everyone else, but anyone in the organization with a token is allowed to connect. I can't find guides that do anything beyond authentication when you use a SecurID token.

    Thank you.

    Hello

    On the routers and switches, have you given the command "aaa authorization exec default group tacacs+"? It seems that you have only defined authentication on the devices. Once the command is in place, user access privileges can be governed by the ACS. In the default network administrator access policy (if you are using the default policy for TACACS+), set the authorization rule to verify the user's group membership and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to other users.

  • Cisco ACS authentication issues

    Hi all

    I have just set up my ACS for Windows Server. It runs version 4.1 software. I have problems with authentication. I have set up the AAA clients in the ACS GUI to use TACACS+ to authenticate. I have the key on the switch and the corresponding key on the ACS server. I have set up users. Here's my AAA config on the switch...

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    Here is the TACACS+ debug output

    183757: Sep 2 10:14:22.131 edt: TAC+: send AUTHEN/START packet ver=192 id=2789804961
    183758: Sep 2 10:14:22.131 edt: TAC+: Using default tacacs server-group "tacacs+" list.
    183759: Sep 2 10:14:22.131 edt: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
    183760: Sep 2 10:14:22.135 edt: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
    183761: Sep 2 10:14:22.135 edt: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
    183762: Sep 2 10:14:22.335 edt: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
    183763: Sep 2 10:14:22.335 edt: TAC+: received bad AUTHEN packet: length = 6, expected 128683
    WC2950-12#
    183764: Sep 2 10:14:22.335 edt: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    183765: Sep 2 10:14:22.335 edt: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
    183766: Sep 2 10:14:22.339 edt: TAC+: Using default tacacs server-group "tacacs+" list.
    183767: Sep 2 10:14:22.339 edt: SSH1: password authentication failed for wcromwell

    I have the same keys on the AAA server as I do on my switch...

    Thank you

    Please check the secret key of the NDG and of the main AAA client. The NDG key overrides the main AAA client key.

    Make sure you have the right key in NDG >

    Kind regards

    ~ JG

    Note the useful messages

  • ACS authentication problem with TACACS+

    My organization has been using ACS with AD to authenticate users for access to network devices.

    But lately, it does not work. There have been no known changes.

    Can anyone help point out the possible problems, or links showing how the actual configuration of the ACS should be or look for this to work?

    My apologies if this is a naïve question, I am not so comfortable with ACS.

    Thank you!

    Hello

    There are two ways to correct the message 'windows dialin permission required'. You can either add dial-in permissions to the user accounts in your Windows database, or you can remove the "Require Dialin permissions" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go to your Windows database and click "Configure". The first option is a box that gives you the option to "make sure that grant dialin permission is checked".

    Checking this box will cause the error you get if your Windows users do not have dial-in permissions. If you uncheck this box, it should clear this up.

    HTH

    JK
