Cisco ACS 4.2 + Active directory + peap

Hello guys!
We have ACS 4.2 SE + Remote Agent, which is located on our DC. A WLAN with WPA+WPA2 [802.1x auth] has been configured and all is working perfectly: domain users trying to connect get a user\pass prompt, after which auth is successful and wireless access is granted. But it's a bit complicated with non-domain users: when they try to connect to this network they get a Windows security alert because machine authentication has not passed (the PC is not in the domain, so ACS can't auth these users). So, if I enable machine authentication under the external Windows database setting, ACS successfully authenticates the station but won't prompt for user\password. How can we enable prompting for user\pass while still maintaining machine auth?
Thank you!

I have a scenario for you in active directory when two passwords may be valid:
Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
User1 decides to call the helpdesk and changes his password to "456".
The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be valid.
If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • Integration Of Cisco ACS and MS Active Directory !!!

    Hi all,
    We have a Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
    Thanks for your help
    Regards!!!
    Rafael Turriago

    Hi,
    If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
    The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
    The Remote Agent is the application responsible to exchange data with the DCs.
    You can find detailed information in the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco ISE 1.3 Active Directory issue

    Hi Folks
    I am having an issue with our Cisco ISE and would love some feedback or a solution. I have to ISE configured to use our Active Directory setup and so far it appears to be functional. I could connect to AD retrieve groups and use AD for authentication. The issue I am experiencing is that when I try to go to the 'Administration >  Identity Management > External Sources page and select our AD instance from the left hand side window the screen locks up and refuses to load.  Any advice?

    hi
    I also had this issue (and one of my colleagues also) when using Firefox (version 34 and 35).
    I managed to create the AD server using IE 10 for example, and after that it appears correctly with Firefox.
    It was before ISE 1.3 patch 1, but I have seen no corrected issue in the patch 1 release notes for this problem.
    guillaume

  • Join acs express to active directory domain

    i have a problem joining acs express active directory domain , both are reachable to each other in the same subnet & no firewalls between them , but when i test the connectivity it gives this error:
    " required service unavailable. DNS is setup correctly , and the domain controller is reachable , however , one of the required services, such as ldap,kerberos, or global catalog service is not available. This issue may arise if there is a firewall between AD domain controller, and the ACS Express appliance"

    It sounds like bug CSCsw29387, "Join AD domain, with one DC down fails". If the ACS Express is trying to join an AD domain in a multi domain controller environment and one of the domain controllers is down, the ACS Express will fail to join the domain.

  • Cisco ACS 5.3, Active Sessions are over limit e-mail alert.

    I have recently enabled the SMTP alert function in ACS 5.3. It seems to work well for most of the alerts. One thing though, the active sessions are over limit warning that comes up every so often. I know it is not impacting operations and it is ACS's way of clearing out sessions that had no accounting stop, but how do I disable this alert from being sent by e-mail from ACS 5.3??? I do not see it anywhere.

    Hi, Thanks for the response. Unfortunately it does not solve my issue. Following the directions causes all logging to stop in the real time logs. There is no username coming through for these phantom authentication requests that I can create a filter or access request for. Is it possible to get more details???
    The issue is that there is nothing in the realtime logs for this on on the General tab that an alert has been triggered and therefore an e-mail for the alert. I was looking to see how I can disable the alert itself. There does not appear to be any dummy account these authentications are using to trigger this alarm in the logs I can see.

  • ACS SHAREPOINT AZURE ACTIVE DIRECTORY

    Hi, 
    I am trying to get this scenario working, I have a Sharepoint front end and a service webapi backend, I have my web API protected using AAD as IDP. And because Sharepoint only supports SAML 1.1 I had to use ACS to be the federation provider as ACS gives SAML1.1.
    Now my question is how can I get a JWT token to access my backend from Sharepoint which has access to the SAML1.1 token which it got when user initially authenticated himself. 
    Any help will be really appreciated as I have been stuck on this for 4 days or so.
    Thanks,
    Bala

    Looks like it is working fine. Steps: 1) User redirected to ACS when logs into sharepoint configured with ACS as the provider. 2) Chooses AAD as the IDP. 3) Logs into AAD, gets redirected back to ACS and gets the SAML 1.1 token. 4) Now when I redirect my browser from inside sharepoint to AAD requesting a token for the user requesting an Authorization code I get it from AAD.
    Here the bit I think why it does work is my browser has the cookies that have fedAuth cookies which AAD had issued in the first place. Can someone confirm that it is actually the case. For now I think it is working this way for me.
    Bala

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X, we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible please??
    Many thanks

    Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so if the user is not found you can move to the next store and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers on where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the vlan based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • Cisco CSC SSM to Active directory integration issue

    Hi,
    I have configured ASA CSC SSM module for AD integration for user based access control. The domain controller Agent has been installed in AD server. But the Agent is not able to communicate to CSC module. There are errors getting generated in AD and CSC.
    There are no network layer issues between AD server and CSC. All the firewalls have been turned off. I suspect some configuration changes need to be done on AD or with the Agent installation file. I have followed the configuration steps recommended by Cisco in configuring AD server and CSC module. I have attached the Log files.
    Please suggest solution for this issue. Thank you.
    With Regards,
    Madhan kumar G.

    Hi,
    Below are the suggestions from TAC engineer, which rectified issue in my case. Hope this helps your scenario.
    Verify the following:
    1. The client machines should be part of the windows domain
    2. File Sharing should be enabled on the client machine
    3. "Remote Registry" Service should be enabled
    4. On the windows firewall, select "Windows Management Instrumentation (WMI)" as exception program to allow inbound WMI calls. Also, make sure the "File and Printer Sharing" is part of the exception list.
    5. The client is able to ping the Agent and the Domain Controllers.

  • LEAP - ACS Authen. against active directory for users of another domain

    We installed ACS 3.0 on W2000 server, member of a domain. When we tried to authenticate users from another domain, it failed.
    We managed to find out the problem. First, the server tries to find the PDC of the other domain (DNS request: _ldap._tcp.pdc._msdcs.domain). The DNS server answers with the full name and IP address. But afterwards, instead of using the DNS answer, the server makes a new request with the PDC name and appending its own domain. The DNS request fails, and the user is not authenticated. A workaround consists in changing the DNS search-list for the server, but I'm interested if anyone had a better solution, or if the new release (ACS 3.1) solves this issue.

    Your case looks similar to this bug CSCdy18833; the bug has a workaround also, check it out.

  • CiscoSecure ACS 3.3 and MS Active Directory ?

    We just got and installed CiscoSecure ACS 3.3 on a domain controller for our MS active directory domain.
    ACS seems to work with AD in the sense that it uses the usernames and passwords contained in AD for users. However I noticed it does not seem to populate ACS with the users, instead you have to go in to ACS and add each user with the username from AD, and then just tell it to use the windows database for password authentication.
    Is this correct or am I missing something in my setup that is preventing users from being populated in ACS?
    Also, can you not use AD groups for ACS permissions? For example one of the things we are doing is defining certain groups for access to routers, switches and firewall commands. I have been able to do this manually in ACS by defining a group and setting the permissions as well as the command authorization set. However it does not seem very practical to have to go in manually to ACS to add a user to an ACS group. I thought since ACS works with active directory it would also use AD groups. So we could assign a user to a group in AD and it would then utilize the defined ACS permissions for that group.

    I think you are a victim of the AD Aware as opposed to AD Integrated. CiscoSecure is AD Aware, it can use the AD database for Password authentication (a very simple implementation of single sign-on). But the local database is used for everything else. From my point of view this is a good thing.
    If the AD Admin, Network Admin and Security officer are all the same person, then I agree with you.
    From your message you seem to be using ACS to secure your Cisco devices (routers/switches), I would not want people who manage AD to be able to give network device access to anyone they choose. Nor do I trust AD admins to understand network security. Normally the network people are a very small subset of the IT organization, so this should not be a big problem. Also, the real component that you are using to secure the devices is TACACS+ (hopefully) or RADIUS because the devices are not AD Aware themselves.
    If you need for every user that is in AD to be a user in ACS, there is import/export support for both for initial setup, after that it is up to you to keep the databases synchronized. You can do this with routine import/exports, but I advise against it.
    If you are using ACS to manage a Dial or IPSec environment, I agree this is a pain, but do you really want everyone to be able to dial-in or VPN into your network without coming to you for access? Don't you want to be able to disable/expire people's access for devices and remote access without calling the AD admin?
    For the kind of things you want, you need an AD Integrated product like Exchange or you can try some of the vendors listed at http://www.microsoft.com/windows2000/partners/adall.asp
    FYI - This is my understanding of the product, I'm sure there are a lot of people out there that know more than me, so feel free to correct me.

  • Cannot Retrieve Active Directory Groups

    Hi All
    I recently connected my ACS deployment to Active Directory 2003. However when I try to add the active directory groups for group mapping, i.e. navigating to Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups Tab and click select.
    My GUI on IE just loops and does not display anything(it does not freeze). On Firefox I receive "The connection was reset" error.
    Any ideas?
    Thanks in Advance

    Do you have the proper AD permissions set for the AD account used to join ACS to the domain?
    Note: AD account required for domain access in ACS should have either of these:
    Add workstations to domain user right in corresponding domain.
    Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is created before joining ACS machine to the domain.
    Thank you for rating helpful posts!

  • How to ACS 5.0.0.21 Express integrate with Active Directory Standard 2003 and authenticate PEAP MSCHAPV2

    Hi:
    My name is Ivan, I have a problem.
    I have an ACS 5.0.0.21 Express, and I have to integrate it with Active Directory (AD) 2003 Standard. I should authenticate the users of the Domain in the LAN with PEAP MSCHAPV2, using the following:
    Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
    I need to know if I should install a certificate in the ACS 5.0.0.21 or install some remote agent in the AD.
    I put in the ACS an external database with the AD, and I already selected the users on the domain in the ACS Express.
    Please could you tell me all the steps to authenticate the users on the Domain using the ACS Express and the Active Directory.
    I would like to know which configuration I have to do in my ACS Express to authenticate using PEAP MSCHAPV2.
    Regards
    Ivan

    See the below URL - multiple config guides on what you want to do:-
    http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    HTH>

  • Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

    Hello,
    Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
    Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:23: TPLUS: processing authentication start request id 444
    Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
    Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:23: T+: user: 
    Oct  6 13:52:23: T+: port:  tty515
    Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    Oct  6 13:52:23: T+: msg:  Username:
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
    Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
    Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:30: T+: User msg: <elided>
    Oct  6 13:52:30: T+: User data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Oct  6 13:52:30: T+: msg:  Password:
    Oct  6 13:52:30: T+: data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
    Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:37: T+: User msg: <elided>
    Oct  6 13:52:37: T+: User data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
    Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
    Oct  6 13:52:37: T+: msg:  Error during authentication
    Oct  6 13:52:37: T+: data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:37: TPLUS: Received Authen status error
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
    Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
    Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
    Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:49: TPLUS: processing authentication start request id 444
    Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
    Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:49: T+: user: 
    Oct  6 13:52:49: T+: port:  tty515
    Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
    Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
    The 1113 acs failed reports shows:
    External DB is not operational
    thanks,
    james

    Hi James,
    We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
    This error means the external server might not be correctly configured in the ACS external database section.
    Another point is to make sure we have remote agent installed on supported windows server.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
    Also provide the Auth logs from the server running remote agent, e.g.:-
    AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
    Attempting Windows authentication for user v-michal
    AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
    authentication FAILED (error 1783L)
    thanks,
    Vinay
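
An added example, not part of the thread above and not Cisco code: a small parser that groups IOS "debug tacacs" lines of the kind James posted by session_id and decodes each AUTHEN/REPLY status with the values from RFC 8907, so a server-side ERROR (status 7, as in his first session) is distinguished from a rejected login. The sample lines, addresses and session ids are constructed for illustration.

```python
import re

# Authentication REPLY status values from RFC 8907 (TACACS+).
AUTHEN_STATUS = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}

SERVER_RE = re.compile(r"TPLUS: (?:Using|Choosing next) server (\S+)")
SESSION_RE = re.compile(r"T\+: session_id (\d+)")
REPLY_RE = re.compile(r"T\+: AUTHEN/REPLY status:(\d+)")
MSG_RE = re.compile(r"T\+: msg:\s*(.*)$")  # does not match "T+: User msg:"

# Constructed sample in the same layout as the debug output in the post.
SAMPLE = """\
Oct  6 13:52:23: TPLUS: Using server 192.0.2.10
Oct  6 13:52:23: T+: session_id 1001 (0x3E9), dlen 26 (0x1A)
Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct  6 13:52:23: T+: session_id 1001 (0x3E9), dlen 16 (0x10)
Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct  6 13:52:23: T+: msg:  Username:
Oct  6 13:52:30: T+: session_id 1001 (0x3E9), dlen 16 (0x10)
Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct  6 13:52:30: T+: msg:  Password:
Oct  6 13:52:37: T+: session_id 1001 (0x3E9), dlen 33 (0x21)
Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct  6 13:52:37: T+: msg:  Error during authentication
Oct  6 13:52:49: TPLUS: Using server 192.0.2.20
Oct  6 13:52:49: T+: session_id 2002 (0x7D2), dlen 16 (0x10)
Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct  6 13:52:49: T+: msg:  Username:
Oct  6 13:52:55: T+: session_id 2002 (0x7D2), dlen 16 (0x10)
Oct  6 13:52:55: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct  6 13:52:55: T+: msg:  Password:
Oct  6 13:53:01: T+: session_id 2002 (0x7D2), dlen 6 (0x6)
Oct  6 13:53:01: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
"""


def verdict(statuses):
    """Turn the ordered list of REPLY statuses into a one-line outcome."""
    if not statuses:
        return "no reply seen"
    last = statuses[-1]
    if last == "PASS":
        return "accepted"
    if last == "FAIL":
        return "rejected by server"
    if last == "ERROR":
        return "server-side error: check the AAA server and its external database"
    return f"incomplete (last status {last})"


def summarize(lines):
    """Group debug lines by session_id; return one summary dict per session."""
    sessions = {}
    server = None   # most recent "Using server" / "Choosing next server"
    current = None  # session the following T+ lines belong to
    for line in lines:
        if (m := SERVER_RE.search(line)):
            server = m.group(1)
        elif (m := SESSION_RE.search(line)):
            sid = int(m.group(1))
            current = sessions.setdefault(sid, {
                "session_id": sid, "server": server,
                "statuses": [], "last_msg": "",
            })
        elif current is None:
            continue
        elif (m := REPLY_RE.search(line)):
            code = int(m.group(1))
            current["statuses"].append(AUTHEN_STATUS.get(code, f"UNKNOWN({code})"))
            current["last_msg"] = ""  # message text belongs to this reply only
        elif (m := MSG_RE.search(line)):
            current["last_msg"] = m.group(1).strip()
    for s in sessions.values():
        s["verdict"] = verdict(s["statuses"])
    return list(sessions.values())


if __name__ == "__main__":
    for s in summarize(SAMPLE.splitlines()):
        print(s["session_id"], s["server"], "->".join(s["statuses"]), "|", s["verdict"])
```
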

  • Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003

    How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Anyone help me with this, thanks.

    You can't actually see the user's membership from ACS. All you can do is create a group mapping under the external database >> group mapping section. This would give you an option to map an external (AD) group with an internal group. The group membership needs to be modified under Active Directory.
    Once the user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it would be mapped with an ACS internal group based on the group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • Cisco ACS 4.2 integration with Active Directory

    Hello,
    I'm new to the administration of ACS; we have recently implemented ACS version 4.2 on a server to manage all user authorization for our network.
    We are in an environment which has an Active Directory, groups and users.
    Now, I'm just able to create a new user in ACS and work with it on the client switch; what I need to do is to integrate my ACS 4.2 with Active Directory, to work with the users and groups that are registered in my AD.
    Can someone help me please?

    You can't actually see the user's membership from ACS. All you can do is create a group mapping under the external database >> group mapping section. This would give you an option to map an external (AD) group with an internal group. The group membership needs to be modified under Active Directory.
    Once the user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it would be mapped with an ACS internal group based on the group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin
