ACS and Windows Domain / AD

Similar Messages

• 802.1x and Windows Domain Controller with ACS

  Wow, I am having a tough time getting my ACS and the Domain controller to work with 802.1x PEAP. Can somebody explane to me how to set up the domain controller (Active directry) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert. from the CA if the port is disabled by 802.1x? And How do I set up my domain controller to work with ACS to authenticate users. I have been beating my self to death to figure this out. Any help would be ausome. I am really stuck on trying to make this work.
  Thanks a ton in advance
  Justin

  I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
  By simply posting links is not very helpful. The reason most of us come to this site and post our questions, is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our question, intead of referring us to a link.
  Thank you,
  John...

• Machine authentication by certificate and windows domain checking

  Hi,
  We intend to deploy machine?s certificate authentication for wifi users.
  We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
  We intend to use EAP-TLS :
  - One CA server.
  - each machine (laptop) retrieves its own certificate from GPO or SMS
  - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
  - ACS version is the appliance one
  - one ACS remote agent installed on the A.D.
  - when a user intends to log on the wifi network :
  - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS?s certificate signed by the CA server .
  - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client?s certificate signed by the CA server but the ACS also checks that this certificate isn?t revocated (the ACS checks this thanks to the CA server CRL ? certificate revocation list).
  Am I right about these previous points ?
  And then my question is : is it possible to check that the machine is also included in the windows domain ?
  That is, is it possible for the ACS to retrieve the needed field (perhaps CN ?? certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi Prem,
  Thanks for these inputs.
  I've passed the logs details to full, performed other tests and retrieved the package.cab.
  I've started investigating the 2 log files you pointed.
  First, we can see that the requests reach the ACS, so that's a good point.
  Then, I'm not sure how to understand the messages.
  In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.
  But I'm not sure this NAP problem to be the root cause of my problem.
  And when no NAP is matched, then the default action should accept.
  We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
  I don't know what CSDB is.
  I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
  I copy below an extract of the auth.log.
  I also attach parts of auth.log and RDS.log.
  If you have any ideas or advices ?
  Thanks in advance for your attention.
  Best Regards,
  Arnaud
  AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
  AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
  AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
  AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
  AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

• ACS Two Windows Domains

  The ACS server can be configured to work with two windows domains? to authenticate users that belong to the domain called "a" and "b", the protocol to authentificate it is 802.1X in a Wireless Enviroments (WLC4400+ACS4.2+Two Windows Domain).

  Hello,
  Under certain conditions, yes. You have to have trust between the domains, and depending on whether you are running the ACS on an appliance or a server, there's certain configurations you have to do to make it work with multi-domain authentication.
  Here are a few links to get you started:
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011301
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353805
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202
  HTH,
  Faisal
  If you find this post helpful, please rate so others can find the answer easily

• Leap and windows domain logon

  I'm doing some test with an Air 1200 and some 352 Pc card for one of our customers.
  With ACU ver. 4.25.23, I enabled LEAP authentication using the windows user name and password.
  Leap authentication is successful, while windows domain logon not.
  Not to say using a "normal" NIC that logon succeed.
  Sniffing the packets that come out the AP, it seems the domain logon happens... I see the requests/answers between my client and the domain controller...
  However, after canceling the windows domain logon I have normal connectivity with the entire network.
  Someone experienced that? Any help will be greatly appreciated.
  Antonio Tassone

  Sure.
  My attempts to logon in a windows domain using the same user/password for LEAP authentication and windows logon were unsuccessful (either using Win9x or Win NT/2000 on the client), indeed the login dialog box was stuck in something like "searching primary domain controller" or similar (I'm sorry but it's been some month ago).
  Looking the Radius server log, I found an error like " xxxxx DLL rejected".
  Searching the Cisco web site and the forums for that error, I read the advice to make the authentication services on the NT server to run with the privileges of one of the Windows Domain Administrator accounts.
  Following that advice, and with some other tweaking explained in the document I read, I reached my goal.
  I regret I can't be more precise.
  Regards.

