WLC4402, SSC 4.0, EAP FAST with ACS 4.1.23 and Active Directory

Hi all

I have a problem where my client software, SSC (Cisco Secure Services Client) wireless, on laptops will not authenticate Windows domain users unless they enter the username and password manually. The single sign-on feature will not work. I am using EAP-FAST. It is an ACS appliance-based server that I restored from the recovery CD.

When I look at the failed authentication request I can see that it is trying to send [email protected] / * / during an SSO attempt. The log shows that it is a bad username or password. Note that the end of the domain name is missing.

I can see the authentication attempt in the log of the Remote Agent (CSWinAgent.log) on the domain controller, so I know that the request reaches the domain controller. The Remote Agent is the same version as the ACS server. When I authenticate successfully (manually) it does not send the domain part of the username.

This is a new installation. Initially, I had 2 remote agents, both on the domain controllers, and the service was run under an account with sufficient privileges (Windows domain administrator). After a planned shutdown weekend, Windows authentication stopped working completely. I found a post in this forum that says to use the Local System account to start the Remote Agent service. This brought Windows authentication back to life, but now I have this problem. I don't know whether, before I changed it, manual login also required the domain (i.e. domain\username). I can't be sure that this is the case!

Can anyone help me get Windows AD to accept these credentials as they are sent by the client? Otherwise, if I can make it work with the user account it worked with initially, that would be great.

Thank you very much

As you mentioned, SSC transmits the username "[email protected] / * /" in SSO.

What I am thinking of for the moment is to use the Proxy Distribution feature on ACS.

That is, when the request comes in as "[email protected] / * /", let's make ACS strip off "@domain" and send "username" to the RA for AD verification.

http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342969

After stripping "@domain", send the request back to the ACS itself, i.e. in the "Forward To" column, make sure the ACS itself is listed.

Let me know if it works for you.

Kind regards

Prem
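As an added illustration (not code from this thread or from Cisco), the following Python models the Proxy Distribution Table lookup described in the reply: the row whose character string matches the incoming identity is stripped from it and the request is forwarded to the listed server, here the local ACS, so the Remote Agent sees a bare username. The row fields, the longest-match rule and the sample table are assumptions of the model.

```python
"""Model of an ACS 4.x Proxy Distribution Table applied to the usernames an
EAP-FAST supplicant sends (added illustration; not Cisco's code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProxyEntry:
    """One row of the distribution table (field names are assumptions)."""
    match: str        # character string to look for, e.g. "@corp.example" or "CORP\\"
    position: str     # "suffix" (realm after the name) or "prefix" (domain before it)
    strip: bool       # remove the matched string before forwarding
    forward_to: str   # AAA server name; "<local>" stands for this ACS itself


@dataclass
class Decision:
    forwarded_username: str         # what the downstream server (or Remote Agent) sees
    server: str
    matched: Optional[ProxyEntry]   # None when only the default entry applied


def _matches(entry: ProxyEntry, username: str) -> bool:
    # Match case-insensitively: Windows user and domain names are not case-sensitive.
    u, m = username.lower(), entry.match.lower()
    if entry.position == "suffix":
        return u.endswith(m)
    if entry.position == "prefix":
        return u.startswith(m)
    raise ValueError(f"unknown position {entry.position!r}")


def lookup(table: List[ProxyEntry], username: str,
           default_server: str = "<local>") -> Decision:
    """Pick the table row for `username` and apply its strip rule.

    Assumption: when several rows match, the longest character string wins,
    so "@eng.corp.example" takes precedence over "@corp.example". With no
    match the request goes to the default entry unchanged.
    """
    candidates = [e for e in table if _matches(e, username)]
    if not candidates:
        return Decision(username, default_server, None)
    best = max(candidates, key=lambda e: len(e.match))
    name = username
    if best.strip:
        if best.position == "suffix":
            name = username[: len(username) - len(best.match)]
        else:
            name = username[len(best.match):]
    if not name:
        # Stripping consumed the whole identity (e.g. "@corp.example" alone):
        # refuse rather than forward an empty username to AD.
        raise ValueError(f"stripping {best.match!r} from {username!r} leaves no username")
    return Decision(name, best.forward_to, best)


# Constructed sample table: both rows forward back to the local ACS, which then
# passes the bare username to the Windows Remote Agent, as the reply suggests.
SAMPLE_TABLE = [
    ProxyEntry("@corp.example", "suffix", True, "<local>"),
    ProxyEntry("CORP\\", "prefix", True, "<local>"),
]

if __name__ == "__main__":
    # Note the third case: the SSO identity in the thread arrived with the end
    # of the domain name missing, so a row written for the full realm never
    # matches and the unstripped name is sent on, which AD then rejects.
    for u in ("jdoe@corp.example", "CORP\\jdoe", "jdoe@corp"):
        d = lookup(SAMPLE_TABLE, u)
        print(f"{u:22} -> {d.forwarded_username!r} via {d.server} "
              f"(row: {d.matched.match if d.matched else 'default'})")
```

The third sample shows why the character string must equal exactly what the supplicant sends: a truncated realm falls through to the default row unchanged.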

Tags: Cisco Security

Similar Questions

  • Use EAP-FAST with ACS 5.2

    Hello everyone,

    I use Active Directory as the external identity store for ACS. In the ACS 5.2 web interface, navigating to Access Policies > Access Services and going to the Allowed Protocols tab, the only protocol that works is PAP/ASCII. In the ACS documentation it is described as the least secure authentication method for ACS.

    I would like to use EAP-FAST. What command should I enter on the AAA client for it to work? The router's IOS version is 12.4.

    Here is its AAA configuration:

    aaa new-model
    !
    !
    aaa group server tacacs+ ACSTEST1
     server 1.1.1.1
     server 2.2.2.2
    !
    aaa authentication banner ^CCCCCC*TACACS+ server is not available, use local def^C
    aaa authentication fail-message ^C
    aaa authentication login default group tacacs+
    aaa authentication login VTY group tacacs+ local
    aaa authentication login CONSOLE group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    !
    !
    aaa session-id common

    I have found no help in the Cisco IOS Security Command Reference or on the Internet.

    Thank you for your help.

    Best regards, Andy

    Hello

    TACACS+ authentication is only supported with PAP; it is not possible to use EAP-FAST.

    Please keep in mind that the EAP methods work with RADIUS, not with TACACS+.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

  • EAP-TLS authentication with ACS 5.2

    Hi all

    I have a question on EAP-TLS with ACS 5.2.

    If I want to implement EAP-TLS with a Microsoft CA, how will computer and user authentication be done?

    I understand that a cert is required on the client and the server end, but is this certificate bound to the computer or to individual users?

    If it is bound to the user, and I have a shared PC used by a few users, does each user account need its own certificate?

    And will each individual user have to get the CA cert manually? Is there another method, as my environment has more than 3000 PCs?

    And also, if it binds to the user, any user can get their CA cert with their AD username and password; if they bring in their own device and try to get the CA certificate, will they be able to install the cert properly on their device?

    I hope you guys can help with that. Thank you.

    Hope this answers most of your questions:

    Client or user certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T10

    Computer certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T15

    In the case of EAP-TLS we have both the computer and the user certificate installed on the machines.

    Kind regards

    Jousset

    Rate useful posts.

  • ACS 5.2 does not pick up Active Directory changes

    Hi all

    I work with ACS 5.2 and use RADIUS authentication for VPN clients.

    The authentication method used is Active Directory in a Windows environment with multiple domains in the same forest.

    My problem occurs when I move a user from one group to another in Active Directory. After that, I get the following message when trying to connect:

    15039 selected authorization profile is DenyAccess

    The message corresponds to the default policy.

    Another user in the same AD group works very well.

    All domains in the forest have a relationship of trust between them.

    I use universal groups to include all domain users belonging to this forest.

    Can someone help me?

    Regards

    What is your authentication rule matching against, a single AD group?

    You can check which groups were retrieved for the user, as follows:

    -Go to "Monitoring and Troubleshooting".

    -Select Authentication - RADIUS - Today.

    -Find the entry that did not match and click on the Details icon.

    -Expand the "Authentication Details" section. Under "Other Attributes", look for the groups retrieved from AD in which the user is enrolled.

  • Referral error with VIO and Active Directory

    While deploying the VIO OpenStack instance, I get the following error message when checking the authentication source parameters:

    Cannot find the specified user (Group). Details: The LDAP search request failed. Further reference

    This seems to be a problem I have met several times, where AD sends a referral instead of the response, which the client must then follow. But I don't see any option to allow referrals with Active Directory. Is there a way around this?

    Regards

    Gerald

    I found a workaround for the problem:

    The query succeeds when you use the ports of the Active Directory Global Catalog.

    The ports are:

    • 3268 (without encryption)

    or

    • 3269 (with SSL)

    Disadvantage: you can't just use your domain name to address all the domain controllers; you must specify one by its host name.

  • ACS 4.2 and Active Directory

    I'm setting up our new ACS 4.2 server. This is version 4.2 Build 124, running on a Windows 2003 server. I'm having some trouble with group enumeration and may just be missing something. We have 7 different domains, and I can only list the groups of one of them. We do not run ACS on one of our domain controllers, but the server is a member of the domain. I even added a service account that is a domain administrator and the services run as that account, but I still cannot enumerate groups. Any help would be greatly appreciated.

    Hello

    I know that you have a domain administrator account running the ACS services, but I'd like you to go through the steps listed below again.

    ------------------------------------------

    -You should have a user on AD.

    -To make it difficult to hack, give it a very complicated, long-lived password.

    -Make the user member of the Domain Admins group.

    -Make the user member of the Administrators group.

    -Make the user member of the Enterprise Administrators group.

    On the Windows 2000/2003 server running ACS:

    -Add the new user to the appropriate local group.

    -Open "Administrative Tools" in the control panel.

    -Open "Computer management".

    -Open "Local Users and Groups" and then "Groups".

    -Double-click the group "Administrators".

    -Click on "Add".

    -Choose the domain in the "Look in" box.

    -Double-click the user created above to add it.

    -Click OK.

    -Give special rights to the new user on the ACS server.

    -Open "Administrative Tools" in the control panel.

    -Open "local security policy".

    -Open "local policies".

    -Open "User rights assignment."

    -Double-click "Act as part of operating system"

    -Click on "Add".

    -Choose the domain in the "Look in" box.

    -Double-click the user created above to add it.

    -Click OK.

    -Double click on "Log on as a service."

    -Click on "Add".

    -Choose the domain in the "Look in" box.

    -Double-click the user created above to add it.

    -Click OK.

    -Set the ACS services to run as the user created above.

    -Open "Administrative Tools" in the control panel.

    -Open "Services".

    -Double-click the CSADMIN entry.

    -Click the "Log On" tab.

    -Click on "This account", and then on the "Browse" button.

    -Choose the domain and double-click the user created previously.

    -Click "OK".

    -Repeat for the rest of the CS services.

    -Wait for Windows to apply the security policy changes, or restart the server.

    -If you restarted the server, skip the rest of these instructions.

    -Stop and then start the CSADMIN service.

    -Open the GUI of the ACS.

    -Click on System Configuration.

    -Click on Service Control.

    -Click "Restart".

    Note: If domain security policy is set to override the settings for the "Act as part of operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.

    If you log on to several domains, a full two-way trust must exist between the domains, the user (ACS account) must be created and given the elevated access in each domain to be queried, and the FULL domain name of each domain must be listed as a DNS suffix in the IP address properties of the server on which ACS is installed (restart the Netlogon service after adding the FULL domain name).

    HTH

    JK

    Please rate helpful posts.

  • Problems with parental control time limits and activity reports on Windows 8 PCs

    The Family Safety team has identified two problems for people using parental controls in Windows 8:

    ·         Time limits stop working

    or

    ·         Parents receive activity reports that show no PC activity, even though the children are using the PC. (Web and application use is still reported, but the chart for PC time used is empty.)

    I had the same problem(s).

    Finally fixed it.

    The child user account must have the PC "trust" in relation to the online Windows Live account restored. Log on to the computer with the user account that does not work. Swipe, or with the mouse, click on the right side.

    "Settings", "Change PC settings", "Sync settings", "Passwords", "Trust this PC".

    You will need to have a code sent to your mobile phone, your home phone or your email.

    Once the code is entered and verified, the PC is now in the "Trusted PC(s)" of the online Windows Live account.

    This must be done for each user and each PC that does not work.

    Good luck, hope this helps other parents. I was pulling my hair out with this not working. Time limits are the best thing in the WORLD, as long as they work!

    Sorry kids, no more free time on my watch!

  • How to migrate from Windows 2003 to Windows 2008 with Active Directory, GPO and DNS all working, without problems?

    Hello...

    I have a problem with the Windows 2003 to Windows 2008 migration. I have tried several rounds of searching on Google and YouTube, but it still fails.
    In the first case,
    I have an HP ProLiant server with Windows Server 2003. So I restored the backup to a different HP ProLiant server with the same hardware specification. I backed up the System State and drive C with NTBackup. After I restored on the HP ProLiant that I want to migrate to, the DNS server requests time out and the client cannot join the domain. I was surprised, because the backup and the hardware are the same, but it cannot work as well as the original server.
    In the second case,
    I have Windows Server 2003 on an HP ProLiant server and it works well. I did a replication from this server to another Windows 2003 server on another HP ProLiant and the replication works well (another user can join the domain). After that, I installed Windows Server 2008 on another PC and replicated from the Windows 2003 replica. This replication succeeds, but not the DNS (DNS query time-out).
    I despair of trying to migrate Windows 2003 to 2008 because it still fails on DNS. Is there another way to migrate from Windows 2003 to 2008 with DNS, AD and GPO working?

    Hello

    The question you posted would be better suited to the TechNet forum, where IT professionals will deal with your question.

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

  • Active Directory + ACS Remote Agent

    I have an ACS appliance (3.2). I understand that I need to use an ACS Remote Agent, installed preferably on a domain controller, for Windows authentication. My question is: if I use Active Directory, can I not use External User Databases and configure Generic LDAP with the appropriate settings to access Active Directory? Then I wouldn't need a Remote Agent? Or do I have to use External User Databases and configure the Windows Database (which means using an external Remote Agent)? Or can I choose either method? It's confusing, as Active Directory can support pre-2000 Windows domains and I do not know which method of external user database mapping to use.

    My apologies, I missed the word "appliance" in your original post.

    You can probably do this anyway, I guess, even though we suggest using a Remote Agent with the Windows DB. If you are not going in that direction, make sure of your security permissions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/rawi.htm#642394).

    I've had users use LDAP with the Windows AD database before and it works very well; the only difference (IIRC) is that you don't get all the Windows group mappings with this method, but for user authentication only, it should work fine.

  • Unable to browse Active Directory from an ACS 5.1

    Hello

    We joined our ACS 5.1 to our Active Directory 2003. The system seems properly joined: on the ACS we see connectivity status "Joined", and if we try the test button we get "connection succeeded". In the AD tools, we notice that a computer account has been created for our ACS.

    We wanted to create the directory groups, but the browsing tool is empty and no query gives any output.

    The ACS is joined, but we are not able to browse Active Directory.

    Any suggestions as to what the problem could be?

    Thank you.

    This is due to the defect mentioned below.

    CSCtf39158 - failed to retrieve AD groups in single forest with multiple trees scenarios

    You must apply Patch 3 for this problem.

    File name: 5-1-0-44-3

    Download from: CEC / Support / Download http://www.cisco.com/public/sw-center/index.shtml

    Location: Security / Identity Management / Cisco Secure Access Control System / Cisco Secure Access Control System 5.1 / 5.1.0.44

    ## Steps to create the repository

    This is done in ACS CLI mode.

    Create a repository (it's basically an FTP server definition):
    AAA/admin(config)# repository FTP                       ---> (the name can be anything)
    AAA/admin(config-Repository)# url ftp://                ---> (followed by the FTP server host and path)
    AAA/admin(config-Repository)# user <username> password plain <password>

    ===============================
    Steps to install the ACS 5.1 patch:
    ===============================

    Issue the following acs patch command in EXEC mode to install the ACS patch:

    acs patch install <patch-name>.tar.gpg repository <repository-name>

    Rgds.

    JK

    Rate useful posts.

  • When trying to add "Active Directory Federation Services" in the VM, it fails with an exception after clicking the last step of the wizard.

    Event Viewer log as below.

    *****************************************************************

    Event log:

    Log name: Microsoft-Windows-ServerManager/Operational
    Source: Microsoft-Windows-ServerManager
    Date: 07/03/2012 18:09:06
    Event ID: 1600
    Task Category: None
    Level: Error
    Keywords:
    User: HDC\Administrator
    Computer: Win2K8HDCRoot.HDC.Com
    Description:
    An error has occurred in the Server Manager. An unexpected exception was found:
    System.ArgumentNullException: Value cannot be null.
    at Microsoft.Windows.ServerManager.ActiveDirectoryFederationServer.ActiveDirectoryFederationServerProvider.SaveRegistrySetting(Nullable`1 setToCreate, String value, String NomValeurRegistre)
    at Microsoft.Windows.ServerManager.ActiveDirectoryFederationServer.ActiveDirectoryFederationServerProvider.PerformActionBeforeInstall(InstallableFeatureInformation featureInfo, DiscoveryResult discoveryResult, ChangeTracker changeTracker)
    at Microsoft.Windows.ServerManager.Common.Provider.PreInstall(InstallableFeatureInformation, DiscoveryResult discoveryResult, ChangeTracker changeTracker comments)
    at Microsoft.Windows.ServerManager.Common.Provider.FlushSyncPreInstall(List`1 guestsToSync, Dictionary`2 syncResultMap)
    at Microsoft.Windows.ServerManager.Common.Provider.FlushSync(SyncProgressHandler progressCallback)
    at Microsoft.Windows.ServerManager.Common.Provider.FinalFlush(SyncProgressHandler progressCallback)
    at Microsoft.Windows.ServerManager.Transformation.SyncEngine.Sync(ChangeTracker changeTracker, DiscoveryResult discoveryResult, List`1 progressUpdateIdList)
    at Microsoft.Windows.ServerManager.DiscoveryResult.CommitUpdates(ChangeTracker changeTracker, ProgressUpdateCallback progressUpdateDelegate, List`1 featureIdsOfInterest)


    *****************************************************************

    Host details:

    Win 2K8 R2 Enterprise
    Processor: Xeon X3440
    Roles: Hyper-V, File Services
    Related network configuration: "Network Discovery" is on, with the "SSDP" and "UPnP" services running. "DNS Client" and "Function Discovery Resource Publication" are also running. The firewall is turned on.
    Virtual machines running: 6
    Total no. of network adapters: 2
    NIC 1: (Intel(R) 82578DM Gigabit Network Connection) is connected to the broadband internet service. A "Static IP" is set for my server.
    No. of virtual networks: 2
    Virtual Network 1 is of "External" type and connected to NIC 1. IPv4/IPv6 IP address and DNS settings are set to automatic.
    Virtual Network 2 is of "Internal" type. IPv4/IPv6 settings are set to automatic for IP and DNS addresses.

    *****************************************************************

    Virtual machine information:

    Win 2K8 R2 Standard
    Roles: "Active Directory Domain Services", "DNS Server", "File Services" and "Web Server (IIS)".
    Related network configuration: "Network Discovery" is on, with the "SSDP" and "UPnP" services running. "DNS Client" and "Function Discovery Resource Publication" are also running. The firewall is turned on.
    No. of network adapters: 2
    Network adapter 1 is connected to "Internal" with IPv4 set to the static IP address "192.168.10.1" and DNS set to "127.0.0.1". IPv6 is disabled.
    Network adapter 2 is connected to "External" with IPv4 set to automatic for the IP and DNS addresses. IPv6 is disabled.
    Domain controller for HDC.Com.

    *****************************************************************

    Virtual machine history:

    Initially, it had just VS2010 and SP2010 installed, without the DNS and AD DS roles added. Later, VS and SP2010 were uninstalled via the Control Panel, as well as other programs I can't recall. Then the DNS and Active Directory Domain roles were added to create and control the domain "x.com". After a few days, another virtual machine was configured in the same way and the "AD FS" role added to try a claims-based app. In the following days, all of the roles above were removed and added again to create and control the current domain "HDC.Com". Before this step, the self-signed certificates that had been installed as part of the claims app were removed from MMC and from IIS. The computer name was changed as well.

    *****************************************************************
    I'm not good at the basics of any of the above and am learning by trying things out, but I ask the knowledgeable members of the community to help me solve the problem, and I'm sorry if I ask some silly questions as part of this thread.

    Hello

    The question you have posted is generally not answered in the Microsoft Answers forums. It is better suited to the TechNet forum:
    TechNet Forums - http://social.technet.microsoft.com/Forums/en/categories/

  • Problem with Active Directory and the NAC

    Hello.

    Please I need help.

    I have my server with "Active Directory SSO" started, but when a user tries to connect to the network with their Active Directory credentials, the PC agent says "Invalid username and password".

    My server is configured on port 8910.

    I have connectivity with the CBS and Active Directory.

    The kpass command runs successfully.

    Thks.

    Jorge,

    If the service is running, then you must focus on the client/AD communication and see where the break occurs.

    Can you ensure that in the unauthenticated role you have all the required TCP/UDP ports open, as well as ICMP and IP FRAGMENTS, to all your domain controllers?

    HTH,

    Faisal

    --

    If you find this post useful, please rate it so that others can easily find the answer.

  • Administrator rights on the ACS using Active Directory groups

    Good afternoon

    We need to be able to use administrative accounts for our ACS appliance that reside in an Active Directory group, if possible. If this is not possible, what other, more secure options would we be able to use (RADIUS authentication or RSA 2 authentication)?

    Thanks in advance

    You can only use the locally stored accounts within the ACS.

  • How to network Server 2003 Active Directory, DNS, DHCP with other virtual machines

    Hi ~

    I am trying to create a network within the Workstation test environment. I have done research every day and can't find a direct answer. What I want to do is use the Server 2003 functions and create my own private network with 2 other XP VMs, with Server 2003 as the Active Directory domain controller. I want both of these XP machines to be able to log into the domain of the 2003 server. I have never used or learned Server 2003, which is why I am doing this.

    What do I need to create a custom network? Can I use bridged, host-only, NAT? Stop the DHCP service of VMware Workstation?

    What is your host operating system and how does it get its IP address? What is the result of ipconfig /all in Windows or ifconfig -a in Linux?

    Disable the firewall during installation.

    I don't think that the network connection type matters all that much (whether you care about the internet or a local area network, LAN) for the guests, as long as they are the same. I always use bridged, but the only thing that really counts, IMHO, is that the host, the XP guests and the W2003 guest are all on the same subnet and the server has a static IP address.

    I almost always use bridged for all guests. I set all the guests to static IP addresses on the same subnet as the host. I set the DNS server for the XP clients to the IP address of the W2003 host. I install the DNS role on the W2003 server and then install the domain controller (AD) role, with a domain name like lousdomain.local. Then you should be able to join the XP guests to this domain.

    It's all exactly the same as if they were real machines.

    My default setup is bridged, with the host IP set to 10.0.3.5, a gateway of 10.0.3.1 (my ADSL router), my W2003 (or W2008) server set to 10.0.3.4 and the XP guests set to something like 10.0.3.6, 10.0.3.7 etc. Again, it doesn't matter much as long as they are on the same subnet.

    What are the errors you get when you try to set up?

    What do you get from ipconfig /all on each of the guests?

    Lou

  • 802.1X EAP-TLS for wired users with ACS 5.5

    Hi all

    We are setting up a new configuration for wired user authentication with 802.1X (EAP-TLS). We use ACS 5.5 as the authentication server.

    We have added the (internal) root CA certificate and a certificate for ACS signed by the CA. Now we want to check whether authentication works or not. I expect that we also need to install the root CA and an identity certificate on the laptops. But I don't know how to download the certificates for client machines manually from the CA.

    Please suggest how to get certificates for clients, both manually and automatically.

    Thank you

    Vijay

    Hi Vijay,

    For wired 802.1X (EAP-TLS) you must have the following certificates:

    On the ACS: Root CA, intermediate CA, server certificate.

    On the client: Root CA, intermediate CA, user certificate (in the case of user authentication) or machine certificate (in the case of computer authentication).

    I do not know what certificate server you use; whether it's an in-house Microsoft one or any other certificate server, you need to download the client certificate from the server itself.

    In the case of Microsoft, there will be a user certificate template. You can select it and create a user certificate.

    This is an old document, but it shows the computer certificate and user configuration steps; you can see the steps to download the user certificate if the server is from Microsoft:

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    In case you use a third-party certificate server, you must check with them on how to download the user certificate.

    Cheers

    Mohammed (rate useful posts)
