Cisco ACS 5.3 multiple AD domains

Similar Messages

• ACS 4.2 multiple AD domain authentication

  I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log. I think it's an AD issue but i can't know for sure as i'm not a windows guy, any suggestions?

  Hi Jeremy,
  The 2003 box where you have installed ACS, is this server part of both domains which you wanted the users to be autheticated?
  Have you enabled the dial in permission on the ACS as well as per the screenshot below?
  Regards
  Najaf
  Please rate when applicable or helpful !!!

• Cisco ACS 5.4.0.46.6 - Cannot join to domain

  I am not able to join Cisco ACS to domain.  I get the error "wrong domain".  Nslookup resolves the domain correctly.  ACS troubleshoot adcheck shows the below error
  ADGC     : Check Global Catalog servers
                 : There is no GC in site "INGUA"
                 : It is recommended that a GC exist in each site.
  Checked with AD team and they confirm that GC does exist at this site. It is a Windows 2008 R2.  I am able to telnet to the required ports from the ACS console.  Tried applying the latest patch.  Tried re-imaging the ACS server.  Still the issue remains.  Any help appreciated.
  Cisco Application Deployment Engine OS Release: 2.0
  ADE-OS Build Version: 2.0.3.063
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2011 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: ZINGUA6001
  Version information of installed applications
  Cisco ACS VERSION INFORMATION
  Version : 5.4.0.46.6
  Internal Build ID : B.221
  Patches :
  5-4-0-46-6

  Hi Minakshi,
  I perform the update before your post and I test without deregister all server.
  So far, all was good.
  I had no issue and the update tooks me very less time without following the full UPGRADE procedure.
  The command had also a rollback for the update, so I take the risk.
  This is certainly not the case for upgrade but update seems to easier.
  Kind regards.
  Steve

• Domain controller configuration in Cisco ACS 4.2

  Hi all,
  We are having a long pending ticket one of our customer has raised with us.
  Problem is related to cisco ACS version 4.2.
  Customer has raised a concern that while authenticating with the ACS requests are reaching to Secondary domain controller instead of Primary domain controller.
  We do not have the access of the physical server, but our server team have.
  We do have the Gui page access by http://<ACS IP>:2002
  In our ACS external data base is configured with the domain name, there is no IP related information for the Domain controller. I think that can be confiured in physical server. In short, we are having windows server and running ACS software on top of that.
  How can we proove this to the customer that requests for Network device authentication is going to Primary domain controller and not to the secondary domain controller.
  Please help us out. We tried before with Server team and given some command like %logonserver% and was indicating Primary domain controller IP. Is there any other way to prove this.
  Regards,
  Kalpesh Modi

  The  logs receiving is not in proper format .unable to understand the details in logs .Please find the below example
  "Feb 20 12:48:40 ACS0   CSCOacs_Passed_Authentications: 0000412469 3 0 2012-02-20 12:48:40.225 +04:00 0188387558 5200 NOTICE Passed-Authentication: Authentication succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=868, Device IP Address=x.x.x.x, UserName=frad.cole, Protocol=Radius, RequestLatency=24, NetworkDeviceName=dxb-palmj-pop-s93-bds1a, User-Name=frad.cole, NAS-IP-Address=x.x.x.x, NAS-Port=0, Service-Type=Administrative, Framed-Protocol=X.75 Synchronous, Framed-IP-Address=x.x.x.x, Login-IP-Host=x.x.x.x, NAS-Identifier=Dxb-PalmJ-POP-S93-BDS-1A, NAS-Port-Type=-1, NAS-Port-Id=slot=0\;subslot=0\;port=0\;vlanid=0, AcsSessionID=OACS0/109447559/11612656, AuthenticationIdentityStore=AD1, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Radius Rules, SelectedAuthorizationProfiles=JUNIPER-Activation-Ent, SelectedAuthorizationProfiles=Radius-CiscoAVPair-lvl-1, IdentityGroup=IdentityGroup:All Groups:Migrated_Group:Enterprise-Activation, Step=11001 "
  Is there any other setting to get the logs in proper fromat .
  Do we need to change the "Facility Code:Local 6" to some other values .
  Kindly advice .

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Integration Of Cisco ACS and MS Active Directory !!!

  Hi all,
  We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
  Thanks for your help
  Regards!!!
  Rafael Turriago

  Hi,
  If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
  The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
  The Remote Agent is the application responsible to exchange data with the DCs.
  You can find detailed information in the config guide:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• ACS 4.0 to NT Domain with NTLMv2 problem.

  I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
  I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
  In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
  When I run the Authentication test from the VPN setup screen I get a failed request.
  In the CSAuth log I am getting:
  AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
  AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
  With NTLMv2 turned off and running ACS 3.2 this setup is working (My production network) My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
  Does anyone have any advise? thanks!

  Please make sure you read this Field Notice:
  http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
  Note that, despite the Windows URL mentioning only 2003 server, the 2000 server also supports NTLMv2. Therefore, the following scenarios apply:
  - DC on Win 2003 SP1 - don't require any hotfix since it's included in SP1
  - DC on Win 2000 SP4 - don't require any hotfix since it's included in SP4
  - DC on Win 2003 - require hotfix KB893318

• ACS 4.0 TACACS+ - Two Domains

  Hi All,
  Just troubleshooting an issue here...I have two forests....with top level domains...DomainA1 and DomainB1...
  The Cisco ACS is installed on a server inside DomainA1..
  Users like JohnSmith.DomainA1 and JaneSmith.DomainB1 are able to authenticate off the Cisco ACS Server, which in turn passes this to the Windows AD just fine.
  Users within the child domains of DomainB1 fail authentication....so a user like DomainB1.ChildDomain.MarkSmith...
  I've confirmed that we have a trust between the two forests (ie DomainA1 and DomainB1)..
  Does that carry over to the child-domains of the other forest (DomainB1)?
  Do I need a trust between the specific child-domains to the domain that the Cisco ACS server is installed on?

