ACS 4.0 TACACS+ - Two Domains

Hi All,
Just troubleshooting an issue here...I have two forests....with top level domains...DomainA1 and DomainB1...
The Cisco ACS is installed on a server inside DomainA1..
Users like JohnSmith.DomainA1 and JaneSmith.DomainB1 are able to authenticate off the Cisco ACS Server, which in turn passes this to the Windows AD just fine.
Users within the child domains of DomainB1 fail authentication....so a user like DomainB1.ChildDomain.MarkSmith...
I've confirmed that we have a trust between the two forests (ie DomainA1 and DomainB1)..
Does that carry over to the child-domains of the other forest (DomainB1)?
Do I need a trust between the specific child-domains to the domain that the Cisco ACS server is installed on?

Based on the bug below, you might need trust between the domains.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth47968

Similar Messages

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and placed in VLAN 1, while a machine that is in AD2 will be authenticated to AD2 and placed in VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible?
    Many thanks

    Yes, ACS can support multiple AD domains, but you will have to configure one as your AD domain and the other as an LDAP database. This will work since you are planning to use EAP-TLS.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so that if the user is not found you can move to the next store; this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • ACS Authentication in another (trusted) domain by ACS Agent

    Hi
    I have got two domains. Domain A is the top-level domain. Domain B is a child domain of Domain A.
    The ACS Agents are installed on two DC's in Domain A.
    Authentication of clients in Domain A is ok.
    Authentication of clients in Domain B is a problem.
    I created a Universal Group in Domain A. In this Universal Group, I put a Global User Group from Domain B. Authentication is not OK.
    The ACS "Failed Authentication Log" says: "External DB account Restriction".
    What is the problem here?
    Regards,
    Remco

    Windows Group Mapping Limitations
    ACS has the following limits on group mapping for users who are authenticated by a Windows user database:
    • ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
    • ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication.
    What does the second bullet actually mean?
    Is it not allowed to make a domain local group in Domain A (in which the Remote Agents are) that contains users (not groups) from Domain B?
    Do you have to connect to Domain B in ACS (seen due to the trust relationship) and create a group mapping directly in Domain B?

  • ACS 4.2 multiple AD domain authentication

    I have ACS 4.2 for Windows installed on a Windows Server 2003 box. Because of a merger I now need to authenticate against 2 different domains. There is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC, but whenever I try to authenticate a user it says "dial-in permissions needed" in the ACS failed authentication log. I think it's an AD issue but I can't know for sure as I'm not a Windows guy. Any suggestions?

    Hi Jeremy,
    The 2003 box where you have installed ACS, is this server part of both domains in which you want the users to be authenticated?
    Have you enabled the dial in permission on the ACS as well as per the screenshot below?
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • Can I have two Domain in one network?

    I have two servers in my office on the same network.
    Server A is the Active Directory / domain server. Certain users join the domain and connect to this server.
    Server B is a file server. The other users just use a workgroup. But now this server needs to be promoted to be a domain server.
    But users that connect to domain server A will not connect to domain server B, and users that connect to domain server B will not connect to domain server A.
    Is there any problem if I set up two domains in one network?
    Please Advise.

    Domains are a logical structure of your network. Yes, you can create two domains in the same network. One thing you should consider in this scenario is trusts between your domains. By default separate domains do not have any trusts between each other, and you should establish a trust manually if you would like to have users in A authenticated in domain B.
    Regards.
    Mahdi Tehrani Loves Powershell
    Please kindly click on Propose As Answer or mark this post as helpful to other people.

  • WLS 8.1 two domains with EJB and webapp deployed has JVM conflicts?

    Test configuration environment:
    Windows 2003 server installed with weblogic 8.1 server and oracle 9i.
    This weblogic server have two domains, one is for EJB deployment, the other is a webapp that implements accessing to oracle through EJB.
    The issue is that when we tested a method provided by the EJB that uses double to calculate some total value, the result was correct. But when we tested it using the webapp that was deployed on the same server as the EJB, its result was negative or zero.
    I think the reason is that the JVM which both the EJB and the webapp used for calculation was the same and may have made some conflicts when they run at the same time.
    Any suggestion would be greatly appreciated.
    Thank you in advance!
    Shuaibing
    Message was edited by:
    linuxapple

    This morning I deployed that webapp to the domain that the EJB is deployed in, and the results of the calculation in the webapp's JSP were correct.
    Could anyone be kind enough to tell me what the differences are in the calling JVM between a single domain (EJB and webapp deployed together) and two domains (EJB and webapp deployed separately)?

  • Cisco ACS 5.1 Tacacs with Juniper Srx 210

    Hi all,
    I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.
    Can anyone help me with how to add the Junos service in ACS 5.1, i.e. how to integrate the Juniper SRX 210 in Cisco ACS 5.1?

    Hello Pranav
    As Nicolas said, you really need to know what attributes the Juniper SRX is using. It also depends on what you're looking for; for example, "password authentication" is very different from "command authorization". I answered a similar question here: https://supportforums.cisco.com/thread/2111466
    You don't need to enable any new service. ACS is capable of serving any TACACS (or RADIUS) device as long as you tell ACS what the TACACS (or RADIUS) attributes needed for that device are.
    This is an example in which I have configured ACS 5.x with an attribute called "local-user-name", which the JunOS router uses for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
    If you don't know the attributes, you can capture the packets and troubleshoot from the Juniper CLI and from the "ACS View" side. That's how I found out the "local-user-name" attribute.
    Please rate if it helps. Kind regards

  • Combining two Domains in a single Forest

    Issue: We have a forest, bcxxx.com, and within it live two domains: xyz.com & abc.com. Both domains are in the same physical location. Is there a best practice to merge one into the other or create a new domain and merge the two into one? I've inherited a mess and there isn't a need to have them separated. There is currently a trust between the two, but I would like to clean this up the best way possible and do it following the best-practice format. A single-domain environment would work fine and it would be more organized and less complicated.
    Is there a way to do this without starting over from scratch? 700+ users and 600+ devices would make this a nightmare. Any suggestion will be greatly appreciated.
    RT

    Thank you for the input, I appreciate it. Yes, this current setup is unnecessarily complicated and a big mess. There are too many issues to mention, just in general as to the amount of odd errors popping up. So instead of trying to troubleshoot each individual one I want to take the proper steps to help clean it up, upgrade the domain, and then see if these problems still exist.
    Some of the daily issues: unable to browse devices on the network (computers by name) or add a computer to the domain | DNS issue. Manually adding the same DNS IP addresses to the NIC which it already had by DHCP resolves the issue. Setting it back to automatic DNS after the fact, the computer works fine. This is just one very minor problem.
    Thanks again.
    Randy Taylor

  • How can i put two domains with IAS

    Hi!!
    I have IAS on Win NT and I publish www.mycompany.com with it, but now I want to publish another domain, www.myproduct.com, on the same machine and I don't know how, because in the http.conf servername parameter I can only put one server. If I install two network cards with two IPs, can I do this? Or is it impossible?
    Could anyone help me?
    Regards.

    Hi!!!
    Thanks for your help!!
    But if with these two domains I need to publish pages generated with the PL/SQL toolkit, how does this work?
    If I publish /pls/myapp and /pls/myapp2, where do I see these in the two domains? Can I give permissions or something so that only myapp is visible in domain1 and myapp2 in domain2?
    Thanks in advance.

  • Two domains + two servers + one static IP address = DNS confusion

    I'll try to keep this simple:
    I have two domains, two Mac mini SL servers, one AirPort Extreme, and multiple static IPs, but only one of them pointing to the router. I've configured DNS successfully for the primary domain (example1.com) and thought that I had set up a second primary zone for the second domain (example2.com), but all external requests point to example1.com.
    So the two setups I've tried are:
    Reverse zone
    1.0.10.in-addr.arpa.
    - 10.0.1.200 - example1.com
    - 10.0.1.201 - example2.com
    Primary zone
    example1.com
    - example1.com - 10.0.1.200
    - example2.com - 10.0.1.201
    OR
    Primary zone 1
    example1.com
    - example1.com - 10.0.1.200
    Primary zone 2
    example2.com
    - example2.com - 10.0.1.201
    Does anyone know of a good tutorial for hosting multiple servers in an internal network, pointing to one name server internally? I've looked everywhere and cannot make sense of the issue.
    Thanks in advance.

    After sleeping on it, I came up with a much easier solution that works better for what I'd planned in the first place. I hung a spare router off my gateway and set up a completely different network for the second server and everything is great now. I knew there was a reason I'd signed up for five IPs...
    In any event, I don't think I would've been able to accomplish what I was trying to do while using the Airport Extreme as my firewall. I wanted to have separate static IPs for each of the boxes and obviously I couldn't do that with the airport, although it took a while for me to recognize that.
    Thanks for the suggestion, though. I think I'm going to use that for some subdomains.

  • Send connector - e-mails from two domains to distinct anti-spam IPs

    I have an Exchange environment that has two domains. I want e-mails sent from one domain to relay to one anti-spam gateway, and e-mails sent from the other domain to relay to another anti-spam gateway.
    Example:
    I need to configure a send connector to send the e-mails from "test1.com" to IP 10.160.190.66 and from "test2.com" to IP 10.160.190.69.
    How do I do this?
    I need this because each domain uses a distinct anti-spam gateway.
    Tks.

    Hi,
    Before going on, I would like to confirm the following information.
    What's the version of the Exchange?
    Whether the two domains have their own Exchange or share one Exchange?
    Thanks
    Allen

  • How To: Host Two Domains on Lion Server - One IP

    Here is the situation: I own a new Mac mini and have installed Lion Server. All of my updates are current. I have purchased two domains from a reputable “Gddy” source. (I don’t know if I can use their official name.) I think I am doing something wrong because I have to type “www.”mydomain.com to get to my websites. How do I host my two sites?
    Here is what I have done so far and have been somewhat successful. For purposes I will refer to my domains in this question as domain1.com and domain2.com. At Gddy my DNS A records for @ both point to my single IP. In addition my www CNAMEs point to @ for both my domains.
    My server admin DNS read the following:
    Name – 1.168.192.in-addr.arpa / Type – Reverse Zone / Value - Blank
    Sub Name – 192.168.1.6 / Type – Reverse Mapping / Value – server.mydomain1.com.
    Name – server.mydomain1.com / Type – Primary Zone / Value – Blank
    Sub Name – server.mydomain1.com. / Type – Machine / Value – 192.168.1.6
    In Lion server I have Web Server turned on and have setup the following web sites:
    server.mydomain1.com
    www.mydomain2.com
    www.mydomain2.com
    I am using iWeb and have both websites loading through SFTP successfully.
    I am using a SSH certificate I created using my apple ID
    Questions:
    Why do my customers need to type the www to access my domains?
    Do I need to setup another primary zone called server1.mydomain2.com?
    Currently everything works fine if you type the www before the domains, but I am now on a mission to refine my sites. If users get errors trying to get to my site then they will stop trying, and I don't want that. Apple community, please help. This stuff really amazes me and the fact that I am somewhat "catching on" is a great feeling. Thank you.

    As Belle points out, this has little or nothing to do with DNS. It's all about Apache.
    When a request comes in, Apache looks at the hostname of the request to determine which site's configuration to use for that request.
    Right now you have two 'sites' configured - 'www.domain1.com' and 'www.domain2.com'.
    When a request comes in for, say, http://domain1.com/ Apache does that same lookup, except it doesn't find a match - you don't have any configuration for 'domain1.com', only 'www.domain1.com'. THESE ARE DIFFERENT.
    There is absolutely no automatic relationship between a host record (e.g. 'www.domain1.com') and its parent domain (e.g. 'domain1.com'). It makes no difference that you have a DNS CNAME that maps one hostname to another because Apache isn't doing DNS lookups on the incoming requests.
    The solution, as indicated, is to tell Apache the list of hostnames that match each site. By telling the 'www.domain1.com' site that it's valid for 'domain1.com' as well (and even 'foo.domain1.com' or 'bar.domain2.com' if you want, too), Apache can serve the request with the appropriate configuration.
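    The fix described above, as an added configuration example that is not from the original thread: two name-based virtual hosts on a single IP, using the domain1.com / domain2.com names from the question. The DocumentRoot paths are assumed placeholders, not the poster's real ones.

    ```apacheconf
    # Added example (not from the thread): name-based virtual hosts on one IP.
    # Apache picks the site by comparing the request's Host header against
    # ServerName and ServerAlias only; DNS CNAME records play no part in that lookup.
    NameVirtualHost *:80          # needed on Apache 2.2 (as on Lion Server); ignored on 2.4

    <VirtualHost *:80>
        # Before the fix only ServerName existed, so a request for http://domain1.com/
        # matched nothing and fell through to the first VirtualHost defined.
        ServerName   www.domain1.com
        # After the fix: every hostname this site should answer to, bare domain included.
        ServerAlias  domain1.com server.domain1.com
        DocumentRoot /Library/Server/Web/Data/Sites/domain1   # assumed path
    </VirtualHost>

    <VirtualHost *:80>
        ServerName   www.domain2.com
        ServerAlias  domain2.com
        DocumentRoot /Library/Server/Web/Data/Sites/domain2   # assumed path
    </VirtualHost>
    ```

    `apachectl -S` prints the resulting hostname-to-VirtualHost mapping, which is the quickest way to confirm that domain1.com no longer falls through to the default site.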

  • ACS 4.0 to NT Domain with NTLMv2 problem.

    I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
    I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
    In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
    When I run the Authentication test from the VPN setup screen I get a failed request.
    In the CSAuth log I am getting:
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    With NTLMv2 turned off and running ACS 3.2 this setup is working (My production network) My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
    Does anyone have any advice? Thanks!

    Please make sure you read this Field Notice:
    http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
    Note that, despite the Windows URL mentioning only 2003 server, the 2000 server also supports NTLMv2. Therefore, the following scenarios apply:
    - DC on Win 2003 SP1 - don't require any hotfix since it's included in SP1
    - DC on Win 2000 SP4 - don't require any hotfix since it's included in SP4
    - DC on Win 2003 - require hotfix KB893318

  • Two Domains

    I have a Windows 2003 AD domain. I need to change the domain name and also upgrade from 2003. I am in the process of setting up a Windows 2008 AD domain. I will set up a full trust between the two domains and slowly move resources.
    Can I set up the new domain with IP addresses from the same subnet, so I would assign for example 10.168.100.50 - 150 to the current domain and 10.168.100.151 - 254 to the new domain?
    Let me know if there are other ways to do this. I have limited resources. I have licenses for 2008, not 2012, and my hardware does not support 2012.
    Thanks,
    Bill

    If all you need to do is change the domain name and bump up to 2008, then why not just introduce the 2008 DCs into the existing domain and retire the 2003 DCs? Then bump up the functional levels and rename the domain.
    Doing a domain migration is fine, but it is a huge amount of work and you'll probably chase "little issues" around for weeks afterwards, when you don't really need to do that to accomplish what you listed.

  • Posting two websites on two domains

    I have iWeb '08.
    I have 2 Mac accounts, one personal one family.
    I have two domains, one with each account.
    When I open iWeb on the very bottom in 'green' is my Mac address.
    My question:
    I create a 'personal website' and I upload it to my 'personal account' no problem.
    But now I want to create a 'family website' on my family account - and I use one computer.
    How do I make sure that 'family site' goes to the family domain.
    If I create multiple websites on iWeb '08 - how do I direct those sites to their proper domain.
    I'm confused.
    Also since I have your attention - if I have the HTML - how do I create a button?
    And lastly - I know you can make a website 'password' protected. Is there a way within a website to make ONE PAGE private? Let's say all the links on the 'home' work except for that 'one page.' Is that doable?
    Thank you!

    Log into your computer with the new user name, then go and change your iDisk user name and password to the 2nd .Mac account so that when you open the iDisk it is that 2nd account; then you can launch iWeb and make the second site for that other .Mac account...
    To make 1 page protected, just use the help menu within iWeb; it will tell you how, it's simple...
