Integrating Windows AD with Cisco ACS

Hi all, I am looking for the requirements and any documents on setting up ACS with Windows AD for user authentication.
I am basically testing this.
I have a Cisco switch, an ACS server 4.1, a Windows XP host and a Windows 2003 server.
Can someone please tell me the procedure for this on the ACS and on the AD?
Any help would be appreciated.
Regards,
Sushil

Hi, thanks for the link.
But can you tell me: when installing the ACS, where it asks you to select the database (the ACS only, or the Windows database), should we select the Windows database?
So when we are configuring the ACS for 802.1x authentication and authorisation,
we should create the users as they are in the AD, right? But the password check for them should be redirected to the AD, right?
Can you please guide me on this.
Regards,
Sushil

Similar Messages

  • Cisco Aironet 1130g and Windows 2003 with Cisco ACS

    Hi,
    I have configured a Windows 2003 server with DNS, Active Directory users and a DHCP server, and configured my Cisco 1130g AP.
    I have installed Cisco Access Control Server 4.0 because I use the LEAP authentication protocol, and in the ACS network configuration I gave the AAA client IP address as the AP interface IP and the same shared secret on the AP and the ACS.
    So when I log on to the Wi-Fi it asks for a username and password.
    The problem is that the laptop cannot get an IP address; my DHCP server does not issue any IP address.
    My HyperTerminal message is like this when I connect to the Wi-Fi:
    Help... thank you...

    As I have mentioned several times already, it is the client and the ACS which do the PEAP. The access point doesn't have to be configured for an EAP type. What you did on the AP was set the AP up as a RADIUS server, which duplicates what you did on the ACS.
    So you need to configure either PEAP or LEAP on your client.
    Nicolas

  • Issue with Cisco ACS 4.2: users unable to log in to AAA client, but after restarting group policy they are able to log in

  • Windows Update for Cisco ACS appliance

    Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?

    If the patch is necessary on the ACS appliance then they will be releasing it soon.
    As of now we can't apply any Windows patch on the appliance.

  • Integrated Windows Authentication with a WebSphere Client

    Hi all,
    I need to write a web service client that connects to a .NET web service that is configured to use Integrated Windows Authentication (NTLM).
    I'm using the IBM WebSphere runtime environment for the client and the web service client wizard in RSD 6.0.1.
    When I try to call a method in the .NET web service, I get the error shown below. If I configure the .NET web service to permit Anonymous Access, my client works fine.
    Does anybody know if the WebSphere web services engine supports Integrated Windows Authentication? If so, how can I configure my client to pass my credentials? Do people use this type of authentication if the web service will be called by non-Windows clients, or is it better to use Basic Authentication with HTTPS or digital certificates?
    I've read that Apache Axis can be configured to use Integrated Windows Authentication (http://people.etango.com/~markm/archives/2005/11/21/using_apache_axis_with_integrated_windows_security.html) by using a different HTTP transport class (CommonsHTTPSender).
    Thanks in advance!
    Craig
    [14/06/06 10:06:56:805 GMT-03:00] 00000031 enterprise I WSWS3243I: Info: Mapping Exception to WebServicesFault.
    [14/06/06 10:06:56:821 GMT-03:00] 00000031 enterprise I TRAS0014I: The following exception was logged WebServicesFault
    faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
    faultString: java.lang.StringIndexOutOfBoundsException
    faultActor: null
    faultDetail:
    java.lang.StringIndexOutOfBoundsException
         at com.ibm.ws.webservices.engine.WebServicesFault.makeFault(WebServicesFault.java:179)
         at com.ibm.ws.webservices.engine.transport.http.HTTPSender.invoke(HTTPSender.java:490)
         at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:218)
         at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:218)
         at com.ibm.ws.webservices.engine.WebServicesEngine.invoke(WebServicesEngine.java:274)
         at com.ibm.ws.webservices.engine.client.Connection.invokeEngine

    Here's a project (http://spnego.sourceforge.net/protected_soap_service.html) that shows how to write a SOAP client that can connect to a SOAP web service with Integrated Windows Authentication turned on.

  • Unable to integrate WLC with Cisco ACS

    Hi,
    I am not able to integrate Cisco TACACS+ with the WLC.
    Below are the logs from the Juniper firewall.
    WLC IP: 10.210.126.133
    Cisco ACS: 10.116.45.131

    Date/Time            Source Address/Port   Destination Address/Port  Translated Source Address/Port  Translated Destination Address/Port  Service      Duration  Bytes Sent  Bytes Received  Close Reason
    2013-11-04 16:31:03  10.210.126.133:49098  10.116.45.131:49          10.210.126.133:49098            10.116.45.131:49                     TCP PORT 49  2 sec.    591         428             Close - TCP FIN
    2013-11-04 16:31:03  10.210.126.133:51759  10.116.45.131:49          10.210.126.133:51759            10.116.45.131:49                     TCP PORT 49  2 sec.    525         326             Close - TCP FIN
    2013-11-04 16:31:09  10.210.126.133:51759  10.116.45.131:49          10.210.126.133:51759            10.116.45.131:49                     TCP PORT 49  9 sec.    475         238             Close - TCP FIN
    2013-11-04 16:31:09  10.210.126.133:49098  10.116.45.131:49          10.210.126.133:49098            10.116.45.131:49                     TCP PORT 49  9 sec.    519         318             Close - TCP FIN

    Please suggest whether any changes need to be done at either end.

    Cisco ACS server log entry:
    11/04/2013 16:31:01 | Author failed | ads.shalder | DCN-BANG2&BANG5-RW | 127.0.0.1 | Service denied | service=ciscowlc protocol=common | 10.210.126.133 | ads.shalder | No | 1 | 10.210.126.133

    Please suggest further.
    Br/Subhojit

    Hi,
    We are getting this error in the WLC side debug:
    (Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
    *tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
    *tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
    *tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
    *tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
    *tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
    *tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
    *tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
    *tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
    *tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
    WLC hardware is: AIR-CT2504-K9V01
    Br/Subhojit
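    The three logs above (Juniper firewall sessions, the ACS "Author failed" record and the WLC tplus debug) already say where the fault is when read together: TCP/49 sessions open, carry bytes both ways and close with FIN, the WLC reaches tplus_authen_passed, and only the authorization step returns status=16. The following is an added example, not code from the thread or from Cisco, that encodes that reading as a small triage script. The status-code table is from RFC 8907 (TACACS+), where authorization status 16 (0x10) is TAC_PLUS_AUTHOR_STATUS_FAIL; the log lines in the script are constructed copies of the ones posted. One caveat that is not from this thread but from Cisco's WLC TACACS+ documentation: the WLC asks the server for the custom service ciscowlc with protocol common, and the user's ACS group has to have that service enabled (with role attributes such as role1=ALL) before authorization will pass.

```python
"""Triage a WLC -> ACS TACACS+ failure from firewall, ACS and WLC debug lines (added example)."""
import re

# RFC 8907 section 6.2: authorization reply status. The WLC prints it in decimal (16 == 0x10).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

# Constructed sample input: the same values as the thread, one record per line.
FIREWALL_LOG = [
    "2013-11-04 16:31:03 10.210.126.133:49098 10.116.45.131:49 10.210.126.133:49098 10.116.45.131:49 TCP PORT 49 2 sec. 591 428 Close - TCP FIN",
    "2013-11-04 16:31:03 10.210.126.133:51759 10.116.45.131:49 10.210.126.133:51759 10.116.45.131:49 TCP PORT 49 2 sec. 525 326 Close - TCP FIN",
    "2013-11-04 16:31:09 10.210.126.133:51759 10.116.45.131:49 10.210.126.133:51759 10.116.45.131:49 TCP PORT 49 9 sec. 475 238 Close - TCP FIN",
]
WLC_DEBUG = [
    "*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49",
    "*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS",
    "*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0",
    "*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0",
    "*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16",
]
ACS_ENTRY = ("11/04/2013 16:31:01 Author failed ads.shalder DCN-BANG2&BANG5-RW 127.0.0.1 "
             "Service denied service=ciscowlc protocol=common 10.210.126.133")

FW_RE = re.compile(r"^\S+ \S+ (\S+):(\d+) (\S+):(\d+) .*? (\d+) sec\. (\d+) (\d+) Close - (.+)$")
AUTHOR_RE = re.compile(r"author response body: status=(\d+)")
AUTHEN_RE = re.compile(r"TPLUS_AUTHEN_STATUS_(\w+)")
ACS_RE = re.compile(r"Author failed (\S+) (\S+) .*?(Service denied) service=(\S+) protocol=(\S+)")


def transport_ok(fw_lines, acs_ip, port=49):
    """True when some TCP/49 session to the ACS carried bytes both ways and closed with FIN:
    the firewall is passing TACACS+, so the failure must be inside the protocol exchange."""
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue
        _src, _sport, dst, dport, _dur, sent, recv, reason = m.groups()
        if dst == acs_ip and int(dport) == port and int(sent) > 0 and int(recv) > 0 and "FIN" in reason:
            return True
    return False


def wlc_outcome(debug_lines):
    """Authentication versus authorization result as the WLC saw it."""
    steps = [m.group(1) for line in debug_lines for m in [AUTHEN_RE.search(line)] if m]
    authen_passed = any("tplus_authen_passed" in line for line in debug_lines)
    author = None
    for line in debug_lines:
        m = AUTHOR_RE.search(line)
        if m:
            code = int(m.group(1))
            author = AUTHOR_STATUS.get(code, f"UNKNOWN({code})")
    return {"authen_steps": steps,
            "authentication": "passed" if authen_passed else "not passed",
            "authorization": author}


def acs_reason(entry):
    """User, group and the denied service/protocol from the ACS 'Author failed' record."""
    m = ACS_RE.search(entry)
    if not m:
        return None
    user, group, failure, service, protocol = m.groups()
    return {"user": user, "group": group, "failure": failure, "service": service, "protocol": protocol}


def triage(fw_lines, debug_lines, acs_entry, acs_ip):
    """Combine the three sources into one verdict."""
    r = {"transport": "ok" if transport_ok(fw_lines, acs_ip) else "blocked"}
    r.update(wlc_outcome(debug_lines))
    r["acs"] = acs_reason(acs_entry)
    if (r["transport"] == "ok" and r["authentication"] == "passed"
            and r["authorization"] == "FAIL" and r["acs"]):
        r["verdict"] = (f"credentials accepted; ACS group {r['acs']['group']} is not allowed the "
                        f"TACACS+ service {r['acs']['service']}/{r['acs']['protocol']}; fix on the ACS side")
    else:
        r["verdict"] = "inconclusive"
    return r


if __name__ == "__main__":
    for key, value in triage(FIREWALL_LOG, WLC_DEBUG, ACS_ENTRY, "10.116.45.131").items():
        print(f"{key}: {value}")
```

    The firewall check matters because a blocked TCP/49 would show zero bytes received or a timeout close rather than FIN, and that would point at the Juniper rather than the ACS; here nothing needs to change on the firewall or the WLC.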

  • Connecting to a Windows Network with Cisco AnyConnect

    Okay, so I am beyond stumped here and hope you can help. I am able to connect to my company's VPN using Cisco AnyConnect with no problem. The network admin can see me in, and I can even access web-based resources. My problem comes when I try to ping the domain controller and our DNS server and cannot. In addition, when I go to use RDC to connect to our terminal server, no love.
    Now for the very weird part. When I do a traceroute to the TS server by name I am getting DNS resolution. So it appears that I am able to hit the DNS server, but not able to ping it for some reason. I have tried everything I can think of short of binding my computer to the network. Any ideas are very welcome!
    Thank you all in advance,
    Mike

    I am assuming that the Windows PCs and the Mac appear on the same subnet of your local LAN?
    If the PCs are having difficulty finding the Mac and the Mac has a static IP, I would add that listing to your local "hosts" file; the entry would go below your local IP found in that file, such as:
    127.0.0.1
    192.168.1.5 maciscool (where maciscool = the NetBIOS name you entered in the Advanced section of Network under WINS, and/or under "Sharing" in the top box entitled "Computer Name:"; if it doesn't work with maciscool.local, try removing the ".local" from the computer name). Older versions of Windows had difficulty with upper/lower case machine names; if it is currently lower case, make it UPPERCASE.
    The local hosts file used to be found under c:\windows\system32\drivers\etc; I have no idea where they hid it under Vista, but probably the same place.
    Windows should search the local "hosts" file before going to WINS, before going to DNS. Since you most likely don't have a Windows domain with a WINS server it won't look there, and of course it won't find computers on your local LAN via DNS, so by adding those to your local hosts file it acts as a mini DNS server to resolve machine names and addresses.

  • EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

    Hi Guys,
    Whilst I'm well aware of the limitations of the built-in Windows wireless 802.1x supplicant, is there a way, using the NAM client, to authenticate both a computer and a user simultaneously when authenticating to wireless networks?
    As has been posted many times before on this forum, this isn't possible because Windows does not authenticate with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-FAST and 'EAP Chaining'.
    Can anyone validate that this is possible? I have the design guide for exactly this for Cisco ISE but I need it to work on ACS (5.x).
    Thanks in advance.
    SteveH

    Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
    So, try rebooting ACS if you haven't already and see if that resolves the error.

  • Integrating Microsoft NAP with Cisco ASA

    Hello everyone,
    I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in Terms of VPN Enforcement). Does anybody know some helpful documents? Is an ACS Server/Appliance necessary?
    Thanks in advance and kind regards

    Hello Jatin,
    thanks for your reply.
    Microsoft states that authentication via PEAP is necessary for NAP to work:
    "One security feature of PEAP is the transmission of Statement of Health (SoH) messages."
    (see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)
    However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742
    Is that true?

  • 802.1x with Alcatel phone with Cisco ACS 5.0

    Hi all, has anyone done an implementation of 802.1x with an Alcatel phone where the PC is behind the phone and the Cisco switch ports are configured as trunks? The trunk native VLAN is the data VLAN for the PC and the trunk carries the voice VLAN.
    When trunk mode is enabled I cannot configure 802.1x on the trunk interface. Can anyone help me get out of this situation?
    Thanks

    Hi,
    Did you find any solution? Did you try the command switchport voice vlan?
    Regards,
    Mauricio
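    Mauricio's hint is the usual answer to the trunk problem: IOS will not enable 802.1X on a trunk port, so the phone-plus-PC port is built as an access port whose voice VLAN is delivered to the phone tagged, and the port runs in multi-domain host mode so that one device in the voice domain and one in the data domain can each authenticate. The following is an added example, not code from the thread or from Cisco, that checks interface stanzas for those prerequisites. The commands it looks for (switchport voice vlan, authentication port-control auto, authentication host-mode multi-domain, dot1x pae authenticator, and the older dot1x port-control auto / dot1x host-mode multi-domain forms) are standard Cisco IOS commands assumed here; the sample configuration is constructed, with Gi1/0/1 modelled on the trunk port described in the post.

```python
"""Lint IOS interface stanzas for phone-behind-PC 802.1X prerequisites (added example)."""

# Constructed sample: Gi1/0/1 is the trunk port from the post, Gi1/0/2 the reworked version,
# Gi1/0/3 an access port that enforces 802.1X but was left in the default single-host mode.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Alcatel phone + PC, trunk as posted
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Alcatel phone + PC, access port with voice VLAN
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 authentication host-mode multi-domain
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 description phone + PC, but host-mode left at default
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication port-control auto
 dot1x pae authenticator
!
"""


def interfaces(config):
    """Split running-config text into {interface name: [sub-commands]}."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = []
        elif current is not None and line.startswith(" "):
            result[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return result


def dot1x_findings(cmds):
    """Reasons this port cannot authenticate both a phone and the PC behind it."""
    def has(*prefixes):
        return any(c.startswith(p) for c in cmds for p in prefixes)

    findings = []
    if has("switchport mode trunk"):
        findings.append("trunk mode: IOS refuses 802.1X on a trunk; use 'switchport mode access'")
    if not has("switchport voice vlan"):
        findings.append("no 'switchport voice vlan': phone and PC cannot be placed in separate domains")
    if not has("authentication port-control auto", "dot1x port-control auto"):
        findings.append("port-control is not 'auto': 802.1X is not enforced on this port")
    if not has("authentication host-mode multi-domain", "dot1x host-mode multi-domain"):
        findings.append("host-mode is not multi-domain: only one MAC (phone or PC) can authenticate")
    if not has("dot1x pae authenticator"):
        findings.append("missing 'dot1x pae authenticator': the port does not act as authenticator")
    return findings


def audit(config):
    """{interface: [findings]}; an empty list means the port is ready for phone + PC."""
    return {name: dot1x_findings(cmds) for name, cmds in interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

    The host-mode check is the one most often missed: in the default single-host mode the first MAC to authenticate (usually the phone, via CDP/LLDP-MED on the voice VLAN) owns the port and the PC behind it then triggers a security violation, which looks very much like the "cannot configure 802.1x" symptom once the trunk has been converted.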

  • Integration of SMS with Cisco LMS 3.2

    Hi,
    I need assistance to confirm whether SMS alerts can be integrated with LMS 3.2. If yes, could you please walk me through the process?
    Rgds.....Navinder

    No.
    Trap, email and syslog are possible from DFM for DFM alerts.
    Mail and script are possible from the RME syslog handler.
    It is easy to create an SMS mail gateway though.
    Open-source software that can send SMS via a GSM device connected to a PC is also easy to find, e.g. gnokii.
    Cheers,
    Michel

  • RDC to Windows 7 with Cisco Anyconnect Secure Mobility Client

    Hi
    RDC works perfectly as long as I don't start a VPN connection. When I do, RDC is closed down.
    Anyone with ideas to fix this?
    Rgds

    Hi,
    Are you trying to remote connect with the IP address or the hostname?
    Please try the alternative way and see the result. It may be that there are some blocking settings applied during the VPN connection. Is the firewall properly configured with the required port enabled during the VPN connection? Please check the related configuration and other settings with the article below.
    http://windows.microsoft.com/en-in/windows7/why-can-t-i-connect-using-remote-desktop-connection
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Integrated Windows Authentication with Oracle Access Manager 10g

    Hi SSO guys,
    Our project requirement is as follows:
    We have two applications, Ebiz 11.5.10.2 and OBIEE 10g, and we are supposed to integrate IWA for both applications.
    As per the note below, OAM integration with IWA only works for applications using IIS.
    So can we protect both applications in OAM 10g and point those applications to two HTML pages, say http://IIS hostname/ebiz and http://IIS hostname/OBIEE, and protect those two resources in OAM using the IIS web server?
    As per the note :
    Doc ID 1072204.1 specify
    Excerpt from this doc:
    #-begin-
    OAM accomplishes IWA by using an OAM Webgate on the IIS Web Server that uses a hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization. Behind the scenes, the IIS WebGate utilizes the UseIISBuiltinAuthentication parameter, by default, this value is false. IWA can only be achieved when this attribute is set to true on an IIS WebGate. This is not a valid parameter for any other OAM WebGate.
    #-end-

    It should be this way:
    Ebiz:
    1. Integrate OAM with OASSO
    2. Register OASSO and OID with Ebiz11.5.10.2
    3. Protect the resource in OAM
    4. Verify if authentication is successful for this resource.
    Obiee:
    1. Integrate OBIEE with OAM
    2. Verify if authentication is successful for this resource.
    IWA:
    1. Install IIS web server and WebGate
    2. Create authentication scheme which protects / of IIS web server.
    Create a Form Authentication Scheme(this scheme should protect OBIEE and EBiz resource) which will have challenge redirect to IIS web server where IWA is configured and / is protected.
    Login Flow:
    1. User tries to access ebiz or obiee resource.
    2. Form Authentication Scheme will challenge redirect to IIS web server where IWA is configured.
    3. As IWA is configured. User will be automatically get ObSSOCookie.
    4. User gets redirected back to the requested resource.
    There is a My oracle support doc which talks in details about this setup.

  • Integrating Windows authentication with Sun Access Manager

    Hi,
    I have implemented Sun Access Manager and successfully protected an application (ABC). At present I am using the SDS as the authentication and authorization directory. I log in to the machine using the network username and password which is on AD.
    I want to move my authentication/authorization mechanism from SDS to AD, so that when I log in to the machine and open application ABC it should not ask me for credentials, and instead allow me to the homepage directly.
    How do I do this?
    Thanks in advance
    Maruthi

    Hi!
    Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
    http://developers.sun.com/identity/reference/techart/sharepoint.html
    Christoph

  • [Cisco ACS 5.2] Windows XP - EAP-TLS error

    Hi,
    We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
    We just replaced RADIATOR with Cisco ACS 5.2 .
    A few computers with Windows XP SP3 have this error: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Description:
    While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Resolution Steps:
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Most of the computers (hundreds of Windows XP and Windows 7) have no problem.
    ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
    If it was a known issue, we would have this error for other computers, but we don't (fortunately).
    The wireless profile is sent to computers using GPO, so they trust the ACS server certificate...
    Do you know how to correct this issue on the XP supplicant? I don't find this issue on Google.
    Thanks for your help,
    Patrick

    Patrick,
    One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like you to verify that.
    If that doesn't fix the issue then we will have to proceed to taking a Wireshark capture on the client and running a few debugs on the ACS.
    Thanks,
    Tarik Admani
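    Nicolas's point in the Aironet thread above (the AP only relays EAP; the method itself runs between supplicant and ACS) and the 11514 description in this thread are two views of the same exchange. The following added example, not code from the thread, from Cisco or from Microsoft, pulls the EAP-Message attributes out of a RADIUS Access-Request the way a NAS relays them, then classifies the supplicant's EAP-TLS reply the way the 11514 text describes it: an empty EAP-TLS Response (what the XP supplicant is said to send), a TLS alert record (what a conforming supplicant sends when it rejects the server certificate, for example unknown_ca), or ordinary TLS handshake data. Field layouts are taken from RFC 3579 (EAP over RADIUS), RFC 5216 (EAP-TLS) and RFC 5246 (TLS alert codes); the packets are constructed samples, the RADIUS Request Authenticator is zeroed and Message-Authenticator is omitted, which a real NAS would never do.

```python
"""Relay and classify an EAP-TLS client reply as the ACS 11514 message describes (added example)."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_TLS = 13            # RFC 5216
RADIUS_ACCESS_REQUEST = 1
RADIUS_ATTR_USER_NAME = 1
RADIUS_ATTR_EAP_MESSAGE = 79  # RFC 3579
TLS_CT_ALERT = 0x15          # TLS record content type 'alert' (RFC 5246)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # EAP-TLS flags: Length included, More, Start
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}


def radius_eap_payload(packet: bytes) -> bytes:
    """Concatenate every EAP-Message (79) attribute in order (RFC 3579 section 3.1).
    This is all a NAS such as an AP or WLC does with EAP: it never interprets the method."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, out = 20, b""  # 20 = code, id, length, 16-octet Request Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated RADIUS attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad RADIUS attribute length")
        if atype == RADIUS_ATTR_EAP_MESSAGE:
            out += packet[pos + 2:pos + alen]
        pos += alen
    return out


def parse_eap_tls(eap: bytes) -> dict:
    """EAP header, EAP-TLS flags and the TLS data the supplicant put after them."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap) or length < 6 or eap[4] != EAP_TYPE_TLS:
        raise ValueError("not a well-formed EAP-TLS packet")
    flags, body = eap[5], eap[6:]
    tls_len = None
    if flags & FLAG_L:
        tls_len, body = struct.unpack("!I", body[:4])[0], body[4:]
    return {"code": code, "id": ident, "flags": flags, "tls_length": tls_len, "tls_data": body}


def classify_client_response(eap: bytes) -> str:
    """'empty', 'alert(level:name)' or 'tls-data', as the server would see it."""
    p = parse_eap_tls(eap)
    if p["code"] != EAP_RESPONSE:
        return "not-a-response"
    data = p["tls_data"]
    if not data:
        # RFC 5216 section 2.1.5: a Response with no data only acknowledges a server fragment.
        # When the server is waiting for a TLS message this is the 'empty TLS message'
        # of ACS event 11514, which ACS treats as a rejection.
        return "empty"
    if data[0] == TLS_CT_ALERT and len(data) >= 7:
        level, desc = data[5], data[6]  # alert body follows the 5-octet record header
        name = ALERT_NAMES.get(desc, str(desc))
        return f"alert({'fatal' if level == 2 else 'warning'}:{name})"
    return "tls-data"


def build_eap_tls_response(ident: int, tls_data: bytes, flags: int = 0) -> bytes:
    body = bytes([EAP_TYPE_TLS, flags]) + tls_data
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def build_access_request(ident: int, user: bytes, eap: bytes) -> bytes:
    """Constructed Access-Request: zero Authenticator, no Message-Authenticator (a real NAS
    sets both; they are irrelevant to the relay step shown here)."""
    attrs = bytes([RADIUS_ATTR_USER_NAME, 2 + len(user)]) + user
    for i in range(0, len(eap), 253):  # an EAP-Message value holds at most 253 octets
        chunk = eap[i:i + 253]
        attrs += bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


# Constructed supplicant replies (not captures from the thread).
EMPTY_REPLY = build_eap_tls_response(7, b"")                                   # XP behaviour per 11514
UNKNOWN_CA_ALERT = build_eap_tls_response(7, b"\x15\x03\x01\x00\x02\x02\x30")  # fatal unknown_ca (48)
CLIENT_HELLO_STUB = build_eap_tls_response(7, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")


def triage(access_request: bytes) -> str:
    """What the ACS sees after the AP or WLC relays the supplicant's reply."""
    return classify_client_response(radius_eap_payload(access_request))


if __name__ == "__main__":
    for label, reply in [("empty", EMPTY_REPLY), ("alert", UNKNOWN_CA_ALERT), ("hello", CLIENT_HELLO_STUB)]:
        print(label, "->", triage(build_access_request(5, b"xpclient", reply)))
```

    The alert case is the useful one: a supplicant that objects to the certificate says why (unknown_ca, certificate_unknown), so the server log already names the problem. The empty case carries no reason at all, which is why Tarik's reply uses a single laptop with server-certificate validation temporarily unchecked purely as a diagnostic, and why the ACS resolution text warns against leaving it off.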
