ACS 5.1 against Hybrid AD

Did anyone experience problems with ACS 5.1 and a hybrid AD environment (round robin AD 2008 and AD 2003)? The problem intermittently happened for authentication from wireless users.

Thank you Stephen,
Apologies if I ask this one at a time, but would it be possible to also perform the inverse lookup for the IP address of the DC?
nslookup
In this way, we should verify whether PTR records exist for the queried names on the DNS server: it's a common scenario in AD deployments and it's normal practice to configure these manually, because the AD wizard will not do it automatically, nor will auto registration.
Could you please confirm that also PTR records on the DNS server are created for the IP of the DC?
http://technet.microsoft.com/en-us/library/cc722542.aspx
If none of these steps helps further, we may need to take a look at the ACS logs:
1. Please log in to the ACS GUI and enable the DEBUG logging level for the module "AAA Diagnostics", under
System Administration > Configuration > Log Configuration > Logging Categories > Global
2. Also, please log in to the ACS command line and enable the following debugs:
admin# acs-config
Escape character is CNTL/D.
Username:
Password:
acsadmin(config-acs)# debug-adclient enable
acsadmin(config-acs)# debug-log runtime debug
3. Please recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under
Troubleshooting > ACS Support Bundle
Please be sure to collect the support bundle with the following options checked:
Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day
Also, please communicate to me the time stamp when the issue is observed, so that I can track it faster in the logs.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
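The forward/reverse lookup Fede asks for above can be scripted so that every DC is checked the same way: resolve the DC name to its IP(s), reverse-resolve each IP, and confirm the PTR points back to the same name. The script below is an added example, not part of the original thread or of Cisco ACS; the DC names, IP addresses and the sample resolver tables are constructed placeholders, and the `live_forward`/`live_reverse` helpers are the ones to pass in when running it against a real DNS server.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data standing in for DNS answers (not real hosts).
# dc02 deliberately has no PTR record, the condition the thread is looking for.
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "dc01.example.local": ["192.0.2.10"],
    "dc02.example.local": ["192.0.2.11"],
}
SAMPLE_REVERSE: Dict[str, str] = {
    "192.0.2.10": "dc01.example.local",
}

Finding = Tuple[str, Optional[str], str]


def check_dc_dns(dc_names: List[str],
                 forward: Callable[[str], List[str]],
                 reverse: Callable[[str], Optional[str]]) -> List[Finding]:
    """For each DC name: resolve its A record(s), reverse-resolve every IP and
    confirm the PTR names the same host. Returns (name, ip, status) tuples."""
    findings: List[Finding] = []
    for name in dc_names:
        ips = forward(name)
        if not ips:
            findings.append((name, None, "no A record"))
            continue
        for ip in ips:
            ptr = reverse(ip)
            if ptr is None:
                findings.append((name, ip, "missing PTR"))
            elif ptr.lower().rstrip(".") != name.lower().rstrip("."):
                findings.append((name, ip, f"PTR mismatch: {ptr}"))
            else:
                findings.append((name, ip, "ok"))
    return findings


def live_forward(name: str) -> List[str]:
    """Real A lookup via the system resolver (gethostbyname_ex -> ipaddrlist)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (gethostbyaddr -> hostname)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def sample_forward(name: str) -> List[str]:
    return SAMPLE_FORWARD.get(name, [])


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_REVERSE.get(ip)


if __name__ == "__main__":
    # Offline run over the constructed tables; swap in live_forward/live_reverse
    # to check a real environment.
    for name, ip, status in check_dc_dns(list(SAMPLE_FORWARD), sample_forward, sample_reverse):
        print(f"{name:22} {ip or '-':16} {status}")
```

Anything other than "ok" for a DC is worth fixing before looking further at ACS, since a missing or wrong PTR is exactly the manually-maintained record the reply above describes.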

Similar Messages

  • Two factor authentication ACS 5.x against external Radius and Active Directory

    On ACS 5.x I'd like to authenticate against two external Directories
    Active Directory
    Black Shield Token Server (via RADIUS)
    I found a description that mostly meets my requirements at
         http://blog.pbmit.com/digipass2
    Does somebody have an idea how this has to be implemented on Cisco ACS 5.3?
    In the identity store sequence there's no way to implement a compound condition (if user authenticated against Directory 1 AND Directory 2 then success)
    Active Directory and Cisco ACS
          This solution attempts to solve the limitation described in Solution 1. Instead of letting the Identikey server communicate directly to the AD, we use the Identikey server only to strip the PIN and OTP from the password and loop the authentication request back to the Cisco ACS to utilize its Identity Store Sequence, which can now be set to both Internal Identity Store and AD.

    Just following up to see if there was a solution to this. I am also interested in setting this type of scenario up.

  • Guest portal using ACS to authenticate against AD

    Running ACS 5.3, I have a Wireless Access policy that authenticates wireless users either by mac address, AD user name or computer name, depending on what AD groups the accounts belong to.  My Network Authorization policy has rules because only certain groups should access certain SSIDs.
    I am trying to get the Guest authentication portal to accept and authenticate AD users belonging to a certain group, but I run into 15039 Selected Authorization Profile is DenyAccess
    Somewhere for some reason my authorization policy is denying access. 
    Needing some assistance in troubleshooting these rules.

    You have to change the Group Map Attribute to "member" and authorization will work.

  • 802.1x wireless authentication against RADIUS authenticator

    Hi all,
    Would like to check out some client side settings on wireless 802.1x authentication.
    Network setup is using
    - Cisco WLC 7.2 and AP3500,
    - ACS 5.3
    - Microsoft Windows server 2008 hosting AD and CA services (same machine)
    - Client OS is Microsoft Window 7.
    Authentication method would use PEAP-MSChap V2 combo.
    My question :
    01. In AD environment, should ACS 5.3 be part of the domain computer?
    02. To have secure connectivity, IF the security policy forces the client to check "Validate server certificate", which certificate does it look for? Is it ACS's identity certificate, which requires the CA server to sign the CSR?
    03. Back to client side, should the client also need to import this certificate in trusted root certification authorities?
    Or the client will trust ACS identity certificate against the root CA certificate store at client's trusted root certification authorities, where they have the identical issuer?
    04. Extra question: If there is no CA environment, would it be sufficient to simply export the ACS self-signed certificate and import it to the client computer, so it's trusted?
    Thanks
    Noel

    Hello Noel-
    Please find my answers below:
    01. In AD environment, should ACS 5.3 be part of the domain computer?
    You should not have to make any changes to the ACS machine once you join it to your domain. You need to ensure that the account that you use to join it to the domain has the proper permissions. For more info on that you can check this link:
    http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc6506.shtml
    02. To have secure connectivity, IF the security policy forces the client to check "Validate server certificate", which certificate does it look for? Is it ACS's identity certificate, which requires the CA server to sign the CSR?
    Yes, if you want the connection to be secured/encrypted you will need to use a certificate. The certificate can be either a public/paid one. The important part is for that certificate to be pushed to all of the end workstations. This can usually be done via GPO.
    03. Back to client side, should the client also need to import this certificate in trusted root certification authorities?
    Or the client will trust ACS identity certificate against the root CA certificate store at client's trusted root certification authorities, where they have the identical issuer?
    See above
    04. Extra question: If there is no CA environment, would it be sufficient to simply export the ACS self-signed certificate and import it to the client computer, so it's trusted?
    See above
    Thank you for rating!

  • ACS Admin Access

    Hi,
    Is it possible to have the ACS Software authenticate against external DB's for admin level users administering the box... Thanks, AJ

    Had thought this was the case. Thank you for the speedy response. It has been so long since using ACS that I had gone a little rusty. AJ

  • Best practice for real time requirement

    All,
    I am trying to find out what is the best practice for reporting against real time data?
    Is it while using
    1 - WebI against universe/BEx query on the top of hybrid cubes?
    2 - Crystal Reports directly against the ECC data?
    3 - using another solution such as Data Federator? or something different?
    I am looking to know if anyone got such a requirement and also to share their experience.
    Did they get some huge challenges against hybrid cubes?
    Thanks in advance for your help
    Philippe

    Well, their first requirement was to get real time data. If I am in Xcelsius and click refresh then I want it to load my latest data.
    With Live Office, I can either schedule a Crystal report and get the data delayed, or use the option from Live Office to make it refresh right now. Is that a correct assumption?
    I was talking about BW, just in case they are willing to change the requirement to go from real time to every 5 min.
    Just so you know, we are also thinking of the following option:
    1 - modify the virtual provider on the CRM machine to get all the custom fields needed for the Xcelsius dashboard
    2 - build some interactive report on the top of these virtual providers within CRM
    3 - get the link to this report; it is one of the report features within CRM
    4 - design and build your dashboard on the top of it
    5 - export your swf file to the CRM web UI
    we are trying to see which one is the best one
    Philippe

  • Authorization based on scheduling

    I'm looking for a solution to help me schedule resources in our network lab. I want to require staff to schedule a resource, and then have ACS do authorization against whether or not a user has scheduled the resource. The piece I don't know about is the whole calendar/reservation piece.
    I've seen this kind of scheduling for conference rooms in Exchange.  I'm wondering if setting up a "conference room" type resource in Exchange would have users assigned to the resource for a particular time period in such a way that Cisco ACS could do authorization against the resource validating the username to validate login access for the resource.  I'm not worried about forcing a logout at the end of the timeframe, the initial authorization would be sufficient.
    Does anyone have the exposure to know if this approach could be made to work, or is there a better approach that I haven't considered? I'm a bit new in this group. Thanks in advance.
    Per

    Hi Per,
    What ACS are you using? what is the protocol?
    you can try that with ACS 5.x
    Hope that helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Differentiate between wireless lans

    We are using ACS 5.2 as a radius server for our wireless network. Our current wireless lan is wpa2 with 802.1x enabled. ACS is checking against AD. We would like to setup a new wireless ssid for internal staff that we would grant permission to use. It would be less firewalled, and the staff member needs to sign a form to use it. So two questions..
    1. How do we differentiate between the SSIDs when the RADIUS requests come in? When someone tries to connect to the internal staff SSID and tries to auth, how can we separate that out from the rest of the wireless connections?
    2. How do we only grant permission to certain people? We would want to add the username to the internal users group, but have the password auth against AD instead of typing one in.
    Thanks for any help you guys can give.

    Hi,
    When a RADIUS request arrives to the ACS it contains the ssid the user is trying to connect to.
    Please take a look at this document, which explains that the SSID name is present in the RADIUS attribute 30 Called-Station-ID:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml
    Using ACS 5.x, you need to create a rule that compares that attribute with the ssid name you want to filter.
    Please take a look at the screenshot example:
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
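To make the rule Tiago describes concrete, the following is an added example (not from the thread and not ACS's own rule engine) that pulls the SSID out of a Called-Station-Id value and then picks an authorization profile per SSID, optionally requiring an AD group as the original question asked. It assumes the common WLC encoding `<AP-MAC>:<SSID>` for attribute 30 (the separator between MAC octets may be `-` or `:`); the SSID names, group DNs and profile names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumed WLC format for Called-Station-Id: "<AP MAC>:<SSID>", MAC octets
# separated by '-' or ':'. Only the first ':' after a full MAC is the separator,
# so an SSID that itself contains ':' survives.
CSID_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}):(.+)$")


def parse_called_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (normalised AP MAC, SSID); (None, None) if the value is not in the
    expected form, so callers fall through to the deny default."""
    m = CSID_RE.match(value.strip())
    if not m:
        return None, None
    mac = m.group(1).replace(":", "-").upper()
    return mac, m.group(2)


@dataclass(frozen=True)
class Rule:
    ssid: str                       # SSID the rule applies to (case-insensitive)
    required_group: Optional[str]   # AD group DN the user must hold; None = any authenticated user
    profile: str                    # authorization profile returned on match


# Constructed policy: the internal SSID needs a signed-form group, the normal
# SSID accepts anyone who authenticated against AD.
RULES: Sequence[Rule] = (
    Rule("StaffInternal", "CN=WiFi-Internal,OU=Groups,DC=example,DC=local", "PermitInternal"),
    Rule("Corp", None, "PermitCorp"),
)


def select_profile(called_station_id: str, user_groups: List[str],
                   rules: Sequence[Rule] = RULES, default: str = "DenyAccess") -> str:
    """First-match evaluation, like an ACS authorization policy: compare the SSID
    from attribute 30 and the user's AD groups against each rule in order."""
    _, ssid = parse_called_station_id(called_station_id)
    if ssid is None:
        return default
    for rule in rules:
        if rule.ssid.lower() != ssid.lower():
            continue
        if rule.required_group is None or rule.required_group in user_groups:
            return rule.profile
    return default


if __name__ == "__main__":
    internal = ["CN=WiFi-Internal,OU=Groups,DC=example,DC=local"]
    print(select_profile("00-11-22-33-44-55:StaffInternal", internal))   # PermitInternal
    print(select_profile("00-11-22-33-44-55:StaffInternal", []))         # DenyAccess
    print(select_profile("00:11:22:33:44:55:Corp", []))                  # PermitCorp
```

The deny default matters: a request whose Called-Station-Id does not carry an SSID (or carries one no rule names) must not fall into the permissive profile, which is also why the rule for the less-firewalled SSID is the one that carries the group condition.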

  • How to authenticate a Non domain member laptop with AAA

    Dear all,
    I do have a problem in resolving an issue for AAA. The scenario is: if a user connects his laptop to a Cisco switch and the computer is not a member of the domain, we would like to allow internet access and an IP from the DHCP server only to those users whose computers are members of Active Directory. Do let me know how it is possible; support will be appreciated.
    Regards
    Ibrahim

    Hi Ibrahim,
    Do you use CiscoSecure ACS?
    If so, this is possible, using AAA/dot1X on the switch and configuring ACS to authenticate against Active Directory.
    There are lots of configuration examples available here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
    Specifically the wired dot1x; nac: ldap integration with acs; cisco secure acs for windows with eap-tls machine authentication.
    Although some of these are for wireless, I can't see why the principle can not be applied to wired.
    Also there are posts on the learning network:
    https://learningnetwork.cisco.com/thread/2221
    https://learningnetwork.cisco.com/thread/12897
    Regards, Ash.

  • Cisco 3502i to allow Windows 8 only

    Hello
    I am setting up a test AP for Windows 8. Is there a way that I can restrict access to this AP by Windows version or by MAC
    address of the select wireless devices being used for the test.
    I have controller(s), AIR-CT5508-K9, that the AP associates to.
    I also have an WCS to manage controllers
    Finally an VM wireless ACS to authenticate against.

    You can create WLAN with MAC auth.
    This describes the steps directly on the WLC
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
    From WCS create templates for similar action and apply to controllers
    Sent from Cisco Technical Support iPad App

  • Anyone got ACS SE 4.2.1 authenticating against server 2008 R2 via LDAP?

    Hi, I'm working on a new network implementation where the customer has ACS SE and wants to use AD for machine based authentication of wired 802.1x clients.
    As the support for 2008 R2 server (64-bit OS used here) using remote agent is not yet released they are attempting to set this up using an LDAP connection. The final goal is to use certificate based authentication, and I have had a message indicating this authentication type may not work due to an issue with binary comparison, so we started with basic username/password accounts first.
    So far the ACS is populating its external user database fields with the domains setup on AD, but user authentication is failing.
    Briefly, we started with basic username/password using MD5-CHAP on XP to an account configured on ACS; that worked fine. Then we set up the external user database to use an LDAP connection to AD, and an unknown user policy; this doesn't work. It looks like the issue could be to do with the LDAP attributes not being set correctly.
    Has anyone used LDAP as an authentication mechanism against 2008 R2 based AD and got it working?

    Aacole,
    The above error message says that your external database that is LDAP doesn't support EAP-MD5 and that is quite true.
    You may check the below listed link for protocol and database compatibility.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp824733
    Since you are using LDAP, it only supports EAP-GTC.
    Do let me know if you need any further suggestions.
    Regds,
    JK
    Do rate helpful posts-

  • ACS 5.1 Authentication against AD problem

    I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44. We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one of my colleagues. His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server. Several other users have changed their passwords in AD and have not encountered this problem.
    ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
    I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
    The only difference between the two ACS servers is that they are querying different AD servers. I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning. I've also restarted the services and cold started the ACS virtual machine to no effect. I have yet to try clearing the AD configuration and re-entering it.
    show logging application acs reveals the following:
    ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
    ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
    ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
    I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
    Any ideas on what might be the cause, and how I can fix this?
    Thanks!
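The `show logging application acs` output quoted in the post above is comma-delimited and carries a session id (`sesn=`) on every line, so it can be grouped per authentication attempt instead of read line by line. The script below is an added example, not from the poster or from Cisco; it embeds the five log lines exactly as shown above (wrapped lines rejoined), and the field layout it parses (module, date, time, level, thread, cntx, sesn, user, message, source:line) is inferred from those lines only, so treat it as an assumption for other ACS log modules.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# The log lines from the post above, rejoined onto one line each.
ACS_LOG = """\
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
"""

# Field layout assumed from the lines above. The message is matched greedily and
# the trailing "<file>.cpp:<line>" anchors the end, so a message without commas
# parses cleanly; lines in another layout are reported as unparsed.
LINE_RE = re.compile(
    r"^(?P<module>[^,]+),(?P<date>\d{2}/\d{2}/\d{4}),(?P<time>[\d:]+),(?P<level>[A-Z]+)\s*,"
    r"(?P<thread>\d+),cntx=(?P<cntx>\d+),sesn=(?P<sesn>[^,]+),user=(?P<user>[^,]*),"
    r"(?P<msg>.*),(?P<src>[^,]+:\d+)$"
)
# "... failed due to error: 16:Password expired" -> (16, "Password expired")
AD_ERR_RE = re.compile(r"error: (?P<code>\d+):(?P<text>.+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one ACS application log line into a dict, or None if not recognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    err = AD_ERR_RE.search(m.group("msg"))
    rec["ad_error_code"] = int(err.group("code")) if err else None
    rec["ad_error_text"] = err.group("text") if err else None
    return rec


def summarize_sessions(text: str) -> Dict[str, Dict[str, object]]:
    """Group records by ACS session and classify each attempt: how many LRPC
    reconnects preceded it, which AD error codes it hit, and whether the ID store
    recorded a final failure (and why)."""
    sessions: Dict[str, Dict[str, object]] = defaultdict(lambda: {
        "user": None, "lrpc_retries": 0, "ad_errors": [], "outcome": "unknown", "reason": None,
    })
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = sessions[str(rec["sesn"])]
        s["user"] = rec["user"]
        msg = str(rec["msg"])
        if "LRPC failed" in msg:
            s["lrpc_retries"] = int(s["lrpc_retries"]) + 1
        if rec["ad_error_code"] is not None:
            s["ad_errors"].append((rec["ad_error_code"], rec["ad_error_text"]))
        if rec["level"] == "ERROR" and msg.endswith("authentication failed"):
            s["outcome"] = "failed"
            s["reason"] = msg.split(" - ", 1)[1]  # drop the "Class::method - " prefix
    result = dict(sessions)
    result["_unparsed_lines"] = {"count": unparsed}
    return result


if __name__ == "__main__":
    for sesn, info in summarize_sessions(ACS_LOG).items():
        print(sesn, info)
```

Grouping this way shows that both attempts in the quoted output received AD error 16 ("Password expired") from the client layer, each after one LRPC reconnect; the second attempt is then rejected by the ID store because password change is disabled, which is the 24421 message the poster sees in ACS View.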

    Hello,
    It is complicated to explain this rule but hopefully you will understand.
    I suggest you do an identity store sequence that will point to the AD and RSA. This is like the unknown user policy in ACS 4.x.
    Once this is done you can create 2 authorization policies, 1 based on RSA authentication and another based on AD authentication.
    To give you a clearer example: is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultaneous authentication.
    Regards,
    Sebastian Aguirre

  • Cisco ACS 5.2 authentication against multiple LDAP servers

    Hi Folks,
    I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
     - User tries to associate to WLAN
     - Authentication request is sent to ACS
     - Service selection rule chooses an access-policy (wireless_access_policy)
     - wireless_access_policy is configured to use my_ldap as identity source.
    A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?

    Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
    You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

  • ACS Authentication against Lotus Notes

    Hi Team, is it possible to authenticate Users via ACS against Lotus Notes, similar to MS AD? Regards, Michael

    I don't think it is possible to use ACS with Lotus Notes for user authentication. These are the external databases supported with ACS.
    a) Windows User Database
    b) Generic Lightweight Directory Access Protocol (LDAP)
    c) Novell NetWare Directory Services (NDS) when used with Generic LDAP
    d) LEAP Proxy Remote Authentication Dial-In User Service (RADIUS) servers
    e) Token servers
    f) Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

  • ACS cannot Authenticate Aironet Users against External DB (LDAP)

    ACS cannot Authenticate Aironet Users against External DB (LDAP)
    Can anyone point me to a technical explanation of why this is true?
    All I have found so far is one small note in a help file and something that might be related under EAP-FAST explanation.
    I have posed this question to our Cisco account team but no response yet.
    Just need to have a good explanation when explaining to mgmt why we need to have a special setup for WLAN users.

    Hmmm... you should be getting more than that from debug radius and debug aaa authen if your AP is truly attempting EAP authentication. The debugs I generally use for this are 'debug aaa authen', 'debug radius', and 'debug dot11 aaa dot1x all' coupled with gathering the detailed support logs from ACS. A warning about 'debug dot11 aaa dot1x all': it is VERY verbose and cryptic if you don't have a lot of experience looking at it, so it may be best to open up a TAC case. With these debugs turned on, you should see an EAPOL logon show up from the client (usually says 'received EAPOL packet...') and then a request for identity from the switch and a response from the client with a username and password. Then a series of RADIUS challenge/response packets will be passed which consists of the server cert being passed to the client for validation and then the client sending the username and password to the server. Then you will finally get an access-reject or access-accept packet from the RADIUS server. The failed and passed attempts logs in ACS can also provide good info as to what the source of the failure may be. Do you get any passed or failed attempts for these authentications?
