ACS 5.1---AD Authentication VS LDAP

Similar Messages

• RSA authentication with LDAP group mapping

  Greetings,
  I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
  The problem I'm having is that my users are in multiple OU's on our AD tree.  When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error.  If I add an OU in front of it, then it will work fine.
  As far as I know, you can only use one LDAP configuration with RSA.
  Any thoughts on this?

  @Tarik
  I believe your suggestion is the only way i'm going to get this to work. I ran across a similar method just this week that I have been working on.
  I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen.  I have resorted to creating a Radius profile on the RSA appliance for each access group I need.  Using the Class attribute, I then pass the desired Group name to the ACS, i.e. OU=Admins, and that seems to work.
  Thankfully, I have a small group of users that I am attempting to map.  I will only map those who need elevated priviliges to narrow down how many profiles I will have to manually create.  Likewise, our Account Admin will have to determine who gets assigned a particular access group.
  I would still prefer to do this dynamically.
  Scott

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• SAP J2EE Engine -Config Tool authentication test(LDAP only)

  Hello. Can i know what causes the directory server authentication test(LDAP only) in the SAP J2EE Engine config Tool to fail to authenticate.
  Error message i got was: authentication failed: Unprocessed Continuation Reference(s).
  Please advise.

  Hi,
  what kind of directory server are you using?
  I'm not sure but it is possible that your ds uses referrals returns a referral to your client and the client does not follow them. Do you have any referrals configured?
  Cheers

• Using ACS for Cisco Prime authentication

  I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
  Any pointers?

  The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
  Administration > AAA > TACACS+ Servers > add tacacs server.
  Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
  The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
  "Configuring ACS 4.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
  https://supportforums.cisco.com/docs/DOC-17909
  In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
  Jatin Katyal
  - Do rate helpful posts -

• How can I implement Authentication in LDAP

  How can I implement Authentication in LDAP.

  Hi,
  If ur using JAAS, then use NTLoginModule in ur conf file and your own defined CallbackHandler for validating and obtaining the Subject (user connected to your domain).
  Remember the user is the one which the code obtains when u login to your Domain based machine.
  Apart from this, Apache Http Server also provides you with a popup window asking for the user's credentials when u set the SSPIDomain in the httpd.conf file.
  httpd.conf
  ========
  <Location /Seet/servlet/ >
  SSPIAuth On
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthName "seet190 auth"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  require valid-user
  SSPIDomain seet190
  </Location>
  seet190 is the domain name
  Actually so far in the Security Forum, u might refer to some of the replies posted for more help but actual LDAP authentication can be done by passing the user's info too.
  HTH,
  Seetesh

• ACS + Wired dot1x machine authentication

  Hi,
  I am trying to setup wired machine based authentication. I have followed this guide
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
  However I simply get the same error all the time on ACS.
  Invalid message authenticator in EAP request
  Switch config;
  interface GigabitEthernet0/46
  switchport access vlan 20
  switchport mode access
  media-type rj45
  dot1x pae authenticator
  dot1x port-control auto
  dot1x reauthentication
  dot1x guest-vlan 20
  i am trying to setup group matching to perform vlan assignment however I am just entering under the unknown user policy at the min with no vlan assignment setup.
  Anyone shed any light on this, all I want to do is authenticate a machine via certificates issue a vlan id based on the machine name and AD group matching. No user authentication this can be done via the PDC.
  Purely using machine auth.
  Cheers
  Scott

  Hi Guys,
  The plot thickens, I can authenticate via user 802.1x and I can also authenticate the machine against my existing 4.1 ACS server however when using the new server 4.2 I get the external DB authentication failure??
  Thanks for your help.
  Scott

• ACS 3.3, RSA Authentication Manager, Win2k3 AD

  What is the best practice for implementing cisco ACS 3.3, RSA, Win2k3 AD.
  We want to use these combo to authenticate our Remote access client. Our VPN/Firewall box is a ASA5540.
  Thx

  Hi
  You basically have 2 posibilities:
  Posibility 1:
  Use the ACS as the Central AAA Server and integrate all other Authentication-Servers with the ACS.
  The ACS Supports different Token Servers / AD / RADIUS Server directly.
  This is very smooth, you use the ACS to control all Authentication Request from your Network devices , TACACS+ or RADIUS.
  There is some limitations'thoug: ACS only supports One AD Domain and no Trusts ... this can be painful..
  Poisibility2:
  Use The ACS as a RADIUS proxy-Server.
  There are no "direct intagration" with the other Radius Servers - such as the ACE or the different ISA-Servers, but still alll client can use the ACS as their "AAA Radius Server".
  This requires separate configuration of all RADIUS servers, but it overcomes the limitation of the ACS Support of Microsoft TRUSTS.
  It is possible to use a mixture of both Cenarios, and you could use things like the domain-suffix (everything behind @ in [email protected]) to deside wich RADIUS server should do the Authentication.
  Hope This Helps
  Greetings
  Jarle

• APEX 3.2:  Switching between APEX authentication and LDAP?