• ACS and Windows Server

  I have installed ACS 5.2 on a machine and I am trying to integrate with that Windows Server 2003 ( Active Directory ) . On the ACS when i do test connection it shows me sucess but when i save the setting it gives me Time error . I kept the clock and timezone of Active Directory and ACS server as same but still it gives me error . I read on one of the blog that it is better to configure NTP on a router and then sync both the devices with same NTP .
  Is it necessary to configure NTP or manual config should also work ?

  I have ran into issues like what you are seeing without using NTP. I would suggest setting up NTP and having ACS and your servers sync to that.
  Sent from Cisco Technical Support iPhone App

• ACS and Windows 2000 user database communication port

  Could my Windows 2000 SP4 + ACS v3.23 can install any new Windows 2000 service pack ?
  I'm affraid to infect ACS Service.
  So, I want to install firewall on this server to block malicious traffic.
  However, my ACS used external user database Windows 2000 for authentication.
  Who can tell me What protocols or port list they are communication?
  I have to avoid these traffic on my firewall.

  Hi cheng
  I think you can install any servie pack without problem and the SP4 is the latest one for WIN2000 and you server already has this SP
  For your second question you need to specify many protocols according to your active directory config in this link you can find a list of this protocols and the best way is to make debug or logging or use a siniffer to know the exactly protocols flow between your ACS and AD server
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
  Best Regards

• Cisco Secure ACS and Windows NLB

  Hi,
  I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
  Has anyone had any success with ACS and Microsoft NLB? I can?t find any documentation to suggest that they are incompatible but I think this may be the case.
  Thanks,
  Neil

  Neil,
  ACS is not tested with NLB but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
  Do you see any hits on acs ? If you sniff the acs interface, what is the source IP address ? Is it clustered ip or clustered host IP ??
  Also on acs --->Network configuration add aaa client with host IP and clustered ip . Now see if acs responds to NLB.
  Regards,
  ~JG

• Parallels Desktop and Windows Domain

  Ive installed Parallels 3 onto my MacBook and am now using Windows XP Pro.
  Ive tried to join my Windows OS to my domain on our Windows 2003 Server but the computer cannot find the domain. I think its something to do with the network connection with the Mac preventing the outward connection.
  Anyone know how to use a Windows Domain through Parallels 3?
  PLease help

  I would suggest changing the network settings in parallels so that your virtual host is getting an IP address straight from your companies DHCP server.
  Dont use shared networking but bridged networking.

• 802.1x with ACS and Windows AD

  Hi
  Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
  I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
  Marco

  Hi Marco,
  i guess you've missed a mapping configuration in the Access Policy Section.
  Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
  You'll see the new service click Identity.
  Select the identity source you've created then save.
  Click on authorization
  Select a default authorization rule permit access and save.
  Create a Service Access Rule name it 802.1x
  Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
  then you can try again.
  regards
  alex

• SPNego and Windows domain

  Hi,
  just to make sure: when the windows 2003 domain is MYDOMAIN and not MYDOMAIN.COM or anything with a dot in it (so users logon via MYDOMAIN\username), but the FQDN of the J2EE server is j2eehost.mydomain.com, then MYDOMAIN should be used to create the keytab file, instead of MYDOMAIN.COM, correct?
  Thus host/j2eehost.mydomain.com@MYDOMAIN instead of host/[email protected] is the service principal name?

