ACS 4.2 Appliance and Windows Agent

Hi
Wonder if anyone has an idea on this?
We have two ACS, 1 windows and 1 appliance.
The appliance is the primary ACS.
The other night all our wireless devices failed to authenticate.  We tracked this down to the Windows server with the ACS Agent on it for the appliance.
The error was failed to bind to domain server down, which found an AD server ran out of memory.
Because the wireless controllers could see the appliance still, it didn't fail over to the secondary.
I was wondering, is there a configuration where if it fails on one ACS it tries to authenticate on the second ACS?
Alternative is to replace the appliance with a windows box so no need to use the agent.
Answers on a post card :-)
Cheers
Craig

Hi Craig,
Unfortunately, the authentication request will not fall on fallback if the primary is still up.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Similar Messages

  • ACS appliance and remote agent testing

    Having problems with integrating ACS appliance with Active Directory. Have installed the remote agent on a member server and from the ACS appliance can enumerate the Active Directory groups correctly so there is at least some communication happening.
    Looking at the remote agent logs, whenever a request for the AD groups comes through you see corresponding log entries. When a user tries to authenticate though, there are no logs coming through to the remote agent. So maybe it is not being sent to the remote agent?
    In the failed authentications log on the ACS the error is unknown user, it does show the correct username + domain as the person trying to authenticate.
    The Windows server is setup for unknown user policy.
    ACS version is 4.1.1.23, Remote Agent is latest version available.
    Any ideas or things to check?

    Hi,
    As per your last line, it seems that ACS and RA ver are not the same. Please note that the ACS appliance and RA software ver have to be the same, else it won't work.
    Regards,
    ~JG

  • ACS 4.2.1 AND WINDOWS 7

    Hi all,
    We are having some authentication issues with Windows 7. The issue is that some Windows 7 machines fail randomly. We are using ACS 4.2.1 MS-PEAP with machine authentication; every now and then a PC fails to authenticate, and the log always shows: External DB user invalid or bad password. And the user to whom the machine belongs always says that they did not change their password! So the error message is clear, but as we are doing machine authentication, can the machine change its password on its own? Or can group policy push a password change? Last week, I had the server guys check the log in the AD server; the log confirmed that there was a password change prior to the user trying to authenticate.
    Has anyone experienced this?
    Thanks,
    Jean Paul

    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is expected behavior because AD forces the computer to change its password every month, and if the computer is not on the domain at that moment the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • Linux Grid control and windows agents

    Hi all,
    I have a Linux based GC and want to communicate with agents on a Windows server. Does this combination use SSH? How do you go about installing agents remotely in this configuration? Any help would be appreciated.
    rgds
    alan

    It's possible to install agents remotely on Windows. See this metalink note:
    How to Install/Configure Cygwin and 'ssh' Server on Windows for use with Grid Control Remote's Agent Deployment
    Doc ID:389632.1
    Werner

  • ACS 4.2 appliance external database configuration with AD

    Dear All,
    How to configure external database in ACS 4.2 appliance for Windows Active Directory? Active Directory is configured in Windows 2012. ACS internal database is working fine without interruption. What configuration is required to configure external database (Active Directory)? It would be highly appreciated if you share your experience with me.
    Thanks,
    AS

    Please check
    Supported Interoperable Devices and Software Tables for Cisco Secure ACS Release 4.2
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/device/guide/sdt42.html

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows Domains - Domain A and B. ACS is configured on a member server in Domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see Domain A in Configure Domain List on the ACS server in the Windows Domain configuration menu.
    Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Appreciate quick help on this.
    -Satishcp

    Unfortunately we are not using the Cisco Secure ACS Appliances; rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess is that Remote Agents for Windows / Solaris work with Appliances alone.

  • ACS Windows Agent Issue

    Hi,
    We just upgraded our 3.3 ACS to the latest version without issue. I created the Remote Agent on the ACS, but when I install the Agent on the Windows 2003 server I get "Unable to initialize variables". Anyone? Thanks.
    John

    John,
    - Logon to the computer as a Local Administrator, preferably "Administrator", and then try and uninstall Remote Agent & try and install it back. Log on locally to the box and install the RA.
    - If above doesn't work, you might have to manually uninstall Remote Agent. After uninstalling, you can try to reinstall the current version of the remote agent.
    somishra

  • ACS Se 4.2.1.15 patch 4 and Windows 2008 R2

    Hi, Can anyone advise whether ACS Se and Remote Agent 4.2.1.15.4 supports Windows 2008 R2 please. Thank you.

    Hi,
    ACS 4.2.1.15 does not support windows 2008 R2.
    ACS 5.2 supports the same.
    It is a bug CSCtg12399 which is resolved on ACS 5.2.
    The release notes of ACS 5.2 describe the same.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html
    The following link gives details of the ACS 4.2 and Windows 2008 compatibility.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html#wp100949
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

  • Is it possible? two ACS 4.2 Appliance with the same remote agent

    Hello,
    I have an ACS 4.2 Appliance integrated with Active Directory, CA and Remote Agent. I want to aggregate another ACS 4.2 Appliance with the same configuration, the same Active Directory, CA. My question is: can I configure the other ACS with the same Remote Agent as the first? In other words ...
    I attach the diagram.
    Thank you

    Hi,
    Maximum number of appliances supported—While a single Cisco Secure ACS Remote Agent can provide services to many Cisco Secure ACS Appliances, support is limited to five concurrent connections by the appliances served. For example, if you have three appliances that are primary Cisco Secure ACSes and three appliances that are secondary Cisco Secure ACSes used for failover purposes only, the remote agent can provide services to all six appliances and stay below the maximum of five concurrent connections.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guide_chapter09186a0080193aa1.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • SAP Conversion Agent for PI 7.1 EHP 1 and Windows 2008 Support

    Hello
    I have read that some people were able to run SAP Conversion Agent on a PI 7.1 EHP1 Installation on Windows 2008 Server. But in the Product Availability Matrix there is no support for 2008 yet.
    In the SAP Library (http://help.sap.com/saphelp_nwpi71/helpdata/en/43/fc39c16bfb025ee10000000a1553f7/frameset.htm) under the release notes for SAP Conversion Agent there is still version 8.5, but when I install the actual Support Package I have Conversion Agent 8.6 running and according to information on the informatica.com site this version is running under 2008!
    Has anybody clear and actual information about which OS the newest SAP Conversion Agent for PI 7.1 EHP1 supports? Or has anyone experience with Conversion Agent and Windows 2008 Server?
    Thanks
    Christoph

    Hi Mark
    Thanks for your reply! Fact is that in the actual Package (SP06) the version of Conversion Agent Engine supplied is not 8.5.5 as in the SAP Note mentioned, it is version 8.6.0:
    C:\Documents and Settings\pi1adm>CM_console -v
    Engine-Version: 8.6.0(Build:30)
    Engine-Syntaxversion:4.00.10
    I will open a ticket for that ...
    Regards
    Christoph

  • ACS and Windows 2000 user database communication port

    Can my Windows 2000 SP4 + ACS v3.23 install any new Windows 2000 service pack?
    I'm afraid to infect the ACS Service.
    So, I want to install a firewall on this server to block malicious traffic.
    However, my ACS uses the external user database Windows 2000 for authentication.
    Who can tell me what protocols or port list they are communicating on?
    I have to avoid this traffic on my firewall.

    Hi cheng
    I think you can install any service pack without problem, and SP4 is the latest one for WIN2000 and your server already has this SP.
    For your second question, you need to specify many protocols according to your Active Directory config. In this link you can find a list of these protocols, and the best way is to use debug or logging or a sniffer to know the exact protocols that flow between your ACS and AD server.
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards

  • ACS 3.2 for Windows and Windows Active Directory.

    I'm using a member W2K server to run ACS 3.2.
    I'm using ACS and Windows group mapping but my users always go into default group.
    Why?
    Thanks.
    Andrea.

    I'm assuming your ACS \DEFAULT domain has NT Groups mapped to . Use a new Domain Configuration to add your AD and group mappings.
    The group name in ACS must match exactly the same group in AD, i.e. if your AD group name is "Engineering", create an ACS group with exactly the same spelling. Also, avoid certain characters such as @#%&*() in the naming of groups, both in AD and ACS.
    Hope this helps. let us know.
    P

  • ACS 5.3 and Windows AD account lockout

    Currently on 5.3.0.40.2, when an invalid password is attempted via TACACS or RADIUS to the AD identity store, it locks the account out on the first failed attempt. The AD policy is lockout after three attempts. Is there a way to fix this issue so the account is not locked out with only one failed attempt? I see options for local password policies in ACS but nothing for the identity store. For what it's worth, this also happened with the ACS 4.X deployment before we moved to ACS 5.3.
    Just wanted to see if this is the expected behavior or if I should open a TAC case to see what is causing this.
    Thanks.

    Hi;
    Well, we got it working. Not sure of the exact fix, but allow me to ramble, perhaps it will help someone else.
    We think that a combination of factors caused the problem. First, we had clock drift, and that resulted in clock skew messages in the logs like these:
    Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO  base.adagent start: Problem connecting to domain controller (KDC refused skey: Clock skew too great), will try again later.
    and
    ecb-acs1 adclient[1163]: WARN  base.bind.cache LDAP fetch CN=bubba,OU=staff,OU=edcenter,OU=edcenterarea,OU=episd,DC=episd,DC=org threw unexpected exception: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Clock skew too great"
    Somehow the ACS lost the ntp config, very disturbing, because I know that one of the first things I did was set up NTP. So I re-did the ntp config, confirmed the time was accurate. Still failed. Then, because I was annoyed by the log entries coming out in UTC, I did a clock timezone to set it to local. That made the logs come out in local time, but might have caused other problems (I saw another forum entry for that) so I set it back to UTC.
    This begs the question - how to leave the timezone at UTC but fix the timestamps for the logs? This is easy on Cisco switches.
    Various reboots of the ACS after deleting the object in AD did not fix the problem. During these reboots I continued to use the original userid and password to authenticate. At all times, the "test connection" button showed that the credentials were OK.
    Because we had recently added our first Win2008 domain controller to our world (all the other DCs are Win2k3), we started worrying about this:
    http://support.microsoft.com/kb/978055/en-us
    But, after some checking, it seems as if we already had the fix applied.
    Next, we created a dedicated user in AD for the ACS to use when authenticating. Deleted the ACS object, restarted the ACS, applied those new credentials. Still broken.
    Our AD admin looked in various logs and found some things, here is his summary:
    ----------- from Danny --------
    Checked the domain controller log under system.  Found the following:
    While processing an AS request for target service krbtgt, the account ecb-acs1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 17. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of ecb-acs1$ will generate a proper key.
    and
    While processing an AS request for target service krbtgt, the account stcrye did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of stcrye will generate a proper key.
    This may be related to either clock skew between ACS and the domain or introducing Server 2008 domain controllers into an existing Server 2003 domain.
    On a desperate hunch, after yet again deleting the ACS object in AD and reloading the ACS, I used the new dedicated ACS user account, but gave it a wrong password. Hit save, watched it fail. Then I put in the correct password, hit save, and it worked! Finally we have re-joined and are connected to the domain.
    BUT ... I have now lost all confidence in ACS 5.3. We are in the middle of a major rollout of WiFi clients using 802.1x authentication, replacing our previous pre-shared WPA setup. We are talking > 20,000 WiFi clients. If ACS <--> AD is not rock-solid, I need to try something else. Should we consider using LDAPS instead?
    Steve
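
The two symptoms in Steve's post, clock skew reported by `adclient` and the domain controller's "did not have a suitable key" events, can be pulled out of the logs mechanically. This is an added example, not part of the original thread and not Cisco or Microsoft code: the function names are hypothetical, the sample lines are copied from the post above, and the etype names are the IANA Kerberos assignments.

```python
import re

# Kerberos encryption type numbers (IANA registry). Negative values are
# Microsoft-internal types and are reported by number only.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
AES_ETYPES = {17, 18}

# Sample input: log lines copied from the post above.
SAMPLE = """\
Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO  base.adagent start: Problem connecting to domain controller (KDC refused skey: Clock skew too great), will try again later.
While processing an AS request for target service krbtgt, the account ecb-acs1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 17. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of ecb-acs1$ will generate a proper key.
While processing an AS request for target service krbtgt, the account stcrye did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23  -133  -128  3  1. Changing or resetting the password of stcrye will generate a proper key.
"""

SKEW_RE = re.compile(r"(?P<host>\S+) adclient\[\d+\]: .*Clock skew too great")
ETYPE_RE = re.compile(
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"requested etypes\s*:\s*(?P<req>[-\d\s]+?)\.\s*"
    r"The accounts available etypes\s*:\s*(?P<avail>[-\d\s]+?)\.",
    re.S,
)

def clock_skew_hosts(text):
    """Hosts whose adclient reported a Kerberos clock skew error."""
    return sorted({m["host"] for m in SKEW_RE.finditer(text)})

def etype_mismatches(text):
    """One finding per DC event where the requested etype has no stored key."""
    findings = []
    for m in ETYPE_RE.finditer(text):
        requested = [int(x) for x in m["req"].split()]
        available = [int(x) for x in m["avail"].split()]
        findings.append({
            "account": m["account"],
            "is_machine": m["account"].endswith("$"),  # computer accounts end in $
            "missing": [ETYPE_NAMES.get(e, str(e))
                        for e in requested if e not in available],
            "available": [ETYPE_NAMES.get(e, str(e)) for e in available],
            "has_aes_key": bool(AES_ETYPES & set(available)),
        })
    return findings

if __name__ == "__main__":
    print("clock skew on:", clock_skew_hosts(SAMPLE))
    for f in etype_mismatches(SAMPLE):
        kind = "machine" if f["is_machine"] else "user"
        print(f"{f['account']} ({kind}): no key for {f['missing']}, "
              f"has {f['available']}; AES key present: {f['has_aes_key']}")
```

On the sample, both accounts are asked for an AES etype while holding only RC4 and DES keys, which is the condition the event text says a password change or reset will fix.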

  • 802.1x and Remote Agent

    AD 2000 Domain, ACS appliance (running 3.3.1), remote agent on the Certificate authority. setup PEAP per instructions.
    When i try to login with a user on a desktop, it errors out. This is the error message i see in the RemoteAgent logs
    CSWinAgent 02/03/2005 17:13:56 A 0048 0604 NTLIB: Attempting Windows authentication for user RFI5771
    CSWinAgent 02/03/2005 17:13:56 A 0048 0604 NTLIB: Windows authentication SUCCESSFUL (by DC1)
    CSWinAgent 02/03/2005 17:13:56 A 0048 0604 NTLIB: Obtaining RAS information for user RFI5771 from DC1
    CSWinAgent 02/03/2005 17:13:56 A 0048 0604 NTLIB: NetUserGetLocalGroups failed with result [5]
    CSWinAgent 02/03/2005 17:13:56 A 0048 0604 NTLIB: nt_GetUsersNTGroups failed
    It's funny. With my ID, everything works (dot1x gets authenticated, dynamically assigned VLAN, properly authenticated).
    But I can't get it to work with any other user. Thinking that there was a rights issue with the Service account, I tested with a Domain admin account. No avail.
    Any thoughts? I tested this whole setup in a lab with ACS for windows and it works like a charm. Getting it to work with the appliance has been a bit challenging.

    Hi,
    Did you ever get to the bottom of this issue? I have the same issue with ACS 3.3.3 for Windows. I have not seen this issue on any other ACS Win / Appliance installs.
    Thanks in advance
    Allan

  • Change IP Address ACS 4.2 Appliance

    Hello,
    I have an ACS 4.2 Appliance integrated with AD and CA in Windows 2K3, both of them working OK, and Remote Agent, but we want to change the IP Address of the ACS 4.2 Appliance. What is the procedure to do this? Do I have to install the certificate again? I know that the certificate depends on hostname and IP address.
    Thank You
    Álvaro

    Hi Alvaro,
    Best take the serial console of the ACS Appliance and type set ip and follow the procedure to change the IP address
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/admap.html
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post