  I'm building an APEX 3.2 application that has to be deployed automatically to the target environments (by executing the APEX export SQL in the relevant parsing schema).
  One problem is that different environments will have to use different authentication mechanisms:
  Development and System Test will use simple APEX authentication (i.e. APEX users).
  Acceptance Test and Production will use LDAP via OID for single sign-on.
  So how do I set the application up so that it can switch from APEX authentication to LDAP authentication if it is in the Acceptance Test or Production environments?
  My customers seem very reluctant to have a manual step in the process e.g. to switch the authentication scheme for the application after installation, so I need to find a way to do this automatically if possible.
  Any suggestions?
  Thanks.
  Chris

  Chris,
  We do something similar, in that we dynamically switch authentication based on the application you're trying to log in to. Basically, you need to set up a custom authentication procedure which checks which system you're in, and then validates the user appropriately.
  Does that help?
  -David

• ACS 5.1 administrator authentication via AD

  Hi,
  We are migrating from ACS 3.3 to 5.1 - formerly we were able to configure ACS to use an external database for internal user passwords. Thus, in 3.3, we had AD users using a Windows database for their password and we were able to use our AD accounts to administer ACS.
  In 5.1, when viewing the "Accounts" under the System Administration dropdown, there appears to be only the ability to create internal accounts and use internal passwords. This is yet another password mechanism to track, enforce, and audit - it would be preferable to have the option to use our AD accounts to get around this. I've looked through the User and Identity stores and don't see an obvious way of making this work, and there is no mention of it in the documentation.
  Note that I am not talking about authenticating devices to Active Directory, this functions fine - I'm talking about the actual ACS system administrator / web authentication. Am I just missing the option?
  Thanks.

  Doug,
  The option you are looking for in not available in any  ACS 3.x/4.x / 5.x.
  ACS administrators are configrued  locally.
  Regards,
  ~JG
  Do  rate helpful posts

• PEAP authentication to LDAP

  Hi,
  I have a working WLAN solution that uses PEAP (1252 AP's, WCS, 4400 controllers etc.). At the moment we authenticate against Active Directory via a Cisco ACS appliance (v4.1) - this works fine.
  We are trying to also get authentication working to our LDAP Server - however, ACS keeps reporting "Authentication type not supported by external DB". It also doesn't seem to even try to contact the LDAP server looking at our LAN sniffer logs.
  Any ideas ? Thanks, Tim.

  You can't authenticate PEAP against LDAP (at least a non-Active Directory LDAP; I've never tried pointing to an Active Directory LDAP). PEAP is a Microsoft-funded "standard". If you still want to use EAP but don't want to deal with client certs (as in EAP-TLS), you can do EAP-GTC or EAP-FAST. The problem for lots of people with that is that Windows XP and Vista do not support it natively via ZeroConfig. You have to use a client such as Intel ProSet, Juniper Oddysey, or Cisco Secure Services Client.
  See http://en.wikipedia.org/wiki/EAP-TLS#PEAPv1.2FEAP-GTC for more info about EAP.

• ACS configuration for NAC authentication

  Hello,
  I've been trying to configure my ACS server to allow user authentication via the cisco NAM, but it does not seem to work anytime i try to log in with my configured username/password on the ACS server.
  I need someone to guide me through how to get this resolved.
  Regards,

  I am assuming you are having the NAM authenticate NAC Agent login requests against ACS.
  This can be done via RADIUS or LDAP.
  Check out the Cisco NAC Chalk Talks, particularly 'Configuring Authentication, Roles, and SSO'
  Chalk Talk Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

• ACS 4.2 Appliance integration with LDAP

  Hi,
  I would like to ask some question from the expert here.
  1. I'm building 802.1x infra for my customer.
  2. We are using ACS SE version 4.2
  3. We have successfully integrate the ACS with AD using Remote Agent.
  4. Using will authenticate using PEAP MS-CHAP v2.
  5. However, my customer dont want to use Remote Agent (RA) because the want the ACS talk to the external database directly.
  6. Their argument is, if they bought other Radius appliance for this project, the appliance should have the same function in order to authenticate the user.
  7. What are needed to complete this requirement?
  I saw in this table http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp857274 the LDAP does not support PEAP MS-Chap v2.
  Can any expert give opinion on this issue?