  Hi Yonko,
  thanks again. Yes I understand why you would assume that there would be a MYDOMAIN.COM domain but it isn't as far as I know (result of upgrades all the way back from NT4).
  I actually forgot to write that the windows logon dialog shows DOMAIN, but the FQDN is AMUCHBIGGERDOMAIN.COM. For example, the logon is COMPANYNAME\username, but the FQDN of all servers (all domain memebers) are <i>host.globalcompanyname.com</i>
  interesting enough, we cannot logon using [email protected]
  None the less, I'll double check using TweakUI.
  Cheers
  Marcel

• CiscoSecure ACS and Windows 2003 AD forest

  I am looking to configure ACS to map users to a ACS group from multiple domains in a single forest. Is there a way to create this mapping so that you don't have to configure a "WAN Team" (for example) group in every domain in the forest that has members? Is it possible to add other domain users to a domain local or universal group and get them to authenticate?
  We are running an ACS 3.3.2 appliance. Right now our main concern is authenticating access to network devices.

  I did verify with TAC that the only current option is to create the groups in each domain individually. The did mention that support for Universal AD groups should be available in the next ACS release, but I haven't been able to get an ETA on that release.

• Problems with 802.1x,ACS and Windows Server 2000

  Hi,
  My components: ACS 3.3 running on a Server with Windows 2000 Server SP4 , 2950 Catalyst (AAA-Client) ,
  Laptop with Windows XP SP2 (802.1x Client)
  I have everything configured according to Cisco documentation, but I am getting one error in the ACS's log.( Failed Attempts active.csv)
  Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
  I have a valide certificate on my Radius(ACS) server and about machine authentication I have a valide certificate on my laptop. (I have installed this certificate before i started to login at the 802.1x port of the switch)
  Does anyone have any idea what the problem is?
  Here is the Config of the Catalyst 2950 if that will help:
  version 12.1
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname ACS-Client1
  aaa new-model
  aaa authentication dot1x default group radius
  enable secret xxxx
  username xxxx privilege xxx password xxx
  ip subnet-zero
  ip ssh time-out 120
  ip ssh authentication-retries 3
  spanning-tree mode pvst
  no spanning-tree optimize bpdu transmission
  spanning-tree extend system-id
  dot1x system-auth-control
  interface FastEthernet0/13
  switchport mode access
  dot1x port-control auto
  dot1x timeout quiet-period 3
  dot1x timeout reauth-period 1
  dot1x reauthentication
  interface GigabitEthernet0/2
  interface Vlan1
  ip address 10.10.3.253 255.255.255.0
  no ip route-cache
  ip default-gateway 10.10.3.254
  ip http server
  radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
  radius-server retransmit 3
  radius-server key radius
  line con 0
  password xxx
  line vty 0 4
  password xxx
  line vty 5 15
  password xxx
  end

  Yes we get to solve this problem. Because it is a only a test senario, we installed everything new, win2000 server SP4,the certificate service and the winXP on the client.
  The config of the switch is ok, we set the reauth-period and quiet-period to default.
  Then we test the whole configuration with the IAS-Radius (MS). After this we install the ACS, following this document:(Certificates were already installed)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
  Attention, we used the AEGIS Client not the XP Client!

• ACS and Windows Updates

  Should Windows Updated be allowed to install updates as they come out on a Windows 2003 server running ACS 4.1?

  Joseph
  I do not think that anyone can say that fixes from Microsoft will never break something in ACS. There is the possibility but it is certainly not common.
  I firmly believe that the risk that you would be exposed to by not applying fixes to known Microsoft vulnerabilities is very much greater than the risk that a Microsoft fix will break ACS. I agree with JG that you are better off to apply the fixes from Microsoft to your ACS server.
  HTH
  Rick

• ACS 3.2 for Windows and Windows Active Directory.

  I'm using a member W2K server to run ACS 3.2.
  I'm using ACS and Windows group mapping but my users always go into default group.
  Why?
  Thanks.
  Andrea.

  I'm assuming your ACS \DEFAULT domain has NT Groups mapped to . Use a new Domain Configuration to add your AD and group mappings.
  The group name in ACS must match exactly the same group in AD. ie. If your AD group name is "Engineering" , create a ACS group with exactly the same spelling. Also,avoid certain characters such as @#%&*() in the naming of groups, both in AD and ACS.
  Hope this helps. let us know.
  P