Authenticate windows users via ACS

Hi,
Expert insight required for Cisco ACS: is it possible to authenticate Windows users via ACS and apply ACL policies to network devices?
I would appreciate valued inputs.
Regards,

Yes, it's possible to authenticate Windows users via ACS and push a DACL via RADIUS.
It seems you are looking for DACL. Here is a document that can help you understand it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
Let me know if you need any further help.
Jatin Katyal
- Do rate helpful posts -

Similar Messages

  • ACS 4.2 failure to authenticate windows users

    Hi all , we have a bit of a problem which we cannot seem to resolve.
    The ACS can authenticate people using the local database; it can also authenticate a single user (using the Windows database) if you are fast after the service is restarted. However, after a few seconds it fails to authenticate any users; the error we are seeing in the logs appears as authentication failure type: internal error. Also in the log files, the authentication request from the user does not appear in the correct group; it is thrown into the default group.
    Any ideas on where we should look to the problem?

    Hi,
    It's running on a Windows 2003 server and is running as the system account.
    Auth.log details below on a failed authentication
    AUTH 04/09/2009 17:02:13 A 5789 3000 0x69 Worker 0 waiting for work
    AUTH 04/09/2009 17:02:13 A 5789 1400 0x6 Worker 3 waiting for work
    AUTH 04/09/2009 17:02:13 A 5789 0368 0x4 Worker 1 waiting for work
    AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 0
    AUTH 04/09/2009 17:02:23 A 5821 3000 0x69 Worker 0 established conn 166 with 127.0.0.1:1879
    AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 1
    AUTH 04/09/2009 17:02:23 A 5821 0368 0x4 Worker 1 established conn 167 with 127.0.0.1:1881
    AUTH 04/09/2009 17:02:23 E 6028 3888 0x0 AllocateThread returned 3
    AUTH 04/09/2009 17:02:23 A 5821 1400 0x6 Worker 3 established conn 168 with 127.0.0.1:1883
    AUTH 04/09/2009 17:02:24 A 5853 0236 0x51 Worker 4 error/timeout, forcing API disconnect of connection 165.
    AUTH 04/09/2009 17:02:24 A 5887 0236 0x51 Worker 4 closing conn 165 endpoint. Handled 2 messages.
    AUTH 04/09/2009 17:02:24 A 5789 0236 0x51 Worker 4 waiting for work
    AUTH 04/09/2009 17:02:30 E 2100 4080 0x6d External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)

  • Irregular failure to authenticate OpenDirectory users via password-based ssh

    TL;DR - my Yosemite Open Directory server irregularly fails to properly authenticate users (via password-based ssh). 
    I recently moved an Open Directory server from an Xserve running 10.6 to a new Mini running 10.10.  I archived the OD config on the Xserve and then took it offline.  Then I brought the Mini online using the same hostname/IP address and created a new OD master using the archived configuration.  Everything seemed to work well; however, sometimes the server will not authenticate users via password when logging in with ssh/sftp/scp.  This is also true of a few OS X machines that bind to the OD server (i.e. they usually authenticate users properly, but sometimes fail for no discernible reason). 
    The failures are only for password authentication using ssh.  Other mechanisms do not exhibit the auth failures.  For instance, AFP and SMB user auth never fails (with proper credentials).  Nor do users to a FileMaker Server machine that authenticate via the OD server have problems.  Public key based ssh authentication never fails.  Local accounts (non-OD, aka "Local Network Accounts") also do not fail using password-based authentication.
    The failures are irregular.  The only pattern that I can find at all is that sometimes when the failures start happening, they keep happening continuously until...at some point they work properly again.  That is, they may fail from 11:15 am to 2:01 pm, and if so, then all of them fail in that time range.  Sometimes that time range lasts seconds, sometimes it lasts hours.
    The time range failure pattern is host specific.  For instance, if password authentication is failing on the main OD server, authentication may be fine on the other bound machines.  If authentication is failing on one of the bound machines, then it may be fine on all others and fine on the OD server itself.
    The failure pattern does not seem to correlate to any other events or activity on the server (even remotely).  CPU utilization never gets above about 15%.  Memory utilization is similarly very low.  Network traffic is occasionally high, but it does not seem in any way related to the auth failures.  There are not other log messages that occur before or after the failures with any consistency.
    I've been monitoring the auth failures by attempting to login to the OD server and two other bound hosts once per minute so that I can tell when the auth is failing (before getting calls from the users). 
    The adaptive firewall is not running on the OD server.  Nor is any other firewall.
    Below is a comparison of the system.log entries for a failed and a successful auth (I've stripped out those lines that are identical in both instances).  The log entries have been sanitized as described below.
    Rebooting the OD server does not affect the bound clients' authentication.  Rebooting the OD server is problematic, and I cannot do it often.  When I do, sometimes failures start soon after reboot, and sometimes they don't come back for many hours - again, no discernible pattern.
    If anyone has any ideas what I can do to discover the source of this problem and come up with a solution, I'd very much appreciate it.  Note that I'm aware that I can export all users and groups and reconstruct a new, clean OD master, but without the ability to save the passwords, this becomes a large logistical problem, and I'm saving it as a last resort (particularly since if it doesn't solve my problem, I will have inconvenienced many users and be right back in the same place).
    Thanks for reading.
    First failure:
        Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
        Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
    Now successful auth:
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:62346 for ldap/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: GetStatus: connecting to self not allowed
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: ERROR: AFP_GetServerInfo - connect failed 62
    I've sanitized the entries as follows, replacing...
    My username by myusername
    The ssh source host IP address by 10.50.50.99
    The ssh source hostname by clienthost.myorg.gov
    The server hostname by odserver.myorg.gov
    The server hostname (in caps) by ODSERVER.MYORG.GOV
    The server IP address by 10.50.50.50

    Hello James,
    I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization auth-proxy default group tacacs+ local
    aaa session-id common
    !
    ip auth-proxy name AUTHPROXY http inactivity-time 60
    !
    interface FastEthernet0/0
     ip address 192.168.250.19 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 192.168.200.120 255.255.255.0
     ip access-group 110 in
     ip nat inside
     ip virtual-reassembly
     ip auth-proxy AUTHPROXY
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 192.168.250.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip nat inside source list nat interface FastEthernet0/0 overload
    !
    ip access-list extended nat
     permit ip 192.168.200.0 0.0.0.255 any
    access-list 110 permit ip any any
    !
    tacacs-server host 192.168.250.20
    tacacs-server key cisco123
    end
    Please check if the commands are supported on your router as well.
    If this was helpful please rate.
    Regards.

  • Authenticate windows users accessing os x client using open directory?

    I need to setup an OS X client machine (10.4.6) so that windows users (XP) can access folders based on their open directory credentials. (Using OS X server, open directory, windows PDC). If I turn on windows sharing in system preferences on the mac, it will only share local home folders to users with local accounts - not what I need. Any ideas? thanks.

    Thanks!  So now I see Open Directory, but it seems like it should be listed under the Server app with all the other services...
    Anyhow, I seem to remember a way to administer the users and groups.  This app shows me the status of the services, logs, settings.  The Server app, if I click on Add Users button, then click "connect to it" to supposedly connect to the directory server, it won't take my credentials.  I always get "Cannot authenticate to server.  Please authenticate by entering the name and password of a user account in this server's directory."
    Connect anonymously doesn't seem to do anything, it doesn't even dismiss the dialog.
    So what am I missing?

  • ACS 4.1 failure to authenticate Windows users.

    Hello.
    We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server.
    Starting from today, ACS fails to authenticate users.
    Using the same external user (andrea-meconi) I can verify successful and failed authentication.
    This is the AUTH.log for a generic RADIUS request...
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
    AUTH 25/02/2013 15:30:24 E 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: Starting 1 odbc workers
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: DLL initialised OK
    AUTH 25/02/2013 15:30:24 I 0571 3900 AuthenLoadLibrary: Loaded DLL for External ODBC Database
    AUTH 25/02/2013 15:30:24 I 1645 3900 pvAuthenticateUser: authenticate 'andrea-meconi' against External ODBC Database
    This is the log for an EAP request...
    AUTH 25/02/2013 16:23:56 I 1645 4568 pvAuthenticateUser: authenticate 'venezia\andrea-meconi' against Windows NT/2000
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [venezia\andrea-meconi]
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Got WorkStation CISCO
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by RVVMDCC01PW)
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [20]
    Windows AD is now running on a Windows 2008 server, migrating from 2003.
    Any idea?
    Thanks.
    Andrea

    Windows authentication FAILED (error 1783L)
    The above error indicates that the migration happened overnight. To resolve this issue you need to upgrade your ACS to at least ACS 4.2.0.124 patch 4 or above.
    Supported Operating Systems section
    --Windows Server 2008, Standard Edition
    --Windows Server 2008, Enterprise Edition
    --Japanese Windows Server 2008, Standard Edition, Service Pack 2
    --Japanese Windows Server 2008, Enterprise Edition, Service Pack 2
    NOTE: No version of ACS 4.x supports 2008 R2. Only ACS 5.2 supports it.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • Can my AD connected server use kerberos to authenticate windows users?

    Hi,
    I have installed our brand new Xserve with Leopard and set it up so that it is connected to a directory service (AD). I have checked to see if it is Kerberized and it does appear so.
    What I want to do is provide SSO for our users when they visit our intranet. Our users will be using Windows XP Pro clients. I have tried using basic authentication but this requires the user to enter their network username and password to authenticate. When I try setting the realm security to be Kerberos it doesn't work.
    Can this be done and if so what am I doing wrong? Surely I am not the only person trying to integrate a mac server into a windows environment and provide windows clients with a seamless experience!
    Please help anyone!!!!

    Ok, we managed to solve this!!!
    It was to do with Active Directory. You need to set the xserve in Active Directory to be trusted for delegation (all kerberos services) and voila! Sorted!

  • VPN filter per remote access user (via ACS)?

    Hello everyone,
    I'm deploying IPSec Remote Access VPN for my company. I have Cisco ASA 5540 (8.0.4) and Cisco Secure ACS. I have successfully configured the system with authentication by ACS.
    The question is, I want to apply a filter policy per user. I know that there's a method called vpn-filter. If I use local authentication, I can apply an ACL to the user attributes.
    eg.
    access-list 103 extended permit tcp 10.1.49.2 255.255.255.0 host 10.1.1.10 eq 3389
    username testvpn attributes
     vpn-filter value 103
    But users are configured on ACS, so how can I apply the vpn-filter policy to the user? I don't really want to apply vpn-filter to the group-policy.
    Please help me to find a method. Thank you very much.
    Regards,
    Hiep Nguyen.

    Hi,
    I think this is what you are looking for
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
    You will need to set up the IETF like this
    filter-id=acl_name
    There is a good example right there (better than mine) let me know how it goes.
    Mike

  • Authenticate users by Windows group using ACS

    Currently we are using Windows IAS/RADIUS to authenticate users onto our wireless network and it is set to allow users in a certain Windows group to connect.
    Is there a way to do this with ACS?
    Please note that we are using ACS Solution Engine, not ACS for Windows.
    Thanks.

    Use the Remote Agent for Windows user authentication feature, or configure Windows AD as the LDAP store on the ACS SE.
    Then configure group mapping and put the restrictions in accordingly.
    Regards,
    Prem
    Please rate if it helps!

  • ASA WebVPN - restrict access to users in an AD group via ACS

    Hi folks.
    I'm doing a WebVPN pilot on one of our ASAs (running 7.2.2). Everything is working fine, but I've been asked to restrict access to users that are members of a certain Active Directory group (let's call the group "VPNTEST").
    Right now the ASA does RADIUS auth against our ACS 4.x appliance, which has an external database mapping (via the ACS remote agent) to our Windows Active Directory domain.
    Currently there are only two groups in ACS, the Default (which we use for Wireless authentication) and the "Operations" group, which we use for TACACS auth for the network.
    I can create a group in ACS that maps to the AD VPNTEST group, but where/how do I restrict WebVPN access to just members of that group? Is it a setting on the ACS or the ASA?

    Try using the following to tie users to certain group policies:
    Using a RADIUS Server
    Using a RADIUS server to authenticate users, assign users to group policies by following these steps:
    Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group policy.
    Step 2 Set the Class attribute to the group policy name in the format OU=group_name
    For example, to set a WebVPN user to the SSL_VPN group, set the RADIUS Class attribute to a value of OU=SSL_VPN; (Do not omit the semicolon.)
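    The DACL answer at the top of the page, the vpn-filter question and the WebVPN steps above all come down to what the RADIUS Access-Accept carries back to the ASA. The following Python script, added here and not taken from any of the posts, builds such a reply with Filter-Id (11) = acl_name, Class (25) = OU=SSL_VPN; and a Cisco AV pair carrying a downloadable ACL entry, computes and verifies the RFC 2865 Response Authenticator, and decodes the attributes the way the ASA would; the shared secret, identifier, request authenticator and ACL entry are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet code and the attribute types discussed in these threads.
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11        # IETF Filter-Id: ASA applies the named ACL as the user's vpn-filter
ATTR_CLASS = 25            # IETF Class: "OU=<group-policy>;" selects the ASA group policy
ATTR_VENDOR_SPECIFIC = 26  # carries cisco-av-pair, used for downloadable ACL entries
VENDOR_CISCO = 9
CISCO_AVPAIR = 1

# Constructed values (not from a capture): shared secret, RADIUS identifier and
# the Request Authenticator the ASA would have sent in its Access-Request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
REQUEST_ID = 42


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Wrap a cisco-av-pair string in Vendor-Specific(26), Vendor-Id 9, vendor type 1."""
    value = text.encode("ascii")
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vendor_tlv)


def build_access_accept(identifier, request_auth, secret, attributes):
    """Assemble an Access-Accept; Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """The NAS-side check: a reply whose authenticator does not verify is dropped."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(packet):
    """Return (type, value) pairs; reject bad lengths instead of reading past the buffer."""
    length = struct.unpack_from("!H", packet, 2)[0]
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    result, pos = [], 20
    while pos < length:
        atype, alen = struct.unpack_from("!BB", packet, pos)
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        result.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return result


def cisco_avpairs(attributes):
    """Extract cisco-av-pair strings from Vendor-Specific attributes with Vendor-Id 9."""
    pairs = []
    for atype, value in attributes:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack_from("!I", value, 0)[0] != VENDOR_CISCO:
            continue
        vtype, vlen = struct.unpack_from("!BB", value, 4)
        if vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
            pairs.append(value[6:4 + vlen].decode("ascii", "replace"))
    return pairs


def group_policy_from_class(value):
    """The ASA takes the group-policy name from Class written as 'OU=name;' (semicolon required)."""
    text = value.decode("ascii", "replace")
    if text.startswith("OU=") and text.endswith(";") and len(text) > 4:
        return text[3:-1]
    return None


def demo():
    """Build the reply the threads describe and decode it the way the ASA would."""
    packet = build_access_accept(REQUEST_ID, REQUEST_AUTH, SHARED_SECRET, [
        attr(ATTR_FILTER_ID, b"acl_name"),
        attr(ATTR_CLASS, b"OU=SSL_VPN;"),
        # constructed downloadable ACL entry, modelled on the ACL in the vpn-filter post
        cisco_avpair("ip:inacl#1=permit tcp any host 10.1.1.10 eq 3389"),
    ])
    attrs = parse_attributes(packet)
    by_type = dict(attrs)
    return {
        "authenticator_ok": verify_response_authenticator(packet, REQUEST_AUTH, SHARED_SECRET),
        "filter_id": by_type[ATTR_FILTER_ID].decode("ascii"),
        "group_policy": group_policy_from_class(by_type[ATTR_CLASS]),
        "avpairs": cisco_avpairs(attrs),
        "packet": packet,
    }
```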

  • Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

    Hi, I have an ACS and an OpenLDAP server running on my company network.
    Now I'm setting up a new Linksys WAP-54G and chose the WPA2-Enterprise option with ACS as the RADIUS server.
    First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
    Then I moved on to the external entity (LDAP server). I've set up the LDAP configuration and identity sequence, and also selected it in the access service. But when I tried to authenticate from my computer, an error occurred. I received 
    the following error: 22056 Subject not found in the applicable identity store(s)
    Wondering about this, I set up a Cisco 1841 router to be an AAA client, and surprisingly... it works!!!
    So, is there any problem authenticating from a Windows platform to ACS (pointing to LDAP)?  
    Any suggestions?
    thanks

    This is the log when using Windows 7 as the authentication client (failed):
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    11507  Extracted  EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12301  Extracted EAP-Response/NAK requesting to use  PEAP instead
    12300  Prepared EAP-Request proposing PEAP with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12302  Extracted EAP-Response containing PEAP  challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version  0
    12800  Extracted first TLS record; TLS handshake  started.
    12805  Extracted TLS ClientHello  message.
    12806  Prepared TLS ServerHello  message.
    12807  Prepared TLS Certificate  message.
    12810  Prepared TLS ServerDone  message.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12318  Successfully negotiated PEAP version  0
    12812  Extracted TLS ClientKeyExchange  message.
    12804  Extracted TLS Finished  message.
    12801  Prepared TLS ChangeCipherSpec  message.
    12802  Prepared TLS Finished  message.
    12816  TLS handshake succeeded.
    12310  PEAP full handshake finished  successfully
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP  method
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11522  Extracted EAP-Response/Identity for inner  EAP method
    11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -
    22043  Current Identity Store does not support the  authentication method; Skipping it.
    24210  Looking up User in Internal Users IDStore -  xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    22056  Subject not found in the applicable identity  store(s).
    22058  The advanced option that is configured for  an unknown user is used.
    22061  The 'Reject' advanced option is configured  in case of a failed authentication request.
    11815  Inner EAP-MSCHAP authentication  failed
    11520  Prepared EAP-Failure for inner EAP  method
    22028  Authentication failed and the advanced  options are ignored.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12307  PEAP authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    This is the log when using the 1841 router as the authentication client (succeeded):
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    11049  Settings of RADIUS default network will be  used
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -  LDAPyyyy
    24031  Sending request to primary LDAP  server
    24015  Authenticating user against LDAP  Server
    24022  User authentication  succeeded
    22037  Authentication Passed
    22023  Proceed to attribute  retrieval
    22038  Skipping the next IDStore for attribute  retrieval because it is the one we authenticated against
    24210  Looking up User in Internal Users IDStore -   xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization  Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - Permit  Access
    11002  Returned RADIUS Access-Accept
    I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
    so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?
    is there anything I can do to make it work ?
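    The two step logs above differ in the password-verification scheme the client negotiated: the router sends a PAP password that ACS can forward in an LDAP bind, whereas the Windows supplicant's PEAP inner EAP-MSCHAPv2 is a challenge/response that can only be verified by a store holding the user's NT hash, which an LDAP bind store does not expose (hence step 22043, and the identity sequence falling through to 22056). The following Python triage script, added here and not part of the thread, parses abridged excerpts of both logs and reports the negotiated method, the selected store and the reason for the reject.

```python
import re

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")

# Step codes quoted in the thread and what they tell us about the method.
METHOD_BY_CODE = {
    "12500": "EAP-TLS",            # proposed first; the supplicant NAKed it
    "12300": "PEAP",               # outer tunnel, inner method not yet known
    "11806": "PEAP/EAP-MSCHAPv2",  # inner method proposed
    "11808": "PEAP/EAP-MSCHAPv2",  # inner challenge-response received
}
OUTCOME_BY_CODE = {"11002": "Access-Accept", "11003": "Access-Reject"}

# Excerpts of the two step logs posted above (abridged, original order kept).
WINDOWS_PEAP_LOG = """\
11001  Received RADIUS  Access-Request
12500  Prepared EAP-Request proposing EAP-TLS with  challenge
12301  Extracted EAP-Response/NAK requesting to use  PEAP instead
12300  Prepared EAP-Request proposing PEAP with  challenge
12816  TLS handshake succeeded.
11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
Evaluating Identity Policy
15013  Selected Identity Store -
22043  Current Identity Store does not support the  authentication method; Skipping it.
24216  The user is not found in the internal users  identity store.
22056  Subject not found in the applicable identity  store(s).
11815  Inner EAP-MSCHAP authentication  failed
11003  Returned RADIUS Access-Reject
"""

ROUTER_PAP_LOG = """\
11001  Received RADIUS  Access-Request
Evaluating Identity Policy
15013  Selected Identity Store -  LDAPyyyy
24031  Sending request to primary LDAP  server
24015  Authenticating user against LDAP  Server
24022  User authentication  succeeded
22037  Authentication Passed
15016  Selected Authorization Profile - Permit  Access
11002  Returned RADIUS Access-Accept
"""


def parse_steps(log_text):
    """Return (code, message) pairs; phase lines such as 'Evaluating Identity Policy' carry no code."""
    steps = []
    for line in log_text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), re.sub(r"\s+", " ", m.group(2))))
    return steps


def triage(log_text):
    """Explain one ACS 5.x authentication attempt from its step log."""
    steps = parse_steps(log_text)
    codes = {code for code, _ in steps}
    # The last method proposal wins: a NAK can switch from EAP-TLS to PEAP.
    method = "PAP/ASCII (no EAP)"
    for code, _ in steps:
        method = METHOD_BY_CODE.get(code, method)
    store = None
    for code, msg in steps:
        if code == "15013":
            store = msg.split("-", 1)[-1].strip() or None
    outcome = next((OUTCOME_BY_CODE[c] for c, _ in steps if c in OUTCOME_BY_CODE),
                   "no final reply")
    findings = []
    if "22043" in codes:
        findings.append("22043: the selected store cannot verify %s; an LDAP store only "
                        "binds with the cleartext password, so it serves PAP but not a "
                        "challenge/response that needs the stored NT hash" % method)
        if "MSCHAP" in method:
            findings.append("fix: authenticate against a store that holds the NT hash "
                            "(Active Directory) or switch the inner method to one that "
                            "carries the password, e.g. EAP-GTC inside PEAP")
    if "22056" in codes:
        findings.append("22056: subject not found in any remaining identity store")
    if "24022" in codes:
        findings.append("24022: LDAP bind with the supplied password succeeded")
    return {"method": method, "identity_store": store, "outcome": outcome,
            "findings": findings}
```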

  • 802.1x auth via ACS through unknown user policy - multiple directories?

    A customer has an LDAP directory as well as a Novell NDS directory.
    MAC clients authenticate to IPlanet LDAP.
    Windows users authenticate to Novell NDS.
    Is there any way to use multiple SSIDs and the unknown user policy to authenticate users against their appropriate directories?
    Thanks,
    Tim

    Actually, you can. You can manually add users to the ACS database and specify which external database to use. Take a look at the URL below. It is on adding users to the ACS database using the CSUtil.exe program on the ACS server. The import file that is read allows you to specify which external database type to query for the user's authentication.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/ae.htm#wp365101
    Steve

  • Authenticating LMS 4.x Users via TACACS+ on ACS 4.1

    Hello Support,
    I tried to authenticate the LMS 4.x users via TACACS+ on ACS 4.1, but unfortunately it is not working!
    On LMS 4.x I have created users and I have defined roles for the users. I have defined the Authentication Mode Setup for TACACS+ on LMS 4.x.
    On the ACS 4.1 I have created an NDG and I have added a AAA client to the NDG.
    Then I created the same users on ACS 4.1 that exist on LMS 4.x. But when I try to log in on LMS 4.x, I can NOT log in!
    Please advise if I'm missing something!

    Yes! the Tacacs+ mode is successfully performed! But I can not login.......

  • ANM device importing and config sync - user name authenticatiing via ACS

    Good day,
    We have the following issue:
    Switches and ACE modules were imported into ANM 3.2. Additional modules were added and we tried to import them. This failed. We tried to sync and received the following message for the Admin context:
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    All other contexts also fail to sync.
    Thought this may be due to the fact that the user ID used for import is an AD account which authenticates via ACS to AD, and this has expired and changed since the original import. Deleted the chassis and re-imported with the same user ID and new password, and all works fine.
    Have checked the links below; however, I don't believe these will resolve the issue:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1094120
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1393377
    I believe this is occurring due to the fact that we are authenticating via ACS to AD for all devices (switches and ACE modules) as well as ANM.
    So is the only solution here to create a static user account in ACS and add it to the relevant NDGs for switches and ACE modules?
    Also would we have to have the password never expire as I don't see a way to change/configure this password within ANM apart from when the devices are initially imported?
    Any input would be greatly appreciated.
    Thanking you in advance.
    Paul

    Dears
    Kindly help: when I'm trying to import an ACE module I get the following message.
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    Does anybody have a resolution for this error?
    BR

  • How can I authenticate a User In Windows Active Directory?

    I need to authenticate a user in Windows Active Directory, but I found that the code below returns true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which does not exist in Active Directory with a blank password, it also returns true. What shall I do? Require every user to input a password that is not blank?
    Please give me some help to solve this problem. Thanks a lot.
    Code:
    import java.util.Hashtable;
    import javax.naming.AuthenticationException;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.InitialDirContext;

    private Context ctx = null;

    // Binds to Active Directory as name@domain with the supplied password.
    // Returns true when the bind succeeds and false on AuthenticationException;
    // any other NamingException is rethrown to the caller.
    // setEnvironmentProperties(), freeContext() and AuthenticateResources are
    // helpers from the poster's own class and are not shown here.
    public boolean authenticate(String name, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        boolean isValid = false;
        try {
            this.setEnvironmentProperties();
            String domainName = AuthenticateResources.getString("mydomain.com");
            // set the name of the domain with the user name
            String fullName = name + "@" + domainName;
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://mydomain:389");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            // set user related information
            env.put(Context.SECURITY_PRINCIPAL, fullName);
            // set user password
            env.put(Context.SECURITY_CREDENTIALS, password);
            // validate user. Note: a simple bind with a name and an EMPTY password is
            // an "unauthenticated" bind (RFC 4513 section 5.1.2), which the server may
            // accept as an anonymous bind; that is why this succeeds for any name when
            // the password is blank, which is the behaviour described in the question.
            ctx = new InitialDirContext(env);
            isValid = true;
        } catch (AuthenticationException ex) {
            isValid = false;
        } catch (NamingException ex) {
            throw ex;
        } finally {
            this.freeContext();
        }
        // return after the finally block, not inside it, so a rethrown
        // NamingException is not silently swallowed
        return isValid;
    }

    This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
    I think by default Active Directory disables Anonymous Binding, but you may want to check.

  • ACS cannot Authenticate Aironet Users against External DB (LDAP)

    ACS cannot authenticate Aironet users against an external DB (LDAP).
    Can anyone point me to a technical explanation of why this is true?
    All I have found so far is one small note in a help file and something that might be related under EAP-FAST explanation.
    I have posed this question to our Cisco account team but no response yet.
    Just need to have a good explanation when explaining to mgmt why we need to have a special setup for WLAN users.

    Hmmm....you should be getting more than that from debug radius and debug aaa authen if your AP is truly attempting EAP authentication. The debugs I generally use for this are 'debug aaa authen', 'debug radius', and 'debug dot11 aaa dot1x all', coupled with gathering the detailed support logs from ACS. A warning about 'debug dot11 aaa dot1x all'....it is VERY verbose and cryptic if you don't have a lot of experience looking at it, so it may be best to open up a TAC case. With these debugs turned on, you should see an EAPOL logon show up from the client (usually says 'received EAPOL packet...') and then a request for identity from the switch and a response from the client with a username and password. Then a series of RADIUS challenge/response packets will be passed, which consists of the server cert being passed to the client for validation and then the client sending the username and password to the server. Then you will finally get an access-reject or access-accept packet from the RADIUS server. The failed and passed attempts logs in ACS can also provide good info as to what the source of the failure may be. Do you get any passed or failed attempts for these authentications?
