ACS 4.2 integration with AD 2008 R1
Hi,
I have configured my WLC 4402 for Radius authentication using Cisco ACS server version 4.2 Patch 4.
When using Local Database of ACS my Wireless Users are able to authenticate but users are not able to authenticate from External Database of Windows AD 2008 R1.
In ACS logs I am getting this error:
Authentication session timed out. Challenge not provided by client.
Please suggest.
Thanks in advance,
Pulkit
Can you raise the service control to full and try again? You will need to log in to the machine (I am assuming ACS for Windows) and then analyze the auth.log and the rds.log and see if you are having any Windows-related errors in the auth.logs and see what the issue is in the RDS logs.
Which authentication protocol are you using? LEAP, EAP-TLS, PEAP?
thanks,
Tarik
Similar Messages
-
Hello Everyone,
Can a single ACS appliance be integrated with a diff OU in the AD (maybe with a diff IP address range). If yes, how?
Thanks,
Rishi
Rishi,
Are you looking to leverage certain group in AD to be assigned to a specific subnet? If yes, then this can be done through dynamic vlan assignment.
Thanks,
Tarik Admani -
Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003
How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks
You can't actually see the user's membership from ACS. All you can do is create a group mapping under External Database >> Group Mapping. This gives you an option to map an external (AD) group to an internal group. The group membership needs to be modified in Active Directory.
Once the user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it will be mapped to an ACS internal group based on the group mapping we did.
Let me know if you have any doubts.
Regards,
Jatin -
WLC integrating with Windows 2008 AD
Hi,
I want to integrate WLC with Windows 2008 server. If anybody has done this integration I would like to know what steps I need to do on the Microsoft side. If you have any document related to MS 2008 integration, please share the information with me.
Thanks in advance.
Regards,
Sunish
Can you provide more detail around what you mean by integrate? I don't think a WLC can talk directly to AD (Kerberos, LDAP, or otherwise).
If what you mean by "integrate" is to be able to authenticate wireless users against AD, then you will need something to proxy that authentication. That is usually a RADIUS server. Cisco ACS and Microsoft IAS are two common RADIUS servers, both of which can talk to AD. Check out the Cisco ACS 4.2 configuration guide for a good example. Here's a link to an older Microsoft article, but it still applies to 2008 (Microsoft IAS is still included with Windows Server).
http://www.microsoft.com/downloads/details.aspx?familyid=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&displaylang=en -
LMS 2.6 and ACS 4.2 compatible with Windows 2008 R2 Active Directory?
Hi,
We are planning to upgrade CORP Domain from Windows 2003 Active Directory Schema to Windows 2008 R2 Active Directory Schema.
I wanted to know if the following applications which are installed on windows (domain member servers) are compatible with windows 2008 server R2 schema?
CiscoWorks LAN Management Solution 2.6
Cisco Secure Access Control System 4.2
Cisco Fabric Manager 1.5
Any help is much appreciated!
- CiscoWorks LAN Management Solution 2.6 - Not supported and this software is EOS-EOL.
www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_end-of-life_notice0900aecd80532c07.html
- Cisco Secure Access Control System 4.2 - Not supported either:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041324
- Cisco Fabric Manager 1.5 - I was not able to find anything for version 1.5 and am not really familiar with this product. However, according to the release notes below, not even version 4.2(7d) supports 2008:
www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/fm/release/notes/20325_10.html#wp657668 -
ACS 5.3 Integration With RSA
Hi People,
I have Integrated the ACS 5.3 with AD.
Now my next goal is to Integrate ACS with RSA in such a way that all my Cisco devices should use the username and password from the AD.
The enable privilege level should come from the RSA Token OTP.
Is it possible to do such a thing with ACS 5.3???
If so how could i do it???
Thanks,
Manoj
I think that you can try and make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary
(this is not tested and based on my recollection so would need your verification)
1) Create a custom condition for the service attribute in TACACS+ dictionary
Policy Elements > Session Conditions > Custom
Create: Dictionary: TACACS+ ; Attribute:Service
2) Utilize in a rule in Device Admin identity policy
Access Policies > Access Services > Default Device Admin > Identity
Select rule-based
Customize based on condition in 1
Create a rule for when Service is "Enable". Select identity source as RSA in this case -
ACS 5.2 Sync with Windows 2008 AD but cannot see the Groups
Hi Pals,
Recently I've been working with the ACS 5.2 (Installed on VMWare). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008 I change the AD platform to Win Server 2008 Enterprise edition (x64).
I don't really have a great experience with Win Server Platforms and, for what I've seen, the Win Server 2003 Services deployment is easier than the Win Server 2008 is.
So, when I used the Win Server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD, the ACS and the Server get synchronized, but when I want to add the groups for authentication purposes there is no one, absolutely nothing... so I cannot do any test.
Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and in the end the platforms are compatible.
Any Idea??
Thanks in Advance.
Jose M Cortes H
Hi Jose,
This should generally work.
From what I could read, you cannot list AD groups when trying to select them under an authentication/authorization rule.
What about when trying to list them under the AD configuration?
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
Unfortunately, without more details on a specific error message, it would be hard to tell where the root cause could lie.
We could collect some initial logs from ACS 5.2, in order to start isolating the issue:
1. Log in to the ACS command line and enable the following debugs:
admin# acs-config
Escape character is CNTL/D.
Username:
Password:
acsadmin(config-acs)# debug-adclient enable
acsadmin(config-acs)# debug-log mgmt level debug
acsadmin(config-acs)# debug-log runtime level debug
2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under
Troubleshooting > ACS Support Bundle
Please be sure of collecting the support bundle while checking the following options:
Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day
Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Cisco ACS 4.2 integration with Active Directory
Hello,
I'm new to the administration of ACS; we have recently implemented ACS version 4.2 on a server
to manage all user authorization for our network.
We are in an environment which has an Active Directory with groups and users.
Now I'm just able to create a new user in ACS and work with it on the client switch. What I need to do is integrate my ACS 4.2 with Active Directory
to work with the users and groups that are registered in my AD.
Can someone help me please?
You can't actually see the user's membership from ACS. All you can do is create a group mapping under External Database >> Group Mapping. This gives you an option to map an external (AD) group to an internal group. The group membership needs to be modified in Active Directory.
Once the user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it will be mapped to an ACS internal group based on the group mapping we did.
Let me know if you have any doubts.
Regards,
Jatin -
New AD 2012 setup, integrating with existing 2008 setup
I would like to setup AD for a client.
I currently have a Windows 2008 file server with a single local user that everyone uses to connect, wide open permissions, no groups, very basic and simple setup.
I have created two new test 2012 R2 servers for AD, I can join my workstation to the Domain, login with an AD user and mount the shared drive from the fileserver, create files etc, everything works.
When I created the domain I selected 2012 functional level.
Would it be best to keep everything at the 2012 level and upgrade the fileserver to 2012 and then join the domain?
Or redo the AD setup and make it compatible with 2008 and 2012 servers, then I can just join the server to the domain.
I am hesitant to touch the fileserver, not sure how well upgrading from 2008 to 2012 works?
The main reason for setting up AD is for group policy, permissions on the server, setting up groups etc.
Thanks for any advice.
The functional level only applies to DCs (e.g. you can only have Windows Server 2012 DCs or later), so you can go ahead and join the file server to the domain just as you did with the workstation.
Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - Directory Services Blog -
Hi,
Is it possible to integrate ACS and CAR with DB-2 Database and if yes, are there any limitations or issues related to that? Does CAR or ACS loose any functionality in such integration?
I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
Thanks,
Habib U Dashti
Hi Habib,
Yes, ACS can be integrated with DB-2, as ACS is ODBC compliant and so is DB-2. The other way round is that you can convert the DB-2 database into a flat file structure and import it into the ACS database. Regarding limitations or issues I do not have any info.
And CAR has its own database and does not support DB-2.
Thanks. -
ACS 4.2.0.124 Appliance with Active Directory with windows 2008
We have an 802.1x solution with Cisco ACS appliances which is working fine; the solution includes two ACS appliances version 4.2.0.124 and two Remote Agents which are set up on Windows 2003. The Remote Agent is integrated with Active Directory Windows 2003. The computers have Windows XP with Service Pack 2 and Service Pack 3; all computers do machine authentication and then user authentication. My customer is thinking of migrating the Active Directory from Windows 2003 to Windows 2008. My question is: will there be some problem with Active Directory 2008 and the current ACS and 802.1x solution, or will I have to do additional tasks?
Marco
Hi,
You can find the supported Windows Server versions in the online documentation:
ACS 4.2: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041376.
ACS 4.2.1: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Installation_Guide/windows/install.html#wp1041376.
So, I would suggest you double-check carefully the Release and Service Pack of the new 2008 Servers and also the OS bit version to make sure you migrate to Win2008 but continue on a supported scenario.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
ACS Integration with Microsoft Active Directory Services
Hello Everyone,
I've been tasked to design the integration of ACS with MS AD. What I want to know is the below, assuming I have a software ACS or an ACS appliance and the protocol for authentication is RADIUS
- What are the criteria for the AD to integrate with ACS software or appliance
- Should that AD be hosted on the domain controller or not?
- If not, on what (Domain Controller, Tree, Forest, Branch, Flower, Fruit ) should the AD be hosted on?
- What will I have to do to authenticate users logging into Cisco Security Manager with ACS integrated with AD?
- Are there any other dependencies that I will have to categorically mention in my design document?
Thanks,
Rishi
In ACS v5.x, there is a screen for integrating the ACS with AD.
(Users and Identity Stores > External Identity Stores > Active Directory)
Just enter the local domain name (domain.com) and a valid AD administrator account username and password, and the ACS will connect to the domain. This allows you to use existing AD credentials to login and administer your network devices.
Tying the ACS to AD really only takes one screen and less than a minute, but you will still have to tell the ACS which AD groups get which permissions (for example, read-only or read-write access), and you will have to setup a search sequence (Users and Identity Stores > Identity Store Sequences) to tell ACS to first look at AD for credentials, then check the local ACS user database for valid accounts. The permissions part is still fairly quick, and it only takes me about 45 minutes to build an ACS from scratch including all AD integration and custom RADIUS attributes for some of our devices.
The authentication would occur like this:
User SSH/telnet/console to device
Device contacts ACS using TACACS or RADIUS
User receives login prompt and enters AD credentials
Device sends credentials to ACS
ACS validates credentials in AD
ACS sends authentication OK message to Device
Device logs user in.
Command Authorization looks something like this:
User enters a command
Device sends command authorization request to ACS
ACS looks at which AD group the user belongs to and looks up permissions configured in ACS for that group
Based on the permissions you have assigned, ACS either sends an allow or deny message to the Device
Device allows or denies the user command.
Criteria: We use an ACS 5.2 virtual machine and have had it work perfectly with Server 2003 and Server 2008.
AD is hosted on our local domain controller (Bonus: no planting of flowers required!)
Dependencies:
Issue: The Device looks to ACS. ACS looks to AD. If AD fails, users cannot use their AD credentials to login.
Device ---> ACS ---> AD
Solution: Configure the Device to look at ACS first, then a local table if ACS is not available. Also, configure the ACS to look at AD first, then a local ACS account list if AD is not available. (You can configure local user accounts on the Device and in the ACS)
Device ---> ACS ---> AD
Device ---> ACS ---> AD ---> ACS local
Device ---> ACS ---> AD ---> ACS local ---> Device local
The new version of Cisco ACS is UNIX-based, and you can download a free trial to load up and try before you buy. It is far FAR superior to the old ACS v3.3 that we had for years.
I hope this helps for your design document!
--Chris -
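The fallback chain Chris draws above, as an added example (not Chris's or Cisco's code): a small Python model with constructed stores, users and passwords, showing that only an unanswered request falls through to the next hop, while a rejected password stops the chain so the local tables never become a second guess.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # the store answered: credentials are wrong
    UNAVAILABLE = "unavailable"  # the store never answered (down, timeout)


# A store takes (user, password, trail) and appends what it did to the trail.
Store = Callable[[str, str, List[str]], Result]


def credential_store(name: str, users: Dict[str, str], up: Dict[str, bool]) -> Store:
    """Constructed stand-in for AD, the ACS local user list, or the device's
    local username table. 'up' is shared so callers can take a hop offline."""
    def check(user: str, password: str, trail: List[str]) -> Result:
        if not up.get(name, True):
            trail.append(f"{name}: no response")
            return Result.UNAVAILABLE
        ok = users.get(user) == password
        trail.append(f"{name}: {'accept' if ok else 'reject'}")
        return Result.ACCEPT if ok else Result.REJECT
    return check


def sequence(name: str, up: Dict[str, bool], *stores: Store) -> Store:
    """One hop in the chain (ACS, or the device itself) that consults its
    stores in order. Only UNAVAILABLE falls through to the next store; a
    REJECT is final, otherwise a wrong AD password would get a second
    attempt against the local tables, defeating the point of the fallback."""
    def run(user: str, password: str, trail: List[str]) -> Result:
        if not up.get(name, True):
            trail.append(f"{name}: no response")
            return Result.UNAVAILABLE
        for store in stores:
            result = store(user, password, trail)
            if result is not Result.UNAVAILABLE:
                return result
        return Result.UNAVAILABLE
    return run


def login(user: str, password: str, device: Store) -> Tuple[Result, List[str]]:
    """A device login; nothing answering at all is treated as a reject."""
    trail: List[str] = []
    result = device(user, password, trail)
    return (Result.REJECT if result is Result.UNAVAILABLE else result), trail


# Constructed environment: Device ---> ACS ---> AD ---> ACS local ---> Device local
UP: Dict[str, bool] = {}
ad = credential_store("AD", {"alice": "ad-pw"}, UP)
acs_local = credential_store("ACS local", {"acsadmin": "acs-pw"}, UP)
device_local = credential_store("Device local", {"console": "dev-pw"}, UP)
acs = sequence("ACS", UP, ad, acs_local)
device = sequence("Device", UP, acs, device_local)
```

The trail returned by login is the audit record a defender wants: which hop actually answered, and whether a local account was used because AD or ACS was unreachable.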
OIM 9.1.0 Integration with Active Directory 2008 R2
Hi,
My customer is running a Root/Child AD structure based on Windows 2003 w/SP2, OIM 9.1.0 deployed under one of the child domains, and integrated with child domain controllers which run Windows Server 2003 as well.
My customer has decided to upgrade his AD to Windows Server 2008 R2 domain controllers across the entire AD Forest and still wants to integrate the current OIM v9.1.0 with AD for all of his Users provisioning and password synchronizations.
I am not sure if the current OIM version, OIM 9.1.0, is compatible and supported under Active Directory version 2008 / R2, and not sure if it can be integrated with such an AD version.
Any guidance is really appreciated.
Also I was thinking of such scenario but also not sure of its support ability and if OIM will keep working on such scenario, the scenario is to upgrade only the AD root domain to Windows 2008 R2 while keeping the child domain holding the OIM 9.1.0 at Windows 2003 version.
Is this a working and supported scenario for OIM v9.1.0?
I believe your question should be whether the connector supports this architecture. Check out the versions supported for the connector you are using and you should be good.
-Bikash -
Integration of Xcelsius 2008 SP3 with BO Edge 3.1
Hello Experts,
We are using Xcelsius Engage 2008 SP3 and want it to be integrated with BO Edge 3.1 ..
I have downloaded and installed the Xcelsius SP3 trial. The build version is 12.3.0.670
On installation of SAP Integration Kit 3.1 I see SAP in the main menu of Xcelsius 2008. However, unlike Crystal Reports 2008 SP1, the SAP menu is all greyed out (it's non-modifiable).
Am I missing anything here?
-Amit
Hi,
I am using following components on my front end desktop -
SAP GUI 710 Patch 17
SAP Integration Kit 3.1 ( Client components )
Crystal Reports 2008 SP1 ( Integrated OK with the SAP Server )
SAP Crystal Dashboard Design 2008 (provided in the link - http://www.sap.com/solutions/sapbusinessobjects/sme/freetrials/index.epx also referred to as Xcelsius Engage 5.3) - SAP link visible on the menu of Xcelsius Engage but is greyed out.
SAP BW Version - Installed on a separate host - Netweaver 7.0 SPS 19.
SAP BO Edge 3.1 - Installed on a separate host with SAP Integration Kit ( Server Components )
Can you please inform me if Xcelsius Enterprise is different from Xcelsius Engage? If yes, from where can I download the trial version of Xcelsius Enterprise?
-Amit -
ACS Express integration with Active Directory
Hello,
I have ACS Express version 5.0.1 installed on Cisco ADE; I'm trying to get it integrated with an Active Directory without success.
I did packet captures on the ASA that is in between and I can see communication going through just fine. I ran a diagnostic on the ACS Express and got this:
DIAGNOSTIC USING THE IP ADDRESS OF THE DOMAIN CONTROLLER:
Output of AD Domain Diagnostics:
IP Diagnostics
Local host name: he-zfm-acs-01
Local IP Address: 172.31.67.10
Not found in DNS!Make sure it is in Reverse Lookup Zone.
FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
Domain Diagnostics:
Domain: 172.24.2.93
Subnet site:
WARNING! Unable to locate computer's subnet site in Active Directory.
Ask your Active Directory administrator to add this computer's subnet
to the appropriate site.
DNS query for: _ldap._tcp.172.24.2.93
Found no SRV records!
Computer Account Diagnostics
Not joined to any domain
AD Agent Process Status: Not joined to any domain
DIAGNOSTIC USING THE AD REALM:
Output of AD Domain Diagnostics:
IP Diagnostics
Local host name: he-zfm-acs-01
Local IP Address: 172.31.67.10
FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
Domain Diagnostics:
Domain: CLAROCR.AMERICAMOVIL.CA1
Subnet site: TELECOM
DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
Found SRV records:
rom-pro-dc-03.clarocr.americamovil.ca1:389
Testing Active Directory connectivity:
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:389
Domain controller type: Windows 2003
Domain Name: CLAROCR.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: AMERICAMOVIL.CA1
DNS query for: _gc._tcp.AMERICAMOVIL.CA1
Testing Active Directory connectivity:
Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
gc: 3268/tcp - timeout
No TCP LDAP response, giving up on rom-des-dc-01.desa1sv.americamovil.ca1
Global Catalog: rom-amv-dc-02.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-tlc-dc-01.telecom.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-pro-dc-03.clarocr.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-tlc-dc-02.telecom.americamovil.ca1
gc: 3268/tcp - good
Global Catalog: rom-amv-dc-01.americamovil.ca1
gc: 3268/tcp - good
Domain Controller: rom-amv-dc-02.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-tlc-dc-01.telecom.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: TELECOM.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: CLAROCR.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-tlc-dc-02.telecom.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: TELECOM.AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Domain Controller: rom-amv-dc-01.americamovil.ca1:3268
Domain controller type: Windows 2003
Domain Name: AMERICAMOVIL.CA1
isGlobalCatalogReady: TRUE
domainFunctionality:
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: AMERICAMOVIL.CA1
Computer Account Diagnostics
Not joined to any domain
AD Agent Process Status: Not joined to any domain
Dennis,
Time in sync on the ACS and AD servers?
Faisal
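An added example (not ACS Express code) that reproduces the checks the diagnostic above performs, with the DNS SRV and TCP probes injected so it runs offline against constructed fakes built from the page's hostnames; it covers the two failure modes visible above (a DC IP address typed in place of the realm, and one global catalog timing out while others answer) plus the clock-skew check Faisal's reply points at. The function names and the 300-second Kerberos tolerance are assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Services the diagnostic above probes on each domain controller.
DC_PORTS: Dict[str, int] = {"ldap": 389, "smb": 445, "kdc": 88, "kpasswd": 464}
GC_PORT = 3268
KERBEROS_MAX_SKEW = 300  # seconds; assumed default Kerberos clock-skew tolerance

SrvLookup = Callable[[str], List[Tuple[str, int]]]  # SRV name -> [(host, port)]
TcpCheck = Callable[[str, int], bool]                # (host, port) -> reachable?


def realm_precheck(realm: str, forest: str, srv_lookup: SrvLookup,
                   tcp_check: TcpCheck, clock_skew: float = 0.0) -> List[str]:
    """Return findings in the order the diagnostic would hit them.
    Entries starting with 'warning:' do not block a domain join on their own."""
    findings: List[str] = []
    # First run on the page: the domain field held a DC IP address, so the
    # query became _ldap._tcp.172.24.2.93, which no DNS zone can answer.
    try:
        ipaddress.ip_address(realm)
        findings.append(f"'{realm}' is an IP address, not a realm: "
                        f"_ldap._tcp.{realm} can never resolve")
        return findings
    except ValueError:
        pass  # not an IP literal, carry on
    dcs = srv_lookup(f"_ldap._tcp.{realm}")
    if not dcs:
        findings.append(f"found no SRV records for _ldap._tcp.{realm}")
        return findings
    for host, _ in dcs:
        for service, port in DC_PORTS.items():
            if not tcp_check(host, port):
                findings.append(f"{host}: {service} {port}/tcp unreachable")
    # Second run on the page: one global catalog timed out but others
    # answered, so a join is still possible; report it as a warning only.
    gcs = srv_lookup(f"_gc._tcp.{forest}")
    reachable = [host for host, _ in gcs if tcp_check(host, GC_PORT)]
    for host, _ in gcs:
        if host not in reachable:
            findings.append(f"warning: GC {host}: {GC_PORT}/tcp timeout")
    if gcs and not reachable:
        findings.append(f"no global catalog of {forest} reachable")
    # Faisal's question: Kerberos (kdc/kpasswd above) rejects the join when
    # the ACS clock drifts past the tolerance, even with every port open.
    if abs(clock_skew) > KERBEROS_MAX_SKEW:
        findings.append(f"clock skew {clock_skew:.0f}s exceeds "
                        f"Kerberos limit of {KERBEROS_MAX_SKEW}s")
    return findings


# Constructed fakes mirroring the page's second diagnostic run (not live DNS).
FAKE_SRV: Dict[str, List[Tuple[str, int]]] = {
    "_ldap._tcp.CLAROCR.AMERICAMOVIL.CA1":
        [("rom-pro-dc-03.clarocr.americamovil.ca1", 389)],
    "_gc._tcp.AMERICAMOVIL.CA1":
        [("rom-des-dc-01.desa1sv.americamovil.ca1", 3268),
         ("rom-amv-dc-02.americamovil.ca1", 3268)],
}
FAKE_DOWN = {("rom-des-dc-01.desa1sv.americamovil.ca1", 3268)}


def fake_srv(name: str) -> List[Tuple[str, int]]:
    return FAKE_SRV.get(name, [])


def fake_tcp(host: str, port: int) -> bool:
    return (host, port) not in FAKE_DOWN
```

For a live run, pass a real SRV resolver (for example dnspython's `dns.resolver.resolve(name, "SRV")`) and a probe built on `socket.create_connection` in place of the fakes.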