ACS Authentication in another (trusted) domain by ACS Agent

Hi
I have got two domains. Domain A is top level domain. Domain B is Child domain from Domain A.
The ACS Agents are installed on two DC's in Domain A.
Authentication of clients in Domain A is ok.
Authentication of clients in Domain B is a problem.
I created a Universal Group in Domain A. In this Universal Group, I put a Global User Group from Domain B. Authentication is not OK.
The ACS "Failed Authentication Log" says: "External DB account Restriction".
What is the problem here?
Regards,
Remco

Windows Group Mapping Limitations
ACS has the following limits on group mapping for users who are authenticated by a Windows user database:
• ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
• ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication.
What does the second bullet actually mean?
Is it not allowed to make a domain local group in Domain A (in which the Remote Agents are) that contains users (not groups) from Domain B?
Do you have to connect to Domain B in ACS (visible due to the trust relationship) and create a group mapping directly in Domain B?
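Added example, not from the thread or from Cisco: a small Python model of the group-mapping limitation quoted above, applied to the poster's layout (a Domain B global group nested in a Domain A universal group) and to the domain local group asked about. The directory snapshot and group names are constructed, and the model assumes that "the domain that authenticated the user" is the domain holding the user's account, whichever domain the ACS agent runs in.

```python
from collections import deque

# Constructed directory snapshot (not from the thread): group -> scope and direct members.
# Names use DOMAIN\name. A\ACS-Universal mirrors the poster's universal group that holds
# a global group from B; A\ACS-LocalA is the hypothetical domain local group from the
# follow-up question that holds a B user directly.
DIRECTORY = {
    "A\\ACS-Universal": {"scope": "universal",    "members": {"B\\Global-Users"}},
    "A\\ACS-LocalA":    {"scope": "domain local", "members": {"B\\alice"}},
    "B\\Global-Users":  {"scope": "global",       "members": {"B\\alice"}},
    "B\\LocalB-VPN":    {"scope": "domain local", "members": {"B\\Global-Users"}},
    "A\\Global-A":      {"scope": "global",       "members": {"A\\bob"}},
}


def domain_of(principal):
    """DOMAIN part of a DOMAIN\\name principal."""
    return principal.split("\\", 1)[0]


def effective_groups(principal):
    """All groups containing `principal`, directly or through nesting (transitive closure)."""
    found, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group, info in DIRECTORY.items():
            if current in info["members"] and group not in found:
                found.add(group)
                queue.append(group)
    return found


def acs_mappable_groups(user):
    """Groups ACS can use for mapping under the documented limitation.

    Assumption (not stated on the page): the authenticating domain is the
    domain that holds the account, i.e. the DOMAIN part of DOMAIN\\user.
    Only local and global groups in that domain count; nesting the user's
    groups into a group in another domain does not lift the restriction.
    """
    auth_domain = domain_of(user)
    return {
        g for g in effective_groups(user)
        if domain_of(g) == auth_domain
        and DIRECTORY[g]["scope"] in ("global", "domain local")
    }


def explain(user):
    """Map every group the user is (transitively) in to whether ACS can map on it."""
    usable = acs_mappable_groups(user)
    return {g: g in usable for g in sorted(effective_groups(user))}


if __name__ == "__main__":
    for group, ok in explain("B\\alice").items():
        print(f"{group:18} {'mappable' if ok else 'NOT mappable'}")
```

For B\alice the universal group in A and the domain local group in A both come out as not mappable; only the B-domain groups do.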

Similar Messages

  • ACS authenticating Windows DB

    Hi everybody,
    I have a server running ACS for Windows 3.3 used for 802.1x authentication. I only have 1 local ACS account (test) and I use an external DB to authenticate other users.
    I asked Windows Domain administrator to create 3 groups:
    - VLAN1 with 2 users
    - VLAN2 with 2 users
    - VLAN3 with 2 users
    I configured the "unknown user policy" to check the Windows DB if the user is not local, and I configured the domain and mapped the ACS groups in the following way:
    - ACS group VLAN1 is mapped to Windows leaf VLAN1 of domain ESMLAB
    - ACS group VLAN2 is mapped to Windows leaf VLAN2 of domain ESMLAB
    - ACS group VLAN3 is mapped to Windows leaf VLAN3 of domain ESMLAB
    /Default DB is mapped to <no-access>.
    The strange thing is that ACS's first choice is to use /Default, so users don't access the network! I tried to map /Default to VLAN1 and users accessed the network and were associated to the correct VLAN. In this way I checked that ACS correctly connects to the DB to authenticate the user.
    What could be the cause that ACS first seems to use /Default instead of the correct mapping? What did I forget? Is the Windows DB configured correctly?
    Thanks
    Regards
    Roberto

    Mappings are checked from a top-down perspective, so if you have the \DEFAULT domain appearing below the ESMLAB domain then this should be OK. What's probably happening is that ACS is unable to get any of the users' Windows group mapping properties and therefore doesn't know that they're in the VLANx Windows group. Because of this ACS always maps them through to the catch-all \DEFAULT group and they get no access accordingly.
    As for why ACS can't get the users' group mappings from Windows, it is usually a permissions problem, specifically which user the CS services are running under on the ACS device; most often even a domain administrator doesn't have the right permissions. You don't mention if ACS is running on a DC or just on a member server. Running it on a DC usually resolves most permissions problems, particularly on an AD.
    You can try the following to set the permissions correctly:
    Instructions for changing privileges:
    1) On the AD, go to Administrative Tools -> Domain Security Policy -> Security Settings -> Local Policies -> User Rights Assignment and
    a) double click on "Act as part of the operating system"
    b) check the "Define these policy settings" checkbox
    c) click Add and enter: "domain\administrator"
    d) click OK
    e) double click on "Log on as a service"
    f) check the "Define these policy settings" checkbox
    g) click Add and enter: "domain\administrator"
    h) click OK.
    (Note: do the same for "Log on locally")
    2) Right click on the "Security Settings" header and choose "Reload"
    3) Log into the ACS machine with user = domain\administrator (please note that the user must be administrator and not another Domain Admin user).
    4) Change the ACS services to run under domain\administrator and restart them all.
    If that doesn't work, enable Full Logging under the System Config - Service Control page, and restart the ACS services. Then try an authentication request, and check the latest auth.log file under Program Files\CiscoSecure ACS v3.3\CSAuth\Logs; there'll probably be some errors about not getting RAS permissions. You may need to send this to the TAC for further analysis.

  • Cisco ACS 5.3 multiple AD domains

    Hello everyone
    I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
    Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
    Thanks,
    Markus

    Markus,
    If you are using PEAP-MSCHAPv2 then you cannot use LDAP.
    Here is the link when it comes to authentication protocol and database support:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase.html#wp1014889
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible?
    Many thanks

    Yes, ACS can support multiple AD domains, but you will have to configure one as your AD domain and the other as an LDAP database, and this will work since you are planning to use EAP-TLS.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence, so if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • ACS 4.0 to NT Domain with NTLMv2 problem.

    I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
    I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
    In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
    When I run the Authentication test from the VPN setup screen I get a failed request.
    In the CSAuth log I am getting:
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    With NTLMv2 turned off and running ACS 3.2 this setup is working (My production network) My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
    Does anyone have any advice? Thanks!
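Added example, not from the post: a Python parser for the CSAuth auth.log line layout shown above that extracts the Win32 code from the "(error NNNNL)" suffix, labels the codes it knows, and summarises failures per code. The sample beyond the two posted lines is constructed, and the two numeric fields after the level letter are treated as opaque ids since the post does not explain them.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the CSAuth auth.log layout from the post. The first two
# lines are the posted ones; the rest are made up to exercise another code,
# a success line and a line that does not match the format.
SAMPLE_LOG = """\
AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 02/16/2006 15:14:05 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1355L)
AUTH 02/16/2006 15:14:09 I 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication SUCCEEDED
garbage line that does not match
"""

# Win32 logon-related error codes as they appear in "(error NNNNL)".
WIN32_LOGON_ERRORS = {
    1326: "ERROR_LOGON_FAILURE: unknown user name or bad password",
    1327: "ERROR_ACCOUNT_RESTRICTION: blank password, logon hours or workstation restriction",
    1328: "ERROR_INVALID_LOGON_HOURS",
    1329: "ERROR_INVALID_WORKSTATION",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1355: "ERROR_NO_SUCH_DOMAIN: domain does not exist or could not be contacted",
}

# component, date, time, level letter, two numeric ids (meaning assumed opaque), source, message
LINE_RE = re.compile(
    r"^(?P<comp>\w+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<id1>\d+) (?P<id2>\d+) (?P<source>[^:]+): (?P<msg>.*)$"
)
ERR_RE = re.compile(r"\(error (\d+)L\)")


def parse_line(line):
    """Return a dict for one CSAuth log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
    err = ERR_RE.search(rec["msg"])
    rec["error"] = int(err.group(1)) if err else None
    rec["reason"] = WIN32_LOGON_ERRORS.get(rec["error"], "unknown code") if err else None
    return rec


def failure_summary(text):
    """Count external-DB authentication failures (level E) per Win32 error code."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "E" and rec["error"] is not None:
            counts[rec["error"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for code, n in sorted(failure_summary(SAMPLE_LOG).items()):
        print(f"{n} x error {code}: {WIN32_LOGON_ERRORS.get(code, 'unknown code')}")
```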

    Please make sure you read this Field Notice:
    http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
    Note that, despite the Windows URL mentioning only Windows Server 2003, Windows 2000 Server also supports NTLMv2. Therefore, the following scenarios apply:
    - DC on Win 2003 SP1 - doesn't require any hotfix since it's included in SP1
    - DC on Win 2000 SP4 - doesn't require any hotfix since it's included in SP4
    - DC on Win 2003 - requires hotfix KB893318

  • Force acs v.5 to join domain with a certain Domain Controller

    Hi everybody,
    I am trying to join an ACS v. 5.3 to the domain. For my ACS in Location A, I can join without problems using my account. When I try to join the ACS in Location B to the same domain with the same account, it doesn't work.
    I looked at the debug log files for the AD client and noticed that the ACS in Location B goes to a certain Domain Controller. However, I would have expected the ACS to contact another DC, which is located at the same location as the ACS ... this doesn't happen.
    My question: how does the ACS determine what DC to contact? Is it possible to force the ACS to join by connecting to a certain DC?
    Thanks for any help or ideas!
    Ida

    Hi,
    Please check your Sites and Services in your DNS configuration to see if the right Domain Controllers are being sent to the ACS when it attempts to connect to the domain. This feature is critical and will optimize the connections that the ACS chooses in order to join the domain.
    The way this works is that ACS attempts to resolve some DNS records for global catalog servers and domain controllers using the DNS server configured in the initial installation script. Then DNS makes a decision based on the source IP address of the DNS query, decides that the ACS is at a specific site, and returns the DCs and GCs that are configured in that specific site.
    Let me know if that helps.
    Tarik Admani
    *Please rate helpful posts*

  • ASA- ACS authentication

    I have an ASA, an ACS appliance, Active Directory, and RSA securID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using anyconnect.
    here is my scenario:
    ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password
    ACS -- AD - AD Group mapping to put user in the correct ACS group
    ASA SSL - matches username in ACS group to display customized SSL bookmarks
    all looks good
    ACS -- RSA - static users in ACS assigned to RSA group in ACS configured for authentication with external RSA DB
    ASA IPSec - Authenticates with ACS
    Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD?
    What do I have to do to not allow a Windows user to simply enter their AD login/password into their IPSec client and log in? I could see this becoming common with users who don't have their keyfob handy or forget to use it.
    Thanks!

    You need to look at NAP feature in acs,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html#wp1128143
    A NAP, also known as a profile, is essentially a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network. Alternatively, you can aggregate all policies that handle the same device type, for example, VPNs or Access Points (APs).
    Regards,
    ~JG
    Do rate helpful posts

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set ACS to use both RADIUS and TACACS.
    For this you need to add the WLC twice in ACS --> Network Configuration. But you need to keep the host names different.
    e.g. 1) Host name WLC ---> IP x.x.x.x ---> Auth using ---> RADIUS
    2) Host name WLC1 ---> IP x.x.x.x ---> Auth using ---> TACACS.
    You need to set up TACACS commands on the WLC along with the RADIUS commands.
    Regards,
    ~JG
    Please rate helpful posts

  • LDAP authentication in AD (users from other trusted domain)

    Hi
    I have two domains: mine - DOMAINA.LOCAL - and another trusted one - DOMAINB.LOCAL.
    I use LDAP authentication in AD for authenticating users (AnyConnect).
    Now, I need to authenticate a few users from the other trusted domain (DOMAINB.LOCAL).
    I do not want a direct connection with the domain controller in the trusted domain.
    My domain controller (DOMAINA.LOCAL) can authenticate users from the other trusted domain (if I use the username "DOMAINB\userindomainb") if I try to connect by RDP client to some server (for example, to my domain controller).
    But if I try to test aaa-server authentication from the ASA
    I get an error.
    I think I must use a username like "DOMAINB\userindomainb", but this does not work.
    Help me please.
    Thanks!
    My config:
    aaa-server ADA protocol ldap
    aaa-server ADA (inside) host 10.0.0.1
     ldap-base-dn dc=domaina, dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn cn=Cisco ASA, ou=ServiceAccounts, ou=Services, dc=domaina, dc=local
     server-type microsoft

    Hello!
    I see in console (debug LDAP):
    Request for [email protected] returned code (10) Referral
    Does ASA support authentication via LDAP referrals?
    I read old thread:
    https://supportforums.cisco.com/discussion/11132591/cisco-asa-and-ldap-authentification
    And see: CSCsj32153  Symptom:the ASA/PIX doesn't currently support LDAP Referall searches. 
    But I use:
    Cisco Adaptive Security Appliance Software Version 9.2(3)
    Device Manager Version 7.3(3)
    Compiled on Mon 15-Dec-14 05:10 PST by builders
    System image file is "disk0:/asa923-smp-k8.bin"
    Thanks!

  • Can Cisco Device Manager Support ACS Authentication?

    Background:
    My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
    Problem:
    My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

    Hi,
    Actually, there is a difference in where the authentication method list is picked from for HTTP authentication:
    With an HTTP v1 server, the same method list is picked that is used by the VTY lines.
    With an HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.
    After the fix of the above-mentioned bug, we have a different set of commands that we can use.
    I would suggest you give this a try:
    aaa authentication login CONSOLEandHTTP tacacs+ local
    aaa authorization exec CONSOLEandHTTP if-authenticated
    ip http authentication aaa
    line con 0
    login authentication CONSOLEandHTTP
    authorization exec CONSOLEandHTTP
    For detail please refer,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    Regards,
    Prem

  • ACS database not functioning after changing secondary acs ip.

    Hi.. I have two ACS 3.1 servers, ACS01 (Primary) & ACS02 (Secondary). Recently we moved ACS02 to another site and changed its IP address.
    When we do database replication from ACS01, we receive an error message saying that ACS02 has denied the replication request.
    Any idea what may be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:
    1) ACS only supports database replication to other ACS servers. All ACS servers that participate in Cisco Secure database replication must run the same version and patch level of ACS.
    2) The primary server transmits the compressed, encrypted copy of its database components to the secondary server. This transmission occurs over a TCP connection, with port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.
    3) Only suitably configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server appears for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure database replication page.
    4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key.
    5) Replication to secondary servers takes place sequentially in the order listed in the Replication list under Replication Partners, on the Cisco Secure database replication page.
    6) The secondary server, which receives the replicated components, must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.
    7) ACS does not support bi-directional database replication. The secondary server, which receives the replicated components, verifies that the primary server is not on its Replication list. If not, the secondary server accepts the replicated components. If so, it rejects the components.
    8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information about user-defined RADIUS vendors and VSAs, refer to the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Command-Line Database Utility.

  • SQLServer Reporting Services 2005 Prompts for Credentials for a trusted domain user

    Currently the report is running in the domain AAA. Users in the domain AAA are using the report.
    Another new domain BBB and a user XXX have now been created, and BBB\XXX has been given Browser access. Domains AAA and BBB are trusted domains.
    After this, when the user BBB\XXX logs in and accesses the report, a credentials dialog is prompted before the report loads; once the credentials of BBB\XXX are entered, the report is loaded.
    Why does the report prompt for this additional credentials dialog for the trusted domain user?

    Hello,
    Did you get two textboxes in the report parameter panel (on the left side of the "View Report" button)? The issue occurs when the credential of the datasource is configured with "Prompt for credentials". Please check if you configured the credential with "Stored Credential" for the datasource.
    Please refer to the following thread to configure the credential.
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/1564cd7a-6b7a-40f1-9f98-5c766ebfc63e/datasource-userid-and-password-being-asked-eachtime-when-report-is-generated?forum=sqlreportingservices
    Regards,
    Alisa Tang
    TechNet Community Support

  • WDS does not start - 0x6fc Error Trusted Domain

    Hey guys,
    first of all, I am not a native speaker but hope that you can understand my English.
    In our environment we have two deployment servers, and since yesterday we cannot install clients because we cannot start the WDS service. Here is some information about our environment: both servers are virtual machines running Windows Server 2008 R2 Standard. The computers have the WDSServer role and MDT 2013. We installed hundreds of clients with them, but since yesterday the WDSServer service is not running. In the past we sometimes had problems with the Trusted Domain error, but the only thing I had to do was to rejoin the servers to our domain; this solution does not work now.
    I found many solutions here in the forum or in other forums. The following solutions I already tried:
    - Rejoined the domain. Did not work.
    - Checked all trusted domains for problems. Deleted two trusted domains which are offline.
    - Ran dcdiag on our DC. Everything seems to be fine.
    - Added the WDSServer role on another server. Same problem there.
    In the event log I could find the following entries:
    Event ID 768: An error occurred while trying to initialize the Auto Add Policy.
    Event ID 261: An error occurred while trying to initialize provider BINLSVC loaded from C:\WINDOWS\system32\binlsvc.dll. If the provider is marked as critical the Windows Deployment Services server will be shutdown.
    Event ID 265: An error occurred while trying to initialize provider BINLSVC. Since the provider is marked as critical, the Windows Deployment Services server will be shutdown
    Event ID 513: An error occurred while trying to initialize provider WDSPXE from C:\WINDOWS\system32\wdspxe.dll. Windows Deployment Services server will be shutdown
    Event ID 257: An error occurred while trying to start the Windows Deployment Services server.
    Event ID 7024: The "Windows Deployment Server" service terminated with service-specific error:
    The error number is every time 0x6fc.
    We did not change anything in our domain or anything else. The only thing I have done was to add new drivers to our image on Monday, but everything was fine with the deployment. We installed clients, and on Thursday morning both deployment servers crashed.
    I really don't know what I can do now. Does anybody have a solution for my problem or some ideas which could help me?

    Hi,
    This article provided a good troubleshooting guide:
    Enable WinLogon debug log, then refresh the policy, then find out the problem account name and policy.
    For more information you can refer to:
    Troubleshooting SCECLI 1202 Events
    http://support.microsoft.com/kb/324383
    Hope this helps.

  • Full mailbox access from trusted domain

    I have an issue with users unable to log in to OWA or ActiveSync using trusted domain credentials. I have two forests, FOREST A and FOREST B. I have a 2-way forest trust between them. I have migrated users from FOREST A to FOREST B, but their mailboxes need to stay in FOREST A for the time being.
    I have added Full Mailbox access for their FOREST B accounts, as well as Send As permission.
    Outlook accesses their mailboxes no problem, with no security credential prompts. Sending is also fine. However, OWA and ActiveSync will not accept their FOREST B login credentials; I get the following error:
    The Active Directory resource couldn't be accessed. This may be because the Active Directory object doesn't exist or the object has become corrupted, or because you don't have the correct permissions.
    I have a single Exchange 2010 SP2 server in FOREST A. All roles are on this server.
    Why would Outlook clients work but OWA and ActiveSync are failing? Things I have checked:
    - DNS suffixes for trusted and trusting domain are set on the Exchange server
    - Trust is in place and functional
    - Outlook clients work fine using FOREST B accounts
    - Changed OWA authentication options between UPN / Domain\User / logon name only - no option worked
    - Checked time sync between DCs and Exchange
    Any ideas? Thanks.

    Hi Bobby4300,
    Great checklist from Martin.
    Please try the following link to set the msExchMasterAccountSID attribute in the Active Directory account forest, for your reference:
    http://www.msexchange.org/articles-tutorials/exchange-server-2003/management-administration/Understanding-External-Associated-Account-Windows-Server-2003-Exchange-2003.html
    Additionally, the best way is to configure linked mailboxes. This is a mailbox associated with an external account. For more details about creating a linked mailbox, please refer to:
    http://technet.microsoft.com/en-us/library/bb123524(v=exchg.141).aspx
    Best regards,
    Allen Wang

  • Authenticate users from a trusted domain

    Greetings,
    I have two domains, A & B. Domain A hosts all our user accounts; A\domain users. In Domain B we host our applications, i.e., Exchange, IIS, SharePoint.
    I would like to have the default authentication into sharepoint be from users in Domain A using standard claims NTLM.
    Domain B trusts Domain A (1 way)
    Is this possible? How?
    Thank you

    Hello Trevor,
    Thank you for your help.
    I have run the People Picker Tester and found that I am able to connect to the following ports:
    CONNECTED
    tcp/389
    tcp/686
    tcp/135
    tcp/139
    tcp/3268
    tcp/445
    and FAILED to connect to
    tcp/137
    tcp/138
    tcp/3269
    tcp/53
    tcp/749
    tcp/750
    The LDAP test does show a list of all my users from Domain A.  Are all of the failed ports required?  I'm wondering since I did get results from the LDAP test.
    With my new web application and site collection I cannot see any domain A users, although I have not run the two stsadm commands yet, should I be able to or do I need to run the two stsadm commands you previously mentioned?
    My next question is around the two stsadm commands.
    The first command:
    stsadm -o setapppassword -password "SomeValue"
    1) What am I actually doing here? 
    2) Where will this password be used?
    3) Is the password arbitrary or does it need to be a password for the user I will be using in the second stsadm command?
    The second command:
    stsadm -o setproperty -pn peoplepicker-searchadforests -pv "domain:domainb.com;domain:domaina.com,domainauser,password" -Url http://webAppUrl
    1) is this command setting my default people picker domain search to Domain A accounts?
    2) for testing I'm going to use my domain a account in the command, is that acceptable?  It just needs to be an account in domain A, correct?
