ACS - LDAP or AD

Hi PPL,
Currently I have 4 ACSs synced with AD.
Due to security concerns we are thinking of going to LDAP.
I can't find exactly what I'll lose/gain on each method.
Can someone provide more information?
Thanks!

Chen,
You lose the ability to fail over to more than two servers in your deployment. If your ACSs are spread across all datacenters, you do not have the ability to configure separate LDAP servers for each DC either. ACS and AD operations rely on Sites and Services, so that the closest DC based on this configuration is preferred.
If password management for remote-access VPN (AnyConnect) is desired, you need MS-CHAP to accomplish this; LDAP does not support this protocol.
Also, if you are using 802.1X, only a few of the EAP authentication methods referenced here support LDAP.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • ACS - LDAP TCP Keepalive (v5.2)

    reposting as with subject including v5.2:
    Hello
    I have an ACS 4.2.1.15 patch 3 and a Novell Netware LDAP server separated by a firewall. The firewall's default TCP session timeout is 3600 seconds.
    When no LDAP request is made for over one hour, the firewall drops the connection from its table. The problem is that the ACS server thinks the connection is still open. When it tries to send an LDAP query, this results in retransmissions and finally a RST... On the user side the authentication attempt fails (timeout).
    I tried to enable TCP keepalives on the Windows server side, but this has no effect on the LDAP connections used by ACS.
    Is there any possibility to enable keepalives in ACS?
    Thanks in advance for any help!
    Javier Henderson
    159 posts since Mar 12, 2010
    1. Dec 28, 2010 5:54 PM in response to: Zentraler Informatikdienst
    Re: ACS 4.2 - LDAP TCP Keepalive
    You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed on 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.
    Juergen Meier
    2 posts since Sep 28, 2010
    2. Jan 17, 2011 5:46 AM in response to: Javier Henderson
    Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
    Apparently this bug has re-appeared in ACS 5.2 (5.2.0.26). ACS re-uses stale TCP connections many hours after the last TCP packet was sent.
    It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails because the TCP connection was timed out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.
    Further, ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.
    A new ticket will be filed with TAC today.
    ROB SCHIERON
    5 posts since Oct 20, 2010
    3. Feb 14, 2011 10:29 PM in response to: Juergen Meier
    Re: Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
    I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through an F5 Load Balancer to a pair of Sun directory servers.
    Did you make any progress with your TAC case?
    Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
    # show tech-support | i ldap | i tcp
    ldap            389/tcp
    ldaps           636/tcp                         # LDAP over SSL
    tcp        0      0 exc2-acscor-1401:53892      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53893      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53890      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53891      acs.ldapunix.co:ldap ESTABLISHED
    tcp        0      0 exc2-acscor-1401:53889      acs.ldapunix..co:ldap ESTABLISHED
    Also try adjusting "Max. Admin Connections" for LDAP.
    From the admin guide:
    LDAP Connection Management
    ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
    ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
    If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
    After the authentication process is complete, the connection manager releases the connection to the connection manager.
    I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
    Cheers
    R.
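The connection-management behaviour quoted from the admin guide, and the stale-session failure Juergen and Rob describe, can be reproduced in a few lines. What follows is an added example, not code from this thread or from Cisco: it simulates, in-process, a firewall that forgets TCP sessions idle for longer than the 3600-second timeout mentioned above, a pooled LDAP bind over such a session, and two pool policies that avoid reporting the dead socket as an authentication failure. The 300-second margin, the class and function names and the test credential are assumptions made for illustration.

```python
"""Simulation of the stale pooled-connection failure described in the thread above.

Constructed example: a stateful firewall forgets idle TCP sessions, a naive
connection pool keeps reusing the dead session and turns the resulting
transport error into an authentication failure, and a guarded pool avoids
that. Nothing here touches a network; the clock is simulated.
"""

IDLE_TIMEOUT = 3600      # firewall TCP session timeout quoted in the thread (seconds)
KEEPALIVE_MARGIN = 300   # assumed safety margin: recycle before the firewall does


class TransportError(Exception):
    """An LDAP operation was attempted over a TCP session the network forgot."""


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class FakeFirewall:
    """Remembers a session only while it keeps seeing packets on it."""

    def __init__(self, clock, idle_timeout=IDLE_TIMEOUT):
        self.clock, self.idle_timeout, self.last_seen = clock, idle_timeout, {}

    def open_session(self, conn_id):
        self.last_seen[conn_id] = self.clock.now

    def forward(self, conn_id):
        seen = self.last_seen.get(conn_id)
        if seen is None or self.clock.now - seen > self.idle_timeout:
            # Entry aged out: packets are dropped, the client sees retransmissions
            # and finally a RST; modelled here as an exception.
            self.last_seen.pop(conn_id, None)
            raise TransportError(f"session {conn_id} missing from state table")
        self.last_seen[conn_id] = self.clock.now


class FakeLDAPConnection:
    """One pooled TCP connection to the directory; bind() is its only operation."""
    _next_id = 0

    def __init__(self, firewall, clock, directory):
        FakeLDAPConnection._next_id += 1
        self.conn_id = FakeLDAPConnection._next_id
        self.firewall, self.clock, self.directory = firewall, clock, directory
        self.last_used = clock.now
        firewall.open_session(self.conn_id)

    def bind(self, user, password):
        self.firewall.forward(self.conn_id)   # raises if the session is gone
        self.last_used = self.clock.now
        return self.directory.get(user) == password


class ConnectionPool:
    """max_idle: drop pooled connections idle longer than this instead of reusing them.
    retry: on a transport error, open a fresh connection and try the bind once more."""

    def __init__(self, firewall, clock, directory, max_idle=None, retry=False):
        self.firewall, self.clock, self.directory = firewall, clock, directory
        self.max_idle, self.retry, self.idle = max_idle, retry, []

    def _fresh(self):
        return FakeLDAPConnection(self.firewall, self.clock, self.directory)

    def _acquire(self):
        while self.idle:
            conn = self.idle.pop()
            if self.max_idle is None or self.clock.now - conn.last_used <= self.max_idle:
                return conn
            # Idle too long: assume the path has forgotten it and let it go.
        return self._fresh()

    def authenticate(self, user, password):
        conn = self._acquire()
        try:
            ok = conn.bind(user, password)
        except TransportError:
            if not self.retry:
                return "ERROR"      # what the thread saw: a dead socket reported as a failure
            conn = self._fresh()
            ok = conn.bind(user, password)
        self.idle.append(conn)
        return "PASSED" if ok else "REJECTED"


def run_scenario(max_idle=None, retry=False):
    """Bind once, stay idle for two hours (longer than the firewall timeout), bind again."""
    clock = FakeClock()
    directory = {"alice": "correct-horse"}   # constructed test credential
    pool = ConnectionPool(FakeFirewall(clock), clock, directory, max_idle, retry)
    first = pool.authenticate("alice", "correct-horse")
    clock.advance(2 * 3600)
    second = pool.authenticate("alice", "correct-horse")
    return first, second


if __name__ == "__main__":
    print("naive pool:       ", run_scenario())
    print("bounded idle time:", run_scenario(max_idle=IDLE_TIMEOUT - KEEPALIVE_MARGIN))
    print("retry on error:   ", run_scenario(retry=True))
```

The naive pool returns ERROR where ACS reported a reject to the NAS. The guarded pool either refuses to reuse a connection that has been idle longer than the firewall timeout minus a margin, or retries once on a transport error with a fresh connection; either measure removes the bogus failure. TCP keepalives on the ACS side, which the original question asks about, would achieve the same effect by keeping the firewall's state-table entry alive.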

  • ACS LDAP authenication - restrict to only certain LDAP users?

    I'm configuring Secure ACS v4.2 for TACACS+ authentication/authorization and command logging. I'd like to use my external LDAP user database for authentication.
    I have this functionality up and working and have one of our 3550 switches able to successfully authenticate against ACS with one of my LDAP username/passwords. Command logging and authorization also appear to be working, as I can see them in the TACACS+ Accounting/Administration logs on the ACS server.
    Is there a way to restrict which LDAP users are allowed to authenticate? For example, out of my 16000 users in LDAP, I only want a handful of users to be able to authenticate against the LDAP server via TACACS+ and get into my devices.
    Can I create an LDAP filter someplace in ACS that specifies only XXX users can authenticate against LDAP and denies all other users?
    Oh, and we do not use the "group" functionality on our LDAP server. All users are part of the same OU in LDAP and are not separated out by a different group OU. I know, I know..... I could probably do it this way, but since that info doesn't exist in our LDAP server I'm looking for another solution.
    I'm running ACS v4.2.0.124.

    Sure, add the allowed users to a group in ACS, then use NAR to restrict what devices they can get to. This link might help as well.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc25eb6
    Hope that helps.
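The question above asks about an LDAP filter that admits only a short list of users from a single OU. The following is an added example, not code from this thread or from ACS, and it is not how the answer above restricts users (ACS groups plus NARs): it assumes a generic LDAPv3 directory queried with an RFC 4515 search filter, builds the allowlist filter with every name escaped, and checks the result against a small constructed directory standing in for the 16000-user OU. The function names and sample entries are assumptions made for illustration.

```python
"""Build and evaluate an LDAP allowlist filter safely (added example, not ACS code).

Assumes a generic LDAPv3 directory and an RFC 4515 search filter. The point
of the escaping is that an allowlist entry is data, not filter syntax: an
unescaped "*" in a name would turn an equality assertion into "everybody".
"""
import re

DIRECTORY = {  # constructed sample entries: one OU, no group attributes
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["bob"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectClass": ["person"], "uid": ["carol"]},
}


def escape_filter_value(value):
    """Escape a literal for use inside a search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def allowlist_filter(users, user_attr="uid", object_class="person"):
    """(&(objectClass=person)(|(uid=a)(uid=b)...)) with every name escaped."""
    if not users:
        raise ValueError("empty allowlist: the filter would match nobody")
    clauses = "".join(f"({user_attr}={escape_filter_value(u)})" for u in sorted(set(users)))
    return f"(&(objectClass={object_class})(|{clauses}))"


# A minimal evaluator for the filter subset used above: '&', '|' and attr=value.

def _parse(s, i=0):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)          # a literal ')' inside a value is escaped as \29
    return ("=", s[i:eq], s[eq + 1:end]), end + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _value_regex(v):
    # A raw '*' is a wildcard; an escaped '\2a' survives the split and becomes a literal.
    return re.compile(".*".join(re.escape(_unescape(part)) for part in v.split("*")))


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, entry) for k in node[1])
    _, attr, value = node
    rx = _value_regex(value)
    return any(rx.fullmatch(v) for v in entry.get(attr, ()))


def allowed_users(filter_str, directory=DIRECTORY):
    """uids of the entries a directory server would return for this filter."""
    node, _ = _parse(filter_str)
    return sorted(e["uid"][0] for e in directory.values() if _matches(node, e))


def demo():
    safe = allowlist_filter(["alice", "bob"])
    # An allowlist name containing a wildcard must not widen the match:
    # escaping turns "*" into "\2a", which only matches a literal asterisk.
    tricky = allowlist_filter(["alice", "*"])
    unescaped = "(&(objectClass=person)(|(uid=alice)(uid=*)))"   # what not to build
    return allowed_users(safe), allowed_users(tricky), allowed_users(unescaped)


if __name__ == "__main__":
    print(allowlist_filter(["alice", "bob"]))
    print(demo())
```

The evaluator only exists so the example runs offline; against a real directory the same filter string would be handed to the server's search operation. The comparison in demo() is the practical check: the escaped allowlist never returns more than the listed names, while the unescaped version returns the whole OU.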

  • ACS LDAP Integration

    Hello Friends,
    While I am trying to integrate ACS (10.216.24.25) with the AD server (10.216.12.73), I am getting an error.
    Following is the capture I got.
    The error says “bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurity”
    Can you please check how to fix this issue?
    I am attaching the wireshark capture also.

    Hi Rashid,
    A very quick way to sort this out could be to first test by browsing the LDAP database with a free LDAP browser such as Softerra:
    http://softerra-downloads.com/ldapadmin/ldapbrowser26.msi
    Once you successfully bind and browse the tree with this browser, you can apply the same settings to ACS.
    Regards,
    Fede
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Need Help With ACS LDAP setup to Query AD

    I have 2 Win 2003 ADs; one of them is configured and working under the Windows Database (using remote agent) configuration. I am trying to set up the second AD with the Generic LDAP setup. I want to know what exactly I should use in the fields UserObjectType and Class, and GroupObjectType and Class, for Windows 2003 AD. All Cisco documents give examples of Netscape LDAP syntax. I was told by our server admin what to put under Admin DN: CN=myid,OU=mygroup,OU=myorg,DC=mydomain,DC=com
    I have both user & group directory subtree fields filled with DC=mydomain,DC=com.
    I am using the ip address for Primary LDAP server, and port is 389, LDAP version 3 is checked.
    Are any of these (DC, OU, etc.) case sensitive?
    With all entries that I have tried, when I go to map a group, I am getting error "LDAP server NOT reachable. Please check the configuration". My ACS can ping the domain controller's IP address fine.
    Please help. Thank you in advance,
    Murali

    Murali,
    These references may help...
    http://download.microsoft.com/download/3/d/3/3d32b0cd-581c-4574-8a27-67e89c206a54/uldap.doc
    http://www.microsoft.com/technet/archive/winntas/plan/dda/ddach02.mspx?mfr=true
    http://technet.microsoft.com/en-us/library/aa996205.aspx
    Regards,
    Richard

  • Authentication ACS LDAP PEAP ?

    Hello
    Could you tell me if it's possible to do 802.1X authentication with an LDAP server using PEAP MS-CHAP v2 (machine authentication)?
    In fact, with the Windows external database, it works fine.
    We use only machine authentication with VLAN assignment over PEAP.
    Another thing: we want to use MAC Authentication Bypass for printers or other laptops... but we wonder if it could work with an external Windows database or LDAP?
    Thanks for your help

    No, this isn't possible, as LDAP servers do not support MSCHAP v1 or v2.
    You'd need something that can carry a plain-text password inside the EAP tunnel, like EAP-GTC.

  • LDAP Connectivity ACS

    Hi,
    I have a requirement to change the server that the ACS appliances (2 x running primary/secondary) (5.2) are using as an external identity store. I previously changed the server host name under the External Identity Stores\LDAP\Server Connection tab. The issue was that when I performed a test bind it was successful, BUT under the Directory Groups tab I lost the group name entries, only recovering them as I exited the config without saving anything.
    So my question is, how do I change the server connection and reinstate the directory group list? There are a number of entries and I need them all back in with minimal disruption to the network. There must be an easier way than entering them all manually?
    Thanks,
    Pete

    Any changes in the server connection, like IP or credentials, would not be allowed unless you remove all the references from the ACS config, because the connection is built based on that information.
    However, you can create more than one LDAP instance in ACS 5.2. By creating more than one LDAP instance with different IP address or port settings, you can configure ACS to authenticate by using different LDAP servers or different databases on the same LDAP server.
    Each primary server IP address and port configuration, along with the secondary server IP address and port configuration, forms an LDAP instance that corresponds to one ACS LDAP identity store instance.
    ACS 5.3 does not require that each LDAP instance correspond to a unique LDAP database. You can have more than one LDAP instance set to access the same database.
    Regards,
    Jatin

  • PEAP-GTC on Win 7 and 8 platforms (LDAP authentication doesn't work)

    Hi all!
    Customer is using Open LDAP as directory services.
    We're setting Cisco Wi-Fi network with following authentication scheme:
    Wireless LAN Controller - Cisco ACS 5.3 - Open LDAP
    According to the documents, ACS with LDAP supports only the EAP-TLS and PEAP-GTC methods.
    We need to perform username/password authentication. It works well on Apple and Android devices, but it doesn't want to authenticate Windows 7 clients.
    We're unchecking "Validate Servers certificate" in the WLAN settings of the Win 7 client, but it still doesn't work.
    It seems that Windows doesn't support the PEAP-GTC method. Is there any workaround to solve the issue?
    I might assume that there could be some software plug-ins (supplicants) that can be installed on Windows and give support for PEAP-GTC. But in this case the customer will face serious organizational issues provisioning new devices.
    Please advise!
    Thank you!
    Yuriy

    In order to see PEAP EAP-GTC option on the client, you need to install EAP-GTC supplicant on the client machine.
    Check this:
    http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1007967
    Jatin Katyal
    - Do rate helpful posts -

  • NEED EXAMPLE AD INTEGRATION CONFIGURATION ON ACS 3.3, 5.3

    Hi,
    Please give an example of Active Directory configuration related to RADIUS in Windows Server 2003.
    In the same way, I need step-by-step AD configuration in ACS.
    Please help on this. I searched a lot but am not getting any exact docs which cover both of these things.
    I need to configure End User (Wireless or L3 Device) --> ACS --> LDAP for Authentication
    Regards,
    Sakthivel

    Before you integrate ACS 5.x with AD, ensure that the time zone, date and time on the ACS match those on the AD primary domain controller. Also, define the DNS server on the ACS in order to be able to resolve the domain name from the ACS 5.x. Complete these steps in order to configure the ACS 5.x Application Deployment Engine (ADE-OS):
    Please follow the link below for the step-by-step configuration, because it's not possible to paste the full steps here:
    http://www.cisco.com/en/US/products/ps9911/products_configuration_example09186a0080bc6506.shtml

  • Anyone got ACS SE 4.2.1 authenticating against server 2008 R2 via LDAP?

    Hi, I'm working on a new network implementation where the customer has ACS SE and wants to use AD for machine based authentication of wired 802.1x clients.
    As the support for 2008 R2 server (64-bit OS used here) using the remote agent is not yet released, they are attempting to set this up using an LDAP connection. The final goal is to use certificate-based authentication, and I have had a message indicating this authentication type may not work due to an issue with binary comparison, so we started with basic username/password accounts first.
    So far the ACS is populating its external user database fields with the domains set up on AD, but user authentication is failing.
    Briefly, we started with basic username/password using MD5-CHAP on XP to an account configured on ACS; that worked fine. Then we set up the external user database to use an LDAP connection to AD, and an unknown user policy; this doesn't work. It looks like the issue could be to do with the LDAP attributes not being set correctly.
    Has anyone used LDAP as an authentication mechanism against 2008 R2 based AD and got it working?

    Aacole,
    The above error message says that your external database, which is LDAP, doesn't support EAP-MD5, and that is quite true.
    You may check the link listed below for protocol and database compatibility.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp824733
    Since you are using LDAP, it only supports EAP-GTC.
    Do let me know if you need any further suggestions.
    Regds,
    JK
    Do rate helpful posts-

  • ACS v5.1 - LDAP and PEAP

    Hi!
    I'm trying to authenticate a WinXP client with PEAP.
    And since it is only possible to define one Active Directory in ACS v5.1 (why on earth is that???), I had to define my other AD domain through LDAP.
    But when I try to authenticate, this is what happens:
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new  session
    Evaluating Service Selection  Policy
    15004  Matched rule
    15012  Selected Access  Service - Policy-SwitchAccess-Testdomain
    11507  Extracted  EAP-Response/Identity
    12500  Prepared EAP-Request  proposing EAP-TLS with challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12301  Extracted  EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request  proposing PEAP with challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12302  Extracted EAP-Response  containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully  negotiated PEAP version 0
    12800  Extracted first TLS  record; TLS handshake started.
    12805  Extracted TLS  ClientHello message.
    12806  Prepared TLS  ServerHello message.
    12807  Prepared TLS  Certificate message.
    12810  Prepared TLS  ServerDone message.
    12305  Prepared EAP-Request  with another PEAP challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12304  Extracted EAP-Response  containing PEAP challenge-response
    12305  Prepared EAP-Request  with another PEAP challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12304  Extracted EAP-Response  containing PEAP challenge-response
    12318  Successfully  negotiated PEAP version 0
    12812  Extracted TLS  ClientKeyExchange message.
    12804  Extracted TLS Finished  message.
    12801  Prepared TLS  ChangeCipherSpec message.
    12802  Prepared TLS Finished  message.
    12816  TLS handshake  succeeded.
    12310  PEAP full handshake  finished successfully
    12305  Prepared EAP-Request  with another PEAP challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12304  Extracted EAP-Response  containing PEAP challenge-response
    12313  PEAP inner method  started
    11521  Prepared  EAP-Request/Identity for inner EAP method
    12305  Prepared EAP-Request  with another PEAP challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12304  Extracted EAP-Response  containing PEAP challenge-response
    11522  Extracted  EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request  for inner method proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request  with another PEAP challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12304  Extracted EAP-Response  containing PEAP challenge-response
    11808  Extracted EAP-Response  containing EAP-MSCHAP challenge-response for inner method and accepting  EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity  Store -
    22043  Current Identity Store  does not support the authentication method; Skipping it.
    22056  Subject not found in  the applicable identity store(s).
    22058  The advanced option  that is configured for an unknown user is used.
    22061  The 'Reject' advanced  option is configured in case of a failed authentication request.
    11815  Inner EAP-MSCHAP  authentication failed
    11520  Prepared EAP-Failure  for inner EAP method
    22028  Authentication failed  and the advanced options are ignored.
    12305  Prepared EAP-Request  with another PEAP challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an  existing session
    12304  Extracted EAP-Response  containing PEAP challenge-response
    12307  PEAP authentication  failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS  Access-Reject
    What does this mean? Is it possible that ACS *STILL* does not support PEAP authentication against LDAP??
    The other thing that bothers me is that the matching rule is Default.
    But when I go into the matching policy to see the hit count, none of the rules (including Default) has increased its Hit Count... very strange.
    Thanks.

    LDAP as an external database never supports PEAP with MSCHAP. The client should be installed with the EAP-GTC supplicant.
    PEAP MSCHAPv2 only works with Active Directory.
    It's an LDAP limitation, not ACS; there is no LDAP API to do it.
    Supported LDAP servers and 802.1X clients:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/device_support/sdt51.html#wp71123
    You may check the PEAP FAQs; please take a look under the EAP type comparison chart:
    http://www.cisco.biz/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa_ps2706_Products_Q_and_A_Item.html
    Regds,
    JK
    Do rate helpful posts-
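The step log in the question above ends in a reject because the inner method negotiated inside PEAP (EAP-MSCHAP, step 11808) is one the selected identity store cannot verify (step 22043), which is the limitation Tarik, the PEAP answer and JK all describe. The following added example, not Cisco code, pulls that pattern out of such a log. The step codes and messages in SAMPLE_LOG are a constructed subset copied from the log quoted in the post; the capability table, the function names and the wording of the verdicts are assumptions made for illustration, and the table records only what this thread states (MS-CHAP needs the password hash that an AD join gives ACS and a generic LDAP bind does not, while EAP-GTC and EAP-TLS work against LDAP), so check it against the compatibility table linked in the answer before relying on it.

```python
"""Pick out the reason for a reject in an ACS 5.x step log (added example, not Cisco code)."""
import re

# Constructed subset of the step log quoted in the post above; untagged lines such
# as "Evaluating Identity Policy" appear in the real log and carry no step code.
SAMPLE_LOG = """\
11001  Received RADIUS  Access-Request
12318  Successfully  negotiated PEAP version 0
12313  PEAP inner method  started
11521  Prepared  EAP-Request/Identity for inner EAP method
11806  Prepared EAP-Request  for inner method proposing EAP-MSCHAP with challenge
11808  Extracted EAP-Response  containing EAP-MSCHAP challenge-response for inner method and accepting  EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity  Store -
22043  Current Identity Store  does not support the authentication method; Skipping it.
22056  Subject not found in  the applicable identity store(s).
11815  Inner EAP-MSCHAP  authentication failed
11003  Returned RADIUS  Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")
INNER_METHOD_RE = re.compile(r"accepting (EAP-[A-Z0-9]+) as negotiated")
UNSUPPORTED_METHOD = 22043   # "Current Identity Store does not support the authentication method"

# Inner EAP methods each store type can verify, as stated in this thread (assumption;
# the authoritative list is the compatibility table linked in the answer).
STORE_CAPABILITIES = {
    "AD": {"EAP-MSCHAP", "EAP-GTC", "EAP-TLS"},
    "LDAP": {"EAP-GTC", "EAP-TLS"},
}


def parse_steps(text):
    """Return [(code, message)] for every line that carries a five-digit step code;
    runs of spaces inside the message (as printed by ACS) are collapsed to one."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), re.sub(r"\s{2,}", " ", m.group(2))))
    return steps


def negotiated_inner_method(steps):
    """The inner EAP method the client accepted, or None if it never got that far."""
    for _, msg in steps:
        m = INNER_METHOD_RE.search(msg)
        if m:
            return m.group(1)
    return None


def diagnose(text, store_type):
    """Explain a 22043 reject given the type of store the identity policy selected."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    inner = negotiated_inner_method(steps)
    if UNSUPPORTED_METHOD not in codes:
        return "no 22043 in this log; the identity store did not refuse the method"
    if inner is None:
        return "22043 present but the inner method is not visible in the log"
    supported = STORE_CAPABILITIES.get(store_type, set())
    if inner in supported:
        return f"{inner} should work against {store_type}; check store selection and subject lookup"
    return (f"{inner} cannot be verified against the {store_type} store; "
            f"use {' or '.join(sorted(supported))} with it, or an AD store for {inner}")


if __name__ == "__main__":
    print(negotiated_inner_method(parse_steps(SAMPLE_LOG)))
    print(diagnose(SAMPLE_LOG, "LDAP"))
```

Run against the quoted log with the store type set to LDAP, diagnose() names EAP-MSCHAP as the method the store cannot verify and lists EAP-GTC and EAP-TLS as the alternatives, which is the answer JK gives above; with the store type set to AD it reports that the method should have worked, pointing at store selection or the subject lookup instead.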

  • Cisco ACS 5.2 authentication against multiple LDAP servers

    Hi Folks,
    I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
     - User tries to associate to WLAN
     - Authentication request is sent to ACS
     - Service selection rule chooses an access-policy (wireless_access_policy)
     - wireless_access_policy is configured to use my_ldap as identity source.
    A sister company is about to move into our offices, and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?

    Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
    You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

  • EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

    Hello all,
    I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
    His intended network plan is to use Vista laptops doing machine authentication only towards an ACS server integrated with a non-Microsoft LDAP server. The mechanism of choice is EAP-TLS.
    We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
    The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
    When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
    All of this appears to be successful the first time.
    If we disassociate the machine, the problems start. The accounting STOP message is never sent.
    Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
    Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
    My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
    If someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
    Thanks
    Gustavo

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did it with a not-so-simple AutoIt script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    Please cross-reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

    Hi, I have an ACS and an Open-LDAP server running on my company network.
    Now I'm setting up a new Linksys WAP-54G and chose the WPA2-Enterprise option with ACS as the RADIUS server.
    First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
    Then I moved on to the external entity (LDAP server). I set up the LDAP configuration and identity sequence, and also selected it on the access service. But when I tried to authenticate from my computer, an error occurred. I received the following error: 22056 Subject not found in the applicable identity store(s)
    Wondering about this, I set up a Cisco 1841 router as an AAA client, and surprisingly... it works!!!
    So, is there any problem authenticating from a Windows platform to ACS (pointing to LDAP)?
    Any suggestions?
    Thanks

    This is the log when using Windows 7 as the authentication client (failed):
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network Access
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12301  Extracted EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started.
    12805  Extracted TLS ClientHello message.
    12806  Prepared TLS ServerHello message.
    12807  Prepared TLS Certificate message.
    12810  Prepared TLS ServerDone message.
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12318  Successfully negotiated PEAP version 0
    12812  Extracted TLS ClientKeyExchange message.
    12804  Extracted TLS Finished message.
    12801  Prepared TLS ChangeCipherSpec message.
    12802  Prepared TLS Finished message.
    12816  TLS handshake succeeded.
    12310  PEAP full handshake finished successfully
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP method
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11522  Extracted EAP-Response/Identity for inner EAP method
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -
    22043  Current Identity Store does not support the authentication method; Skipping it.
    24210  Looking up User in Internal Users IDStore - xxxxx
    24216  The user is not found in the internal users identity store.
    22016  Identity sequence completed iterating the IDStores
    22056  Subject not found in the applicable identity store(s).
    22058  The advanced option that is configured for an unknown user is used.
    22061  The 'Reject' advanced option is configured in case of a failed authentication request.
    11815  Inner EAP-MSCHAP authentication failed
    11520  Prepared EAP-Failure for inner EAP method
    22028  Authentication failed and the advanced options are ignored.
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12307  PEAP authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    This is the log when using the 1841 router as the authentication client (succeeded):
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11049  Settings of RADIUS default network will be used
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - LDAPyyyy
    24031  Sending request to primary LDAP server
    24015  Authenticating user against LDAP Server
    24022  User authentication succeeded
    22037  Authentication Passed
    22023  Proceed to attribute retrieval
    22038  Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
    24210  Looking up User in Internal Users IDStore - xxxxx
    24216  The user is not found in the internal users identity store.
    22016  Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - Permit Access
    11002  Returned RADIUS Access-Accept
    I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
    So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
    Is there anything I can do to make it work?

  • ACS 5.2 LDAP authentication through groupMembership

    Hi all,
    I've successfully configured ACS to authenticate users against our Novell directory through an LDAP external identity store. With this setup all users having a Novell account are authenticated.
    There's an extra requirement that only users belonging to the group "Internet Access Users" can be authenticated. Running debugging on the ACS (5.2), I've been able to see that ACS can extract the user's group attribute as below:
    LDAP-response-search-entry-attr-value=groupMembership=cn=Internet Access Users\,ou=App Groups\,ou=ZENINTH\,o=Company
    but I am unable to create mappings/rules that filter on this extra value. What I did is:
    - Under External Identity Stores --> LDAP --> LDAP_Connection --> Directory Attributes, I added Attribute Name = "groupMembership", Type: "String", Policy Condition Name: "LDAP_Connection:groupMembership"
    - Under Access Policies --> Internet Access --> Authorization, I created Rule-1 stating that if "LDAP-LDAP_Connection:groupMembership contains cn=Internet Access Users" it will PermitAccess. The default rule is DenyAccess.
    But it seems it didn't work (Rule-1 is never hit).
    Could anybody shed some light?
    Thank you very much,

    OK, all is working, consider this solved.
    A restart of the ACS service magically fixed whatever was going on.
    Cheers
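    The rule the post settled on is a "contains" match on the groupMembership attribute, i.e. a substring test on the logged DN. That is fine when only one group name starts with that text, but a directory that later gains a group such as "Internet Access Users Restricted" would satisfy the same rule and be granted access. The Python below is an added example, not code from the post or from ACS: the attribute values are constructed to look like the ACS 5.2 debug line quoted above (separator commas logged as "\,"), the extra group names are hypothetical, and it puts the substring rule next to a normalized whole-DN comparison that only the intended group can satisfy.

```python
"""Authorization on an LDAP groupMembership attribute: substring vs whole-DN match."""
import re

# Constructed multi-valued groupMembership for one user, in the form ACS logs it.
SAMPLE_GROUPMEMBERSHIP = [
    r"cn=Internet Access Users\,ou=App Groups\,ou=ZENINTH\,o=Company",
    r"cn=Internet Access Users Restricted\,ou=App Groups\,ou=ZENINTH\,o=Company",  # hypothetical
    r"cn=Staff\,ou=App Groups\,ou=ZENINTH\,o=Company",                             # hypothetical
]
INTERNET_GROUP = "cn=Internet Access Users,ou=App Groups,ou=ZENINTH,o=Company"


def logged_value_to_dn(logged: str) -> str:
    """ACS escapes the RDN-separator commas when it logs the value; undo only that
    (assumption: the logged "\\," marks separators, not commas inside a value)."""
    return logged.replace("\\,", ",")


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs per RFC 4514: RDNs are separated by
    unescaped commas and a backslash escapes the next character. cn/ou/o match
    case-insensitively in LDAP, so both sides are lower-cased."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        value = re.sub(r"\\(.)", r"\1", value.strip())
        rdns.append((attr.strip().lower(), value.lower()))
    return rdns


def rule_contains(values, needle: str) -> bool:
    """The post's rule: 'groupMembership contains cn=Internet Access Users'.
    A raw substring test, so any CN that merely starts with that text matches too."""
    return any(needle in v for v in values)


def rule_member_of(values, group_dn: str) -> bool:
    """Compare each logged value against the full target DN, RDN by RDN."""
    target = parse_dn(group_dn)
    return any(parse_dn(logged_value_to_dn(v)) == target for v in values)


def authorize(values, group_dn: str = INTERNET_GROUP) -> str:
    """Default-deny decision in the shape of the post's policy, using the exact match."""
    return "PermitAccess" if rule_member_of(values, group_dn) else "DenyAccess"


if __name__ == "__main__":
    restricted_only = [SAMPLE_GROUPMEMBERSHIP[1]]
    print("contains  :", rule_contains(restricted_only, "cn=Internet Access Users"))
    print("member_of :", authorize(restricted_only))
```

    For a user whose only membership is the hypothetical "Internet Access Users Restricted" group, rule_contains returns True while authorize returns DenyAccess. In ACS terms the equivalent is to match the attribute with "equals" against the full group DN rather than "contains" against its prefix, and to keep the default rule at DenyAccess as the post already does.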
