ACS support Kerberos User Database?

Hi,
I have a customer who currently has a Kerberos user database. I proposed that he implement ACS to enable 802.1X on wireless clients. Can ACS support or integrate with a Kerberos user database? If yes, is there any user guide that lists the steps for doing so?
I searched through the Cisco website but failed to find any info related to integrating ACS with a Kerberos user database.
Thanks.
Delon

For network users who are authenticated by a Windows user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section.

Similar Messages

  • ACS and Windows 2000 user database communication port

    Can my Windows 2000 SP4 + ACS v3.23 server install any new Windows 2000 service pack?
    I'm afraid of infecting the ACS service.
    So I want to install a firewall on this server to block malicious traffic.
    However, my ACS uses an external Windows 2000 user database for authentication.
    Can anyone tell me what protocols or ports they use to communicate?
    I have to allow for this traffic on my firewall.

    Hi Cheng,
    I think you can install any service pack without problems; SP4 is the latest one for Win2000 and your server already has this SP.
    For your second question you need to specify many protocols according to your Active Directory config. In this link you can find a list of these protocols, and the best way is to use debug or logging, or a sniffer, to know the exact protocol flow between your ACS and AD server:
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards

  • Supported devices/users on Cisco ACS 4.2

    Hi,
    Does anyone know how many devices/users Cisco ACS 4.2 supports?
    I need to know this information for a very large deployment.
    Regards,

    Hello,
    The following items are general answers to common system-performance questions. The performance of ACS in your network depends on your specific environment and AAA requirements.
    • Maximum users supported by the ACS internal database: There is no theoretical limit to the number of users the ACS internal database can support. We have successfully tested ACS with databases in excess of 100,000 users. The practical limit for a single ACS authenticating against all its databases, internal and external, is 300,000 to 500,000 users. This number increases significantly if the authentication load is spread across a number of replicated ACS instances.
    • Transactions per second: Authentication and authorization transactions per second depend on many factors, most of which are external to ACS. For example, high network latency in communication with an external user database lowers the number of transactions per second that ACS can achieve.
    • Maximum number of AAA clients supported: ACS has been tested to support AAA services for approximately 50,000 AAA client configurations. This limitation is primarily a limitation of the ACS memory.
    System Performance Specification.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp827669
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS User Database Export

    Is it possible to export the user database stored in the Cisco Secure ACS database to a file? I need to see all the user accounts and their group assignments etc. to be able to do reporting on this.
    Any ideas?

    Yes... csutil -d will dump the DB.
    Look at aaa-reports (www.extraxi.com); they can import the dump file and run reports off it.

  • ACS 4.2.1.15 External User Database 'Authen DLL '

    Having a CSACSE-1113-K9 with ACS 4.2.15.
    I want to configure a Windows user database under External User Database but I get an error (attached): 'An error has occurred while processing the Authen DLL Configure page because an error occurred....'
    External User Database -----> Database Configuration ---> Windows Database ------> Configure.
    I tried to stop the services and start them again but have the same issue.
    The appliance is the secondary (backup) ACS. On the primary it is working fine.
    Any help would be appreciated.
    Regards,
    BJ

    Hi Abdul,
    Can you check if the remote agent on the Windows server box is running the same 4.2.1.15 version as well?
    I.e. if ACS is 4.2.1.15 then make sure that the remote agent is also 4.2.1.15,
    or
    if ACS is running 4.2.1.15 patch 2 then the remote agent should also be 4.2.1.15 patch 2.
    Let me know if the version is the same, and if not, install the remote agent correctly and try again.

  • Export and Import are not supported on 10g databases for users logged

    Hi
    I am getting the error written below when I want to export or import my database. I have a standalone system using Windows XP.
    Role Error - Export and Import are not supported on 10g databases for users logged in with the SYSDBA role. Logout and login using a different role before trying again.

    Actually I am new to EM...
    When I want to import anything it asks about the HOST CREDENTIALS.
    I can't understand what it is asking????
    Host Credentials
    * Username
    * Password
    Save as Preferred Credential
    It generates the below error:
    Error - ERROR: Wrong password for user

  • Export User-Database between ACS-Server

    Hi everyone ,
    an ACS 2.3 is running under Unix with 3000 users. The job is to migrate the user database to a new ACS server under Windows.
    On the Unix version 2.3 there is no way to export the database externally.
    The only way, I hope, is to mirror the old and the new server as redundant servers, and once the database is mirrored on both servers, the database is ready for export.
    Is this correct?
    Is there another way?
    Thanks for your input.
    Ralf

    The migration should go to version 3.1 or 3.2 .
    Ralf

  • ACS User database Backup

    Is it possible to have the ACS user database in an Excel sheet?

    Hi,
    You can open the .dmp file in Notepad but that will not provide any info as it is not user readable.
    You need to export the list of users with a .txt extension.
    Here is the command that you need to run from the command prompt where ACS is installed:
    Start > Run > cmd > go to this directory
    C:\Program Files\CiscoSecure ACS v4.2\bin>net stop csauth
    CSUtil.exe -u user.txt
    C:\Program Files\CiscoSecure ACS v4.2\bin>net start csauth
    Then you can easily access user.txt file in notepad.
    HTH
    JK
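    One way to automate the three commands above, as an added example that is not part of JK's post: the script stops CSAuth, runs the export, restarts the service even if the export fails, and then restricts and hashes the export file because it lists every account and its group assignments. CSUtil.exe, its -u switch and the bin path are from the post; the destination path is an assumption.

```powershell
# Added example, not from the original post: automates the CSUtil export
# described above. Assumes ACS 4.2 on Windows with CSUtil.exe in the bin
# directory shown in the post; the destination path is an assumption.
$AcsBin   = 'C:\Program Files\CiscoSecure ACS v4.2\bin'
$ExportTo = Join-Path $env:USERPROFILE 'acs-users.txt'   # assumed location

if (-not (Test-Path (Join-Path $AcsBin 'CSUtil.exe'))) {
    throw "CSUtil.exe not found in $AcsBin"
}

Push-Location $AcsBin
try {
    # CSAuth must be stopped before CSUtil touches the user database
    Stop-Service -Name csauth -ErrorAction Stop
    (Get-Service -Name csauth).WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))

    # Same command as the post; user.txt is written into the bin directory
    & .\CSUtil.exe -u user.txt
    if ($LASTEXITCODE -ne 0) { throw "CSUtil exited with code $LASTEXITCODE" }

    Move-Item -Path .\user.txt -Destination $ExportTo -Force
}
finally {
    # Bring authentication back even if the export failed
    Start-Service -Name csauth
    Pop-Location
}

# The export lists every account and its group assignments, so lock the file
# down to the exporting admin and record a hash for later integrity checks.
$me = "$env:USERDOMAIN\$env:USERNAME"
icacls $ExportTo /inheritance:r /grant:r "${me}:(F)" | Out-Null

$hash  = Get-FileHash -Path $ExportTo -Algorithm SHA256
$lines = (Get-Content -Path $ExportTo | Measure-Object -Line).Lines
"Exported $lines lines to $ExportTo"
"SHA256: $($hash.Hash)"
```

    Run it from an elevated PowerShell session on the ACS host, since stopping and starting csauth requires administrative rights.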

  • Integrating ACS with user database in Windows DC

    Please,
    I just installed and configured ACS on a Windows 2003 server on my network. The next task is to integrate the user database in my DC with the ACS. I need you to tell me in steps what else needs to be done. The documentation is not specific.
    (I heard about 'remote agent'; please, what is this, and is it required?)

    I think you can map your DC groups to ACS groups:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940538
    M.

  • ACS Appliance - Local User Password Changing Options

    I am configuring a pair of 1113 appliances running ACS 4.2. The client wants to use only local user accounts stored in the ACS database for AAA on devices and for LMS and Ops Manager logins. There are configurable password aging settings for users and groups. The question that I have is how are the users notified that their passwords are expired, and how can they change them? The customer uses only SSH for device management. Is the UCP utility still a requirement if an appliance is used as opposed to a standard Windows ACS installation? I also came across this bug:
    SCsj50218 Bug Details
    Password expiry feature should be supported for users local to ACS
    Symptom:
    ACS currently does not support the password expiry / password management feature for locally configured users.
    Conditions:
    Users are configured locally on ACS as opposed to an external database such as Active Directory.
    Workaround:
    Use an external database / server where user profiles are set up.

    ACS supports Password Aging for Device-hosted Sessions: users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session.
    You can also control whether Cisco Secure ACS propagates passwords changed by this feature.
    UCP is used in both appliance and Windows installations.
    Regards,
    ~JG
    Do rate helpful posts

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux box with RSA SecurID 6.1 and Cisco ACS 3.2. I use TACACS+ authentication for logging into the Cisco router, such as telnet and SSH. In the ACS I use "External User Databases" for authentication, which proxy the request from the ACS over to the RSA SecurID server. I installed the RSA Agent with the sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be the "RSA_SecurID" group. In "External User Databases" and "Database Configuration" I assign SecurID to this "RSA_SecurID" group.
    Everything is working fine. In "User Setup" I can see dynamic users test1, test2, ... testn listed as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
    The problem is that if test1 wants to go into "enable" mode with a SecurID login, I have to go into the "test1" user settings, select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
    Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at group level where I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, the test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token.
    The way you described it, it seemed like anyone in this group can go directly into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • R/3 User database Migration to LDAP

    Dear all,
    I would like to ask for your suggestions about migrating from using the user database in R/3 to using LDAP as the user data source.
    Currently we are using SAP R/3 as the user data source, since the LDAP infrastructure will be deployed to large user groups that include just a small group using SAP, and the LDAP live date will be later than the portal live date.
    In the next few years, we plan to use LDAP as the data source for the portal to consolidate and use the same source of users.
    I would like to ask for your advice on which specific areas we would have to be careful to handle.
    So far, I can determine only:
    - User naming convention.
    - Prepare LDAP in the QA and DEV environments to also support testing.
    If anyone has experience with such scenarios, kindly advise.
    Thank you

    Hi,
    SSO
    http://help.sap.com/saphelp_nw04/helpdata/en/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm (SSO to SAP system, Single Sign-On with SAP Logon Tickets, Single Sign-On with User ID and Password)
    Connecting to LDAP
    http://help.sap.com/saphelp_nw04s/helpdata/en/12/7678123c96814bada2c8632d825443/frameset.htm
    Anonymous
    http://help.sap.com/saphelp_nw04s/helpdata/en/cd/1aad4abcb98c4597f9e395a6b62f43/frameset.htm
    Federated Portal.
    I have never worked with it so can't tell much about that.
    If you have any problem with the above three you can reach me; I guess you have my mail ID also.
    Thanks
    Pankaj

  • IChat - Host does not support Kerberos authentication

    Hi all,
    I have been trying, but with no success, to set up an iChat server on 10.6. Our OS X server is bound to AD and will hopefully be using AD to authenticate the iChat clients. I have followed Apple's guide on commenting out the <!-- <cram-md5/> --> section of the c2s.xml file, which hasn't solved our problems. Open Directory isn't running as a master; it is connected to another directory (our AD directory), and as a test I set up a Wiki server on the same box and this does allow us to authenticate against AD.
    The error message we are receiving in iChat is "The host example.com does not support Kerberos authentication." The client is set to use Kerberos, the username format is [email protected], and all the settings are, I think, correct.
    Under iChat General Settings on the server the Host Domain is example.com, SSL Certificate: No Certificate, Authentication: Any Method, and Enable XMPP server-to-server federation is enabled for all domains.
    This is our jabber fullstatus:
    jabber:state = "RUNNING"
    jabber:readWriteSettingsVersion = 1
    jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
    jabber:logPaths:MUCSTDLOG = "/var/jabberd/log/mu-conference.log"
    jabber:logPaths:JABBER_LOG = "/var/log/system.log"
    jabber:proxyState = "RUNNING"
    jabber:currentConnections = "0"
    jabber:currentConnectionsPort1 = "0"
    jabber:currentConnectionsPort2 = "0"
    jabber:pluginVersion = "10.6.100"
    jabber:serviceMode = "CHATSERVER"
    jabber:domainName = "example.com"
    jabber:mucState = "RUNNING"
    jabber:servicePortsAreRestricted = "NO"
    jabber:servicePortsRestrictionInfo = emptyarray
    jabber:hosts:arrayindex:0 = "example.com"
    jabber:setStateVersion = 1
    jabber:startedTime = "2010-10-07 16:12:01 +0100"
    jabber:jabberdState = "RUNNING"
    This is our changeip -checkhostname:
    Primary address = 192.168.1.20
    Current HostName = ichat.example.com
    DNS HostName = ichat.example.com
    The names match. There is nothing to change.
    dirserv:success = "success"
    Any help with this would be much appreciated, and I can supply further log details if needed. I have used example.com to protect our domain name but I kept the format identical.
    Cheers,
    Chris

    From the console:
    08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16a16a].com.apple.iChat[2873]) The USER environmental variable changed out from under us!
    08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16a16a].com.apple.iChat[2873]) In a future build of the OS, this error will be fatal.
    08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16b16b].com.apple.iChatAgent[2875]) The USER environmental variable changed out from under us!
    08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16b16b].com.apple.iChatAgent[2875]) In a future build of the OS, this error will be fatal.
    08/10/2010 13:00:52 iChatAgent[2875] [Warning] JConnection: Error: Error Domain=XMPPErrorDomain Code=122 UserInfo=0x10020b680 "The host corepublishing.co.uk does not support Kerberos authentication."
    The iChat server log shows this at the same time:
    Oct 8 13:00:52 ichat jabberd/c2s[1051]: [7] [::ffff:192.168.2.170, port=50624] connect
    Oct 8 13:00:52 ichat jabberd/c2s[1051]: [7] [::ffff:192.168.2.170, port=50624] disconnect jid=unbound, packets: 0

  • IDM 7.1 does not support MySQL repository database?

    The IDM 7.1 release notes state the following note under the requirements:
    Identity Manager supports the following repository database servers...
    NOTE Identity Manager supports MySQL in a development environment only.
    MySQL is not supported in a production environment.
    Can someone comment on this? This is new.

    Note that the support for MySQL also extends to the SPE functionality; you can run a MySQL script that lets you build a development instance without having to have an Oracle instance, thus saving money in the dev environment. However, in production, installations relying on the SPE transactional functionality in IdM would almost always use Oracle over MySQL. So far, no SPE customer we know of is running MySQL in production, hence the stance of development only, not production.
    As for IN versus JOIN: JOIN works as a construct if the sought-after value appears in more than one column/table within the database (Orders.EmployeeID = Employee.EmpID). As IdM has a data-sparse design and tends to do more lookups from the user interface, there is a need to rely on IN to find the desired records. IN is a perfectly legal basic SQL construct that is supported across all databases (thus not a bug). To fork the code to handle MySQL differently (if the lookup is feasible with a join) would defeat the purpose of using standard SQL to access the repository.

  • Is it possible to configure Safari to support Kerberos ticket forwarding?

    I work in an environment that authenticates with Kerberos. I would like to be able to use Safari in this environment but I am forced to use other browsers that support ticket forwarding. It seems that Safari does support Kerberos authentication according to this support article: http://support.apple.com/kb/HT5385?viewlocale=en_US&locale=en_US. However, it fails to explain how to enable ticket forwarding.

    rdar://6644527: Kerberos ticket forwarding doesn't work in Safari
    FirefoxAuth - User Guides Wiki
