ACS 5.6 integration with Windows AD

Hi All,
Kindly help me to integrate Cisco ACS 5.6 with AD. I am now migrating from Cisco ACS 4.2 to 5.6.
What type of account should be created in Windows AD for the integration? Should this account support a 128-bit password?
Also, which user group should the user be under?
Regards,
Arun

Hello Arun-
Here are the requirements for the ACS AD account:
Enter the username of a predefined AD user. An AD account which is required for the domain access in ACS, should have either of the following:
- Add workstations to the domain user in the corresponding domain.
- Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain).
- Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/users_id_stores.html
Thank you for rating helpful posts!
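
One way to apply the three requirements above on the AD side, as an added example that is not part of the original post or of Cisco's documentation. The account name `svc-acs`, the domain `EXAMPLE` / `example.com`, the container DN and the policy name are placeholders; it assumes the ActiveDirectory PowerShell module, a domain functional level that supports fine-grained password policies (Windows Server 2008 or later), and that failure auditing for Kerberos pre-authentication and credential validation is enabled on the domain controllers.

```powershell
# Added example; not Cisco's procedure. svc-acs, EXAMPLE and the DNs are placeholders.
Import-Module ActiveDirectory

$Account   = 'svc-acs'                          # hypothetical ACS join account
$Container = 'CN=Computers,DC=example,DC=com'   # where the ACS machine account is pre-created

# 1. Least privilege: grant only Create Child / Delete Child (CC/DC) for object
#    class "computer" on that one container, instead of a broad admin group.
dsacls $Container /G "EXAMPLE\${Account}:CCDC;computer"

# 2. Disable lockout for this account only, through a fine-grained password
#    policy that copies every other setting from the domain default.
$d = Get-ADDefaultDomainPasswordPolicy
New-ADFineGrainedPasswordPolicy -Name 'ACS-Join-NoLockout' -Precedence 10 `
    -LockoutThreshold 0 `
    -MinPasswordLength $d.MinPasswordLength `
    -ComplexityEnabled $d.ComplexityEnabled `
    -PasswordHistoryCount $d.PasswordHistoryCount `
    -MinPasswordAge $d.MinPasswordAge `
    -MaxPasswordAge $d.MaxPasswordAge `
    -ReversibleEncryptionEnabled $d.ReversibleEncryptionEnabled
Add-ADFineGrainedPasswordPolicySubject -Identity 'ACS-Join-NoLockout' -Subjects $Account

# 3. Compensating control for the missing lockout: list every wrong-password
#    attempt against the account so an administrator can be alerted.
function Get-AcsBadPasswordEvent {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [int] $Hours = 24
    )
    # 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation.
    $badPassword = '0x18', '0xc000006a'   # "wrong password" status for each protocol
    $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }

    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read the named EventData fields rather than relying on positions.
                $data = @{}
                foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $data[$node.Name] = $node.'#text'
                }
                if ($data.TargetUserName -eq $Account -and $data.Status -in $badPassword) {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        DC      = $dc.HostName
                        EventId = $_.Id
                        Source  = if ($_.Id -eq 4771) { $data.IpAddress } else { $data.Workstation }
                    }
                }
            }
    }
}

Get-AcsBadPasswordEvent -Account $Account
```

Any row returned means a wrong password was presented for the join account; feeding the function's output to a scheduled task or the existing monitoring system is left to the environment.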

Similar Messages

  • ACS 4.1 support with Windows Server 2012 Domain controller

    I am upgrading my Domain Controller / Active Directory from Windows Server 2003 to Windows Server 2012.
    In my environment, I am using Cisco ACS 4.1 which is integrated with Windows Server 2003 Active Directory.
    Will ACS 4.1 work fine with my new domain controller (Windows Server 2012), or do I need to upgrade my ACS too?
    Regards,
    Junaid

    Junaid,
    ACS 4.x code doesn't even support Windows 2008 R2. Your best bet is to migrate the ACS from 4.x to ACS 5.4 Patch 2 or stay with windows 2003 or 2008 (Non-R2).
    ACS 5.4 patch 2 supports Windows 2012 AD.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/release/notes/acs_54_rn.html
    Regards,
    Jatin
    **Do rate helpful posts**

  • LMS 2.6 and ACS 4.2 compatible with Windows 2008 R2 Active Directory?

    Hi,
    We are planning to upgrade CORP Domain from Windows 2003 Active Directory Schema to Windows 2008 R2 Active Directory Schema.
    I wanted to know if the following applications which are installed on windows (domain member servers) are compatible with windows 2008 server R2 schema?
    CiscoWorks LAN Management Solution 2.6
    Cisco Secure Access Control System 4.2
    Cisco Fabric Manager 1.5
    Any help is much appreciated!

    - CiscoWorks LAN Management Solution 2.6 - Not supported and this software is EOS-EOL.
    www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_end-of-life_notice0900aecd80532c07.html
    - Cisco Secure Access Control System 4.2 - Not supported either:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041324
    - Cisco Fabric Manager 1.5 - Was not able to find anything for version 1.5 and not really familiar with this product.  However, according to the below not even version 4.2(7d) supports 2008:
    www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/fm/release/notes/20325_10.html#wp657668

  • ACS 5.2 Sync with Windows 2008 AD but cannot see the Groups

    Hi Pals,
    Recently I've been working with the ACS 5.2 (installed on VMware). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008, I changed the AD platform to Win Server 2008 Enterprise edition (x64).
    I don't really have a great experience with Win Server Platforms and, for what I've seen, the Win Server 2003 Services deployment is easier than the Win Server 2008 is.
    So, when I used the Win server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD the ACS and the Server get Synchronized but when I want to add the groups for the Authentication purposes there is no one, absolutely nothing... so I cannot do any test.
    Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and at the end the platforms are compatible.
    Any Idea??
    Thanks in Advance.
    Jose M Cortes H

    Hi Jose,
    This should generally work.
    From what I could read, you cannot list AD groups when trying to select them under an authentication/authorization rule.
    What about when trying to list them under the AD configuration?
    Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
    Unfortunately, without more details on a specific error message, it would be hard to tell where the root cause could lie.
    We could collect some initial logs from ACS 5.2, in order to start isolating the issue:
    1. Log in to the ACS command line and enable the following debugs:
    admin# acs-config
    Escape character is CNTL/D.
    Username:
    Password:
    acsadmin(config-acs)# debug-adclient enable
    acsadmin(config-acs)# debug-log mgmt level debug
    acsadmin(config-acs)# debug-log runtime level debug
    2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under
    Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
    3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under
    Troubleshooting > ACS Support Bundle
    Please be sure of collecting the support bundle while checking the following options:
    Include full configuration database = Unchecked
    Include debug logs = All
    Include local logs = All
    Include core files = All
    Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day
    Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.
    Regards,
    Fede
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Integration with Windows 8.1 Photos App Share Charm

    I can not find any documentation on this anywhere, so excuse me if this is in a guide somewhere.
    I want my application to run whenever the user opens the native 'photos' app, then goes to the share option in the charms menu. My current computer says 'You don't have any apps that can share this content.' I want my application to appear there.
    I would like to do this in C#, but can use whatever is best.
    Mediocre Access 2010 | (Baby) Beginner C Sharp | OK at Active Directory (2012) | Fragmented understanding of DNS/DHCP | Laughable experience with Group Policy | Expert question asker on MSDN Forums

    Hi,
    According to your description, you want your app to receive content shared from another app. If so, you have to declare that it supports the Share contract. This contract lets the system know that your app is available to receive content. If you're using a Visual Studio template to create your app, here's how you support the Share contract:
    Open the manifest file. It should be called something like package.appxmanifest.
    Open the Declarations tab.
    Choose Share Target from the Available Declarations list and click Add.
    For more information, please see the link:
    https://msdn.microsoft.com/en-us/library/windows/apps/xaml/hh871369.aspx
    And see the Sharing content target app sample
    Best Wishes!

  • ACS Server MAC Authentication with Windows Database

    Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

    Here is the link for setting up MAC authentication using CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

  • Cisco Secure ACS 4.1 with Windows Database

    I have ACS 4.1 integrated with Windows Database (check mark in allow Remote DialIn).
    When we terminate an employee do I have to also delete their ACS User Profile?
    If I delete the user in AD will they automatically delete the user in ACS?
    Where can I read more about this?

    Hi,
    If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
    The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
    tnx
    somishra

  • ACS 4.1 External DB with Windows 2008 AD

    I have the following scenario:
    - ACS ver 4.1.1.23 on Windows 2003 Standard with SP2, Domain controller server
    - The main AD database is running on Windows 2008
    Does anybody know if I still need to upgrade from 4.1.X.Y to 4.2.X.Y to be able to authenticate users against Windows 2008 AD database?
    Or I only need the 4.2 upgrade when the ACS is installed on a Windows 2008 server?
    Thanks in advance.
    Oscar Perez

    If ACS is on member server you need to upgrade it to 4.2 patch 9 to make acs work with 2008 DC.
    2008 DC support is included from 4.2 patch 4 but I recommend to go for patch 9.
    Regards,
    ~JG
    Do rate helpful posts

  • Strange Issue with windows Vista

    Hello Friends,
    My user is not able to connect to the Cisco 5400 with Windows Vista, while the same user is able to connect via Windows XP. Dialer settings for both Windows versions are the same. I am using the Windows dialer for both. I am using the PAP authentication protocol.
    Below are the logs on the Cisco AS 5400 when it's not connecting:
    Jul 4 09:01:46 UTC: As2/01 LCP: ACFC (0x0802)
    Jul 4 09:01:46 UTC: As2/01 LCP: State is Open
    Jul 4 09:01:46 UTC: As2/01 PPP: Phase is AUTHENTICATING, by this end
    Jul 4 09:01:47 UTC: As2/01 LCP: I IDENTIFY [Open] id 2 len 18 magic 0x0BC0640B MSRASV5.20
    Jul 4 09:01:47 UTC: As2/01 LCP: I IDENTIFY [Open] id 3 len 24 magic 0x0BC0640B MSRAS-0-IMRAN-PC
    Jul 4 09:01:47 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid <<<<<<<<<<<<<<
    Jul 4 09:01:48 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:01:50 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:01:52 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:01:54 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:01:56 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:01:56 UTC: As2/01 AUTH: Timeout 1
    Jul 4 09:01:58 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:02:02 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Jul 4 09:02:04 UTC: As2/01 PAP: I UNKNOWN(12) id 3 len 24As2/01 PAP: Code 12 not expected or invalid
    Thanks in Advance for help
    Regards
    Tarun

    Should it be an ACS appliance, please do the following:
    1. Set logging level to full:
    System Configuration > Service Control > Services Log File
    Configuration: Level of detail = FULL
    2. Reproduce the problem
    3. Note the time-stamp from the problem-reproduction
    4. Collect Package.cab:
    System Configuration > Support > Click on: "Run Support Now"
    --> This will prompt you after a while to download Package.cab to your
    local machine.
    5. Upload Package.cab to SR notes along with the time-stamp of the
    reproduction (step-3 above).

  • ACS 4.2.1 AND WINDOWS 7

    HI all,
    We are having some authentication issues with Windows 7. The issue is that some Windows 7 machines fail randomly. We are using ACS 4.2.1 MS-PEAP with machine authentication, and every now and then a PC fails to authenticate. The log always shows: External DB user invalid or bad password. And the user to whom the machine belongs always says that they did not change their password! So the error message is clear, but as we are doing machine authentication, can the machines change their password on their own? Or can group policy push a password change? Last week, I had the server guys check the log on the AD server, and the log confirmed that there was a password change prior to the user trying to authenticate.
    Has anyone experienced this?
    Thanks,
    Jean Paul---

    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is expected behavior because AD forces the computer to change its password every month, and if the computer is not on the domain at that moment the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • Getting existing wireless solution working with Windows 7 client

    A bit new to this so need some help
    I have been asked to do some innovation around an existing operational wireless solution.
    Setup is;
    1. Wireless client - running Juniper Odyssey client. This authenticates user on logon to Windows using username / SecurID token / pin. Configuration via WAP / TKIP
    2. Cisco Aironet Wireless Access Point
    3. Cisco 4402 Wireless LAN controller
    4. Cisco ACS v4.1 - configured as RADIUS server with connection to external RSA Authentication Manager 6.1
    As part of a transformation programme I have been asked to investigate whether this existing wireless infrastructure will work with Windows 7 as the client operating system. Also to look at whether the wireless functions in Windows 7 will allow the Odyssey client to be removed.
    I am unsure what client if any I need to install on the Windows 7 client in order to try and get this working. Do I need the VPN client from Cisco, the RSA EAP client or will Win 7 allow me to do this.
    Any help appreciated.

    I am still struggling with this concept of supplicants.
    I have tried to set this up with the wireless capabilities in Windows 7 to no avail. I see that Windows 7 only supports certain EAP types - how can I find out what my EAP type is on the ACS server?

  • WLC integrating with Windows 2008 AD

    Hi,
    I want to integrate WLC with Windows 2008 Server. If anybody has done this integration, I would like to know what steps I need to do on the Microsoft side. If you have any document related to MS 2008 integration, please share the information with me.
    Thanks in advance.
    Regards,
    Sunish

    Can you provide more detail around what you mean by integrate? I don't think a WLC can talk directly to AD (Kerberos, LDAP, or otherwise).
    If what you mean by "integrate" is to be able to authenticate wireless users against AD, then you will need something to proxy that authentication. That is usually a RADIUS server. Cisco ACS and Microsoft IAS are two common RADIUS servers, both of which can talk to AD. Check out the Cisco ACS 4.2 configuration guide for a good example. Here's a link to an older Microsoft article, but it still applies to 2008 (Microsoft IAS is still included with Windows Server).
    http://www.microsoft.com/downloads/details.aspx?familyid=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&displaylang=en

  • Prepare my Wireless network for use with Windows 8

    Hello
    My wireless network has the following:
         (2) Wireless ACS 5.2 (upgrading to 5.3 soon)
         (1) Wireless Control System 7.0.172.0
         (10) Wireless Controllers AIR-CT5508-K9 7.0.116.0 (Lic level: base)
    Most of the (150+) AP's are i3502 with some older 1131AG, 1142N, 1242AG
    We are starting to see more devices with Windows 8
    What is best practice for integrating Win 8 devices onto a Wireless network?

    Shaogin
    Thank you for your reply.
    Wireless Control System s/w would need to be upgraded.
    What about the controllers and ACS?

  • Syncing iphone with windows 7 contacts - error message outlook.pst not foun

    I have set up iTunes to sync my iPhone GS with Windows Contacts. When I sync I get an error message:
    The file c:\Program Files\Common Files\System\Mapi\1033\Outlook.pst could not be found
    Sometimes the error message comes up 2 or 3 times.
    Secondly, my Iphone is syncing with something because an old version of my windows address book is now on my iphone. Of course if I add a new contact to Windows Contacts, it does not appear on my iphone.
    I don't have Outlook installed on my PC. It was removed, but I guess I do have an old outlook.pst file from my old times with Windows XP.
    So how does Itunes manage the sync and how can I stop it syncing with my old address book and use Windows Contacts? I have tried resetting my sync history but it did not work.
    I am running Windows7 (upgrade from Vista).

    I am also having issues with syncing my Iphone 3GS with the latest version on Itunes. I have for a long while now been doing just great. My contacts, phone numbers, emails have all synced very nicely, no problems. As soon as I downloaded the new Itunes 9.1 I can no longer sync contacts, and calendars, as usual.
    I tried several things that were suggested to me in the troubleshooting but nothing has helped. It usually tells me that my computer is not set up for syncing, and after arranging that it still doesn't work. As well, it says it cannot find the requested services.
    Please help.
    I am running windows 7, and have been for a while, it's not windows 7, it's the new Itunes upgrade.

  • IPod Classic - ok with Windows, not with iTunes

    Hi,
    I have a Classic 160GO iPod.
    Suddenly this problem appeared :
    - no music or pictures were recognized by my iPod, but the disk space was used for "Other"
    - this iPod is not known with iTunes
    - This iPod is known as a removable hard disk, via Windows 7 (Main computer), Windows XP (secondary computer), a linux thing (a friend computer).
    1. I already checked this iPod with the diagnostics mode (see https://discussions.apple.com/message/19048752#19048752)
    result is :
    - reallocs : 0
    - Pending sectors : 32
    My understanding is that my iPod hard disk is ok and valid.
    2. I followed most of the recommended ways to repair the iPod as per Support (8 out of 10)
    Nothing is working.
    I confirm I have installed the latest version of iTunes.
    3. I read the following page : https://discussions.apple.com/message/19158071#19158071 to find the relevant firmware.
    But the iPod Classic 160GO is not in the list.
    My questions
    --> Do you have an idea to solve my problem ?
    --> What could happen if I format my iPod with Windows? It would be only a hard disk after, wouldn't it?
    --> If I format, is there a solution to re-install the iPod software (= firmware?)
    Thank you for your help.

    The iPod hard disk looks new from the Reallocs and ON Hours, but it is rebooting more to get the correct spin for data verification, causing timeouts, so the Pending Sector will increase.
    There may be something, near the iPod environment, that is causing the drive to fail and overheat, if it has not already been damaged, or maybe it is just one hard disk that slipped through poor quality control.
    You can bring the Retract, Realloc and pending number low by doing a low-level format, see this article, but your problem of the hard disk rebooting to find a good cluster won't go away.
    Just my thoughts.
    Magnets are the primary cause of hard disk crashes. I would also suspect using your handphone while it is near the iPod would also be bad, see the YouTube video on hardboiled eggs using handphone.