  Despite various efforts a few years back, LDAP vendors could not be persuaded to implement an MSCHAP interface - which is technically possible.
  That said ACS also has its Windows External Authenticator that will do MSCHAP just fine to a Windows AD Server (via a different interface).
  The old LEAP protocol was mschap inside EAP. EAP-FAST can also do mschap too.
  The key is not use the LDAP authenticator in ACS. If you really must use it, you'll have to make sure you use EAP-GTC inside your PEAP/FAST tunnel

• ASA Remote Access Authentication with LDAP Server

  Thank you in advance for your help.
  I am configuring an ASA to authenticate with a ldap server for ipsec vpn access.  My customer has 3 networks that are to be accessed by remote users.  However they want to be able to say that one user can get to 2 of the networks and not the 3rd.  So basically they want control over what network behind the firewall each user can access.  This seems doable from my reading and I had planned to creating a group for each network that needs accessible and either do attribute maps to each group with a separate group created on the ldap server for authentication.  Basically a ldap group on the ldap server that will have the users name in the group in order for access.  I can restrict access via acl's or filtering to force my group to only be allowed access to a specific network.  Here is the problem I am having now.
  The ldap server has been created and seems to be working fine.  I have created my AAA groups and servers and I have done the ldap test with a test user vpntest and a password on the ldap server.  When I run the authentication test from the ADSM or command line I get a good authentication successful message.  So I configured a vpn client remotely and attempted to authenticate to this group and it says there is no user by that name.  Below is a paste of the debug.  The second part is when I did a successful test from the ASDM or CLI and it worked great.  The first part is when I attempted from the vpn client.  It all looks the same from the search criteria.  What am I missing here or does anyone more knowledgeable see anything that I am doing wrong.  Can this be done this way or should I try radius.  The customer was just adament about using ldap.
  extvpnasa5510#
  [243] Session Start
  [243] New request Session, context 0xd5713fe0, reqType = 1
  [243] Fiber started
  [243] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [243] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [243] supportedLDAPVersion: value = 2
  [243] supportedLDAPVersion: value = 3
  [243] No Login DN configured for server 130.18.22.44
  [243] Binding as administrator
  [243] Performing Simple authentication for  to 130.18.22.44
  [243] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [243] User DN = [uid=vpntest,ou=employees,o=msues]
  [243] Talking to iPlanet server 130.18.22.44
  [243] No results returned for iPlanet global password policy
  [243] Fiber exit Tx=386 bytes Rx=414 bytes, status=-1
  [243] Session End
  extvpnasa5510#
  [244] Session Start
  [244] New request Session, context 0xd5713fe0, reqType = 1
  [244] Fiber started
  [244] Creating LDAP context with uri=ldaps://130.18.22.44:636
  [244] Connect to LDAP server: ldaps://130.18.22.44:636, status = Successful
  [244] supportedLDAPVersion: value = 2
  [244] supportedLDAPVersion: value = 3
  [244] No Login DN configured for server 130.18.22.44
  [244] Binding as administrator
  [244] Performing Simple authentication for  to 130.18.22.44
  [244] LDAP Search:
          Base DN = [ou=employees,o=msues]
          Filter  = [uid=vpntest]
          Scope   = [SUBTREE]
  [244] User DN = [uid=vpntest,ou=employees,o=msues]
  [244] Talking to iPlanet server 130.18.22.44
  [244] Binding as user
  [244] Performing Simple authentication for vpntest to 130.18.22.44
  [244] Processing LDAP response for user vpntest
  [244] Authentication successful for vpntest to 130.18.22.44
  [244] Retrieved User Attributes:
  [244]   sn: value = test user
  [244]   givenName: value = vpn
  [244]   uid: value = vpntest
  [244]   cn: value = vpn test user
  [244]   objectClass: value = top
  [244]   objectClass: value = person
  [244]   objectClass: value = organizationalPerson
  [244]   objectClass: value = inetOrgPerson
  [244] Fiber exit Tx=284 bytes Rx=414 bytes, status=1
  [244] Session End

  Hi Larry,
  You can map AD group memberships to specific group policies on the ASA, you can find that configuration here:
  - http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html
  Let me know if further assistance is required!
  Please proceed to rate and mark as correct the helpful Post!
  David Castro,
  Regards,