  Based on the bug below, you might need trust between the domains.
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCth47968

• Cisco ACS check for AD

  Hi,
       Is there any way to check that the Users were authenticated by AD through cisco ACS 4.2, I have deploy the Cisco ACS 4.2 with WLC 5500, now i have to check whether the user are authenticated by ACS or AD kindly guide me how i check it.
  all users were connected and authenticated having domain user.
  i am confuse whether ACS authenticate users from internal database or from AD.
  Kindly help me..... ill b very thankful to you.....
  M.Bilal Iqbal

  Ok if you have a user set up in ACS in a group and it is marked "windows" its getting sent to AD to get authenticated. Did you check your pass logs ? There is a field called database. This should show you if the user is ACS or AD. If its AD it will have the name of your domain (that was set up in ACS).

• Limitations of Cisco ACS server

  I want to ask about limitations of Cisco ACS server 3.3 .
  I use ACS server for Radius authentication, and has a limit 80 authentications per second. But at peak time i need 150-200 authentications per second. Is this a software limitaion or changed due to hardware performance?
  Can i also solve this problem with a High Availability configuration.

  Hi
  ACS performance is a very complex issue and depends largely on
  1) auth protocol (anything eap is SLOW)
  2) backend (anything external is SLOW)
  3) server CPU
  We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
  AD authentication/group mapping can take several seconds to complete.
  ACSs big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSauth. Messages to CSauth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
  EAP-TLS and now EAP-FAST are really really slow becase they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
  Putting ACS onto a quad CPU server wont reduce back-end external db latency or increase concurrency.
  The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
  IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
  Darran

• Cisco ACS 5.4 Eval on Vmware Workstation demo

  I have a project to review CISCO ACS v5.4 for my client, not having a real ESxi server i opted using workstation.
  I have the vm built using 150gb file and am able to run the setup for domain and ip addressing as well as firewall settings and services.
  using a c2811 for ntp source and routing to other laptops in my lab.
  I am unable to web into the acs server to access anything
  Can someone please point me in the right direction on what I am missing besides an actual ESXi server.
  Regards,

  Followed this thread and I think i have it, its in process and hopefully i can get it going.
  https://supportforums.cisco.com/message/3714114#3714114

• Cisco ACS 1121 version 5.3 - Logging

  Hi There
  I'm new to Cisco ACS 5.X. From what I have read, the Cisco ACS can act as a Logging Server. Does this mean, all the syslog messages from all the other ACS and network devices can be stored by ACS? I'm a bit confused on this part.
  Lastly, I understand that Cisco ACS has many or maybe 2 instances? When do we use these instance? What is this instance?
  Regards,
  Ram

  In the distributed deployment, you should specify one acs server as the Logcollector. All other servers send logs to the Logcollecter.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/logging.html
  In distributed deployment, each acs server is one instance. So you have one primary instance and multiple secondary instances.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/introd.html#wp1058054
  Sent from Cisco Technical Support iPad App

• ACS Mapping Group @ Trust-Tree (Domain Trust)

  Dears,
  Could ACS mapping group @ AD Domain trust??
  I install abc.com / qqq.com and trust other!
  My ACS install in abc.com domain, but I cannot get qqq.com user information?
  ^ ^
  消息编辑者为：mr.marslin

  The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4f.html#wp712817

• LDAP supporting multiple DNS domains

  I have an environment with multiple DNS domains, and am configuring a Directory server (DS 6.3.1) to centralize various OS configuration maps including user authentication. None of the DNS domains have unique data, so I'd like to do something like storing all the real data in one suffix, then somehow have all clients look to that primary suffix. I am aware that the Solaris Native LDAP client wants to bind to a nisDomainObject that matches its DNS domain. I'm just having a hard time believing that I really need to manage all those individual suffixes when they don't have unique data requirements.
  Take as an example the following domains to be supported: foo.example.com, bar.example.com, dev.example.com, qa.example.com, prd.example.com (no hosts are actually in "example.com", they are all in subdomains). Again, all share common configuration data, same user IDs, etc - no unique maps are required.
  I created a suffix, "dc=example, dc=com", set it up with idsconfig. All is well there.
  [A] My first thought is to bind all Solaris clients, regardless of their DNS domain, to the baseDN of "dc=example, dc=com" in order to avoid having a separate suffix for each DNS domain. I tried to do this using "-a defaultSearchPath=dc=example,dc=com" with ldapclient init, but it failed with an error indicating it wants to see the nisDomainObject of its real DNS domain.
  The second though I had, which I don't believe is possible, is to find some sort of a LDAP equivalent of a symbolic link so that I could actually have an object for each DNS domain, but it would simply point back to "dc=example,dc=com". I can't find anything in the documentation which suggests this is possible, but I'd love to be wrong!
  [C] Perhaps this could be somehow done with a rats nest of SSDs, but that really seems unwieldy, right? I plan on using a fair amount of the available objects, so it would be many SSDs per suffix. Yuck.
  Can anyone comment on my above thoughts, or provide how they would go about supporting multiple DNS domains that have common configuration data?
  Thank you,
  Chris

  Ok, I answered my own question. Turns out it's pretty easy. Just use the "-a domainName=example.com" option with `ldapclient` then make sure that the FQDN of the LDAP server is available (or use its IP address). My problem was that the ldapclient overwriting nsswotch.conf was clobbering the SSL session because I used the FQDN which couldn't resolve.
  This leaves an interesting condition of having the output of "domainname" not match the DNS domain. I'm testing now to see if this causes any unexpected issues with our environmnet, but I suspect it's not a problem.

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login