ISE and Two distinct Windows Domains

All,
I have a customer who wants to integrate ISE with two separate Windows Domains; they have no trust relationship. We can integrate with one of the domains and can make use of LDAP for the other, but can only get Machine Authentication working with the domain with the full integration. Machine authentication will not work with LDAP, only user authentication. The problem is the config of the switches places the client in the guest network as they fail machine auth, and then client auth is not recognised by the switch. I'm thinking about either not going direct to MAB if a user fails machine auth, or disabling guest altogether, as the problem is a guest with a dot1x supplicant is not given guest access in a timely manner without this command. Another option I have thought about is to use the RADIUS token external identity store to talk to a Cisco ACS server attached to the other domain.
Any help would be greatly appreciated
Thanks
Simon

Here's the list of which methods are supported when using different kinds of user databases :
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1053140

Similar Messages

  • ISE and authenticating against Windows AD with RADIUS realm that is different from the Windows domain

    Hello
    We are in the process of evaluating the Cisco ISE VMWare appliance with a view to replace our existing FreeRADIUS installation as authentication provider for our wireless network and VPN service. As a part of this we are hoping to migrate our user authentication to Microsoft Active Directory - we have previously authenticated against a different identity store (not MS AD).  Because of this legacy our Windows domain is not the same as our RADIUS realm name - the Windows domain is "win.mydomain" whereas we wish to allow users to authenticate using "username@mydomain" or even "[email protected]" as they are doing today. We are experiencing an issue where authentication requests with the format "[email protected]" will be forwarded to the Windows AD whereas authentication requests with the format "username@mydomain" will fail with the log message "User not found in Active Directory". We do not know if the ISE itself is validating the username and triggering this error, or if the error originates from AD. We suspect the that the ISE is not even asking AD because "win.mydomain" is the domain configured in "Active Directory" in "External Identity Sources".
    Authentication requests against the AD without a realm are successful (that is, using only "username"). With this in mind we located a post on the Cisco support forums that described a process of proxying the request back to the ISE and strip the realm information, but this was specific for the ACS platform. We have attempted to implement this solution but it is still not working as we would have hoped, and we are not entirely certain where the fault might lie. We are currently using PEAP with MSCHAPv2 for authentication in our WLAN where the main problem is. We suspect that the "proxy-to-self" with realm stripping is an issue with PEAP.
    Is there a supported method of achieving our goal, or should we abandon the ISE platform as our scenario is simply not supported?

    Seems like your issue may be related to DNS: when ISE receives the format [email protected], the DNS request is failing. However, there is a setting for alternate UPN Suffixes that can be configured to include domain.com and student.domain.com.
    Here is a Windows article that should fix this for you. Once you get this updated, please reboot ISE so it rejoins AD. Try your tests again.
    http://technet.microsoft.com/en-us/library/cc772007.aspx
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
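As an added illustration of the mapping Tarik's answer depends on (this is example code written for this page, not ISE's own logic or anything posted in the thread): an identity of the form user@suffix can only be looked up against the joined AD domain when the suffix is that domain or one of the alternate UPN suffixes registered in AD. The join domain is the one named in the question; the suffix set, user names and the decision structure are constructed for the example.

```python
# Constructed for this example: the AD join domain from the question and the
# two alternate UPN suffixes the answer proposes registering in AD.
AD_JOIN_DOMAIN = "win.mydomain"
REGISTERED_UPN_SUFFIXES = {"mydomain", "student.mydomain"}


def parse_identity(identity):
    """Split a supplied identity into (user, realm).

    'user'        -> ('user', None)
    'user@suffix' -> ('user', 'suffix')   (realm lower-cased for comparison)
    Anything else (empty parts, a second '@', DOMAIN\\user) is rejected.
    """
    identity = identity.strip()
    if "\\" in identity or identity.count("@") > 1:
        raise ValueError(f"unsupported identity form: {identity!r}")
    user, sep, realm = identity.partition("@")
    if not user or (sep and not realm):
        raise ValueError(f"malformed identity: {identity!r}")
    return user, (realm.lower() if realm else None)


def resolve_against_ad(identity, join_domain=AD_JOIN_DOMAIN,
                       upn_suffixes=REGISTERED_UPN_SUFFIXES):
    """Decide whether an AD lookup can be attempted for this identity.

    Returns a dict with the user, the AD domain to query (or None), whether a
    lookup is possible, and a human-readable reason. A realm that is neither
    the join domain nor a registered UPN suffix is the case that surfaces as
    'User not found in Active Directory' in the question.
    """
    user, realm = parse_identity(identity)
    suffixes = {s.lower() for s in upn_suffixes}
    if realm is None:
        return {"user": user, "domain": join_domain, "lookup": True,
                "reason": "bare username: query the join domain"}
    if realm == join_domain.lower():
        return {"user": user, "domain": join_domain, "lookup": True,
                "reason": "realm is the join domain"}
    if realm in suffixes:
        return {"user": user, "domain": join_domain, "lookup": True,
                "reason": f"realm {realm!r} is a registered alternate UPN suffix"}
    return {"user": user, "domain": None, "lookup": False,
            "reason": f"realm {realm!r} is neither the join domain nor a "
                      f"registered alternate UPN suffix"}


if __name__ == "__main__":
    # Before and after registering the alternate suffixes (constructed identities).
    for ident in ("alice", "alice@win.mydomain", "alice@mydomain", "alice@other.example"):
        before = resolve_against_ad(ident, upn_suffixes=set())
        after = resolve_against_ad(ident)
        print(f"{ident:22} before: {before['lookup']!s:5}  after: {after['lookup']!s:5}  ({after['reason']})")
```

The point the comparison makes is that the realm check happens before any directory query: with no registered suffix, "username@mydomain" cannot be mapped to win.mydomain at all, which matches the symptom of the bare "username" succeeding while the realm form fails.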

  • iMac screen dims and two browser windows flicker.

    Not sure how to explain this, but when I have two browser windows open, at random, they start to flicker and the whole screen gets dim.
    What can I do?
    Thanks

    I just noticed that when it happens, the mouse pointer stays with the hand icon.
    Then when I move it to a window, that window goes dim.
    Can someone explain this?
    Thanks

  • Mac OS X 10.6 Setting up and Printing to Windows Domain Printers

    Hi Guys,
    I have a Windows Domain currently running here at work. I am running a print server on one of our Windows 2003 Servers.
    I have successfully joined 4 Mac Pro machines to the domain. They are all logging on to the domain and can access shares etc.
    My problem is that I wish to add the networked printers that appear on the domain print server to the Mac Pros.
    When I go to System Preferences > Print and Fax and then click the + button, I see a list of all the printers that are exclusively installed on the Windows Print Server.
    Some are listed in the Add Printer window as Bonjour and some as Open Directory. The Bonjour items I can add fine; it's the Open Directory ones that are causing me problems.
    How can I add these printers to each machine without manually installing the drivers for each printer on each Mac? Why am I seeing some Bonjour listed printers and some that are not?
    Any help would be very much appreciated

    Some are listed in the Add Printer window as Bonjour and some Open Directory. The Bonjour items I can add fine, its the Open Directory ones that are causing me problems.
    How can I add these printers to each machine without manually installing the drivers for each printer on each Mac.
    The answer depends on what printer description language (PDL) these Windows shared printers support. If they are Postscript then it is possible that a PPD for the printer may already exist on the Mac and so all you need to do is select it from the Print Using menu. And if the PPD is not present then you can still select Generic Postscript. But the thing to note is that since you are sharing the queue from Windows, rather than connecting directly to the printer (as you are doing with the Bonjour printer) then the Mac does not know what the printer is so you still need to manually select the correct printer on the Mac.
    If the printer is not Postscript and requires a proprietary printer language then you would have to manually install this driver on every Mac. And even with this driver installed on the Mac there is no guarantee that it will work via the Windows share. Many vendor drivers are written for direct communication to the network printer. Sticking a Windows queue in between stops the Mac driver from communicating with the printer and this in turn stops the Mac from printing. So if you can tell us what printer models you have then we can provide better information.
    Why am I seeing some Bonjour listed printers and some that are not?
    Not all network printers support Bonjour. Often only newer models of business printers support this protocol, while it is more prevalent in consumer printers. And what you are seeing is a multicast coming directly from the printer. So if you don't want the users to bypass your Windows print server and connect directly to these printers, then you may not want them broadcasting their presence.
    But the benefit of the printer using Bonjour is that they are able to communicate to the Mac what they are, and this helps with the Mac determining which printer driver to use. So, as you have noted, the setup for the Bonjour printer on the Mac is easy, because it helps with selecting the correct driver.
    Hope this helps with your questions. Please reply if you need more information

  • Cisco ISE and forest trusts vs domain trusts

    Hi All,
    Are there any issues with forest trusts with Cisco ISE?
    I have a customer that had external trusts and ISE was working ok for PEAP MSChapv2 user auth across domains.
    They recently removed external trusts and changed to forest trusts.  Now auth doesn't work.  Initial error was authc ok, authz fail.
    I can search and get lists of AD groups ok for the remote domain. 
    Using the attribute tab, I can't get attributes for users in the remote domain. I'm thinking since I can't see the memberOf attribute, none of my authz policies will work.
    I have done "leave" and "join" domain again.
    In my lab, I have forest trusts and it actually works ok.  A previous poster talked about kerberos issues across forest trusts ?
    Cheers
    Peter. 

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf
    Kindly find the steps on the page no.170

  • STMS config at two different windows domain

    Hi,
    We are under ECC6 Implementation. We have installed dev, QA, and prod.
    But for security reasons the client placed development in USTDC.com, and QA and PROD in SHAFT.com.
    Now when we configure the Transport domain at SAP level, how would I configure the domain controller?
    Should I configure two different domains, one for dev and one for QA and prod?
    When we release the request from dev, do we need to copy cofiles and data files to the other domain?
    Please suggest some best.
    Thanks
    Kristene

    If you want this split screen thingy for a single app, do like captfred suggests or see if the app itself supports some sort of splitting, like MS Excel.
    If you want to do this system-wide, maybe you can get what you want by activating and using Spaces: http://support.apple.com/kb/PH4313

  • ITunes and two computers - windows

    I recently switched to an iPhone when my Droid died. Love it. But, I added my music from my home computer to my iPhone. I added iTunes to my work laptop. When I connect to the work laptop, it deletes all my music on my iPhone that I sync from home. The work laptop only has "purchased" music, not all of my backed up CDs. How do I change the settings on my account so it doesn't do that?

    Sync iPod/iPad/iPhone with two computers
    Although it isn't possible to sync an Apple device with two different libraries it is possible to sync with the same logical library from multiple computers. Each library has an internal ID and when iTunes connects to your iPod/iPad/iPhone it compares the local ID with the one the device normally syncs with. If they are the same you can go ahead and sync...
    I have my library cloned to a small 1Tb USB drive which I can take between home & work. At either location I use SyncToy 2.1 to update the local copy with the external drive. Mac users should be able to find similar tools. I can open either of the local libraries or the one on the external drive and update the media content of my iPhone. The slight exception is Photos which normally connects to a specific folder on a specific machine, although that can easily be remapped to the current library if you create a "Photos" folder inside the iTunes Media folder so that syncing the iTunes folders keeps this up to date as well. I periodically sweep my library for new files & orphans with iTunes Folder Watch just in case I make changes at one location but then overwrite the library with a newer copy from the other. Again Mac users should be able to find similar tools.
    As long as your media is organised within an iTunes Music or Tunes Media folder, in turn held inside the main iTunes folder that has your library files (whether or not you let iTunes keep the media folder organised) each library can access items at the same relative path from the library folder so the library can be at different drives/paths on different machines. This solution ensures I always have adequate backups of my library and I can update my devices whenever I can connect to the same build of iTunes.
    When working with an iPhone, earlier builds of iTunes would remove any file not physically present in the local library, even if there was an entry for it, making manual management practically redundant on the iPhone. This behaviour has been changed, but it will still only permit manual management with a library that has the correct internal ID. If you don't want to sync your library between machines on a regular basis, just copy the iTunes Library.itl file from the current "home" machine to any other you want to use, then clean out the library entries and import the local content you have on that box.
    tt2

  • WAAS 4.1.15b and two windows domain

    Hi
    I have two data centers and two Windows domains (let's call them X and Y). In data center X I have two WAE, CM and Core; in data center Y I have one configured as Edge and Core as well (people in data center Y have to access resources in domain X).
    In all remote offices the WAEs are configured as Edge. All WAE are added to domain X.
    All prepositions in domain X work fine.
    I have created a second CoreCluster for domain Y, added the WAE in data center Y as Core and one WAE in a remote office as Edge to this CoreCluster, but preposition doesn't work.
    On the Edge WAE, in the log /local1/logs/actona/RxLogging.log, I can find only this:
    [2010-03-25 14:35:58,765][ INFO] - Preposition ID  929205 started on \\serverY\testfolder\.
    [2010-03-25 14:39:59,303][ INFO] - Prpositioned files under \\serverY\testfolder\ (task 929205): File server disconnection - scanned 0 files, updated 0 files, 0 bytes 0 directories.
    [2010-03-25 14:39:59,323][ INFO] - Preposition ID  929205 failed, reason: Completed with error(0 files with errors).
    I can ping this serverY from this WAE.
    The question is:
    Is it possible to create a preposition for two Windows domains using this infrastructure?
    PS. I have to use legacy services.
    I hope that this is not so complicated
    Thanks in advance
    james

    James,
    Thanks for the log files. In the Tx.internal.log file, there is the following entry:
    2010-04-15 12:08:28,952  WARN (actona.cifs.fsclient.FileSystemClient:1799) TP-1 -  Terminating caller due to disconnect: error=13caller=TYPE_START_SESSION [cookie=null]
    This message and error code mean that the WAFS Core was unable to open a socket to the origin file server you are trying to preposition content from. Can you please verify the following from the CLI of the WAAS device running the WAFS Core service:
    Verify name resolution - dns xchn.i.shadm
    Verify IP connectivity - ping xchn.i.shadm
    Verify TCP connectivity - telnet xchn.i.shadm 445
    Thanks,
    Zach
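The three checks Zach asks for (name resolution, IP reachability, TCP reachability to the SMB port 445) as an added Python script; this is example code written for this page, not anything from the thread or from WAAS, and it runs on an ordinary host rather than the WAAS CLI, so run it from a machine on the same segment as the Core to see what the Core sees. The file-server name in the usage block is a placeholder, and the ping invocation assumes a Linux-style `ping` with `-c` and `-W`.

```python
import json
import shutil
import socket
import subprocess
import sys

SMB_PORT = 445  # CIFS/SMB over TCP, the port a WAFS Core needs to reach on the origin server


def resolve_name(host):
    """Name resolution: the unique addresses host resolves to, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    addresses = []
    for info in infos:
        addr = info[4][0]
        if addr not in addresses:
            addresses.append(addr)
    return addresses


def check_ping(host, timeout_s=2):
    """ICMP reachability via the system ping binary (assumes Linux-style -c/-W flags).
    Returns True/False, or None when no ping binary is available on this host."""
    ping = shutil.which("ping")
    if ping is None:
        return None
    result = subprocess.run([ping, "-c", "1", "-W", str(timeout_s), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def check_tcp(host, port=SMB_PORT, timeout_s=3):
    """TCP reachability: can a handshake to host:port complete within the timeout?
    Refused, filtered (timeout) and unreachable all come back as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def diagnose_file_server(host, port=SMB_PORT):
    """Run the three checks in order and name the first layer that fails.

    DNS failing means ping and TCP are not even attempted; ping failing while
    TCP succeeds usually just means ICMP is filtered, so only a TCP failure
    with DNS and ping fine points at a firewall or a stopped SMB service.
    """
    report = {"host": host, "resolves_to": resolve_name(host)}
    report["dns"] = bool(report["resolves_to"])
    report["ping"] = check_ping(host) if report["dns"] else False
    report["tcp"] = check_tcp(host, port) if report["dns"] else False
    if not report["dns"]:
        report["first_failure"] = "dns"
    elif not report["tcp"]:
        report["first_failure"] = "tcp" if report["ping"] is not False else "ping"
    else:
        report["first_failure"] = None
    return report


if __name__ == "__main__":
    # Placeholder target; pass the origin file server's name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "file-server.example.invalid"
    print(json.dumps(diagnose_file_server(target), indent=2))
```

Because the Core's own resolver and routing table are what matter, a clean result from a different host only rules out the file server itself; the Core's CLI checks remain the authoritative ones.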

  • ISE and Windows CA cert issues during TLS

    Hi All,
    We are having some issues when doing EAP-TLS during onboarding. The setup is to have a single SSID network. Clients initially get connected via PEAP and after onboarding it is EAP-TLS. The environment is a 2-tier CA hierarchy having a root CA (offline) and an intermediate CA (this is the AD domain enterprise CA and SCEP server). The ISE cert was signed by the intermediate CA for HTTPS and EAP. I also imported the certificate chain from the intermediate CA into the ISE cert store (converted from .p7b to .der). It also has the SCEP RA certificate, and SCEP communication between ISE and the SCEP server looks OK.
    The issue is during the onboarding process (tested with Windows XP): after the redirection to the guest portal, the Windows SPW wizard starts and prompts to confirm the user certificate. This keeps on prompting after 'OK' is clicked and does not proceed further. 'View certificate' shows the following error: "The issuer of this certificate is not found". ISE shows the following errors in the authentication details (jpg attached). The Windows SPW logs show that it keeps on retrying authentication.
    The issuer of the client cert, which is the intermediate CA cert, is already in the ISE certificate store. Therefore shouldn't the client get this issuer CA's details from ISE, and shouldn't ISE be able to authenticate the client during onboarding to start the TLS connection? Do we have to import separate certs for the root CA and intermediate CA into the ISE store instead of the chain?
    Has anybody had this issue with ISE in a hierarchical CA environment?
    Thanks in advance.

    Review this link
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1044440

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows Domains, Domain A and B. ACS is configured on a member server in domain B and hence Windows Authentication for users in Domain B is working fine. However, I'm unable to see domain A in Configure Domain List on the ACS server in the Windows Domain configuration menu.
    Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Appreciate quick help on this.
    -Satishcp

    Unfortunately we are not using the Cisco Secure ACS Appliances; rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess is Remote Agents for Windows / Solaris work with Appliances alone.

  • ACS Two Windows Domains

    Can the ACS server be configured to work with two Windows domains, to authenticate users that belong to the domains called "a" and "b"? The protocol to authenticate is 802.1X in a wireless environment (WLC4400 + ACS4.2 + two Windows Domains).

    Hello,
    Under certain conditions, yes. You have to have trust between the domains, and depending on whether you are running the ACS on an appliance or a server, there's certain configurations you have to do to make it work with multi-domain authentication.
    Here are a few links to get you started:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/new_feats.html#wp1011301
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353805
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • My Ipod touch will not synch all songs in my library - on my windows 8 laptop. Doesn't matter if the songs are checked or not - only some songs will synch to the IPOD. I have multiple devices and two accounts.

    My IPOD touch will not synch all songs in my library. Library is on a windows 8 laptop. Checking the songs does not matter. I have multiple devices (ipod, IPhone 4 and 5, IPad 2) and two ITunes accounts.

    All songs play on the laptop windows 8. The second Ipod touch we have - all songs synch to it and play.
    But the first Ipod touch we bought - only half (or so) of the songs synch. So I assume there is an issue with the newer Ipod touch. The songs not synching are songs I added to the library from CD's.

  • I have two pc, one with windows 7 professional and another with windows 8.1. I'm the only owner and user of both. One works with 32 bits and the other (windows 8.1) , 64 bits. Can I use acrobat standard XI in both pc's being the only usuary?

    Just in case. I have two pc's one with windows 7 professional (32 bits) and another with windows 8.1 (64 bits). Can I use, with one license, as I'm the owner and only user, acrobat standard XI?. Thank you in advance
    Francisco

    Yes, the license allows 2 installs for the owner's personal use. You can check this in the license agreement if you wish.

  • Can I use my 2TB WD My Book Essential for the Time Machine feature on the MacBook as well as two other Windows computers (one running 7 and one with Vista)?

    Can I use my 2TB WD My Book Essential for the Time Machine feature on the MacBook as well as to store information from two other Windows computers (one running 7 and one with Vista)?

    Yes you can but you need to partition the drive into at least 2 separate drives.
    To do that you need to use a Windows PC to do the first partitioning. Say you split the drive into two partitions each 1TB (or close to 1TB) each.
    Partition and format both partitions on a Win PC, one as NTFS and the other as FAT32.
    Then move it to the Mac and Reformat the FAT32 partition Mac Extended (Journaled) with a GUID Partition Table.
    I have that same drive and that is what I did originally with it. I now have it just for the Mac as I have other externals for the Win systems.
    Good Luck.

  • Upgraded to Yosemite and Windows 8.1 Pro in Bootcamp, can no longer drive retina display and two external monitors simultaneously?

    Greetings
    I just upgraded from Mountain Lion and Windows 7 Ultimate (Bootcamp) to Yosemite and Windows 8.1 Pro on a late 2012 MBP 13" Retina. Prior to the upgrades, I was able to drive the retina panel and two external monitors simultaneously when operating directly in Bootcamp. Now, I can only drive 2 of the 3 simultaneously though all three are recognized under Graphic Properties. I simply cannot find any option or profile under Graphics Properties or Options or Personalization to run all three screens.
    My hardware hasn't changed and this worked prior to the updates. I have no issue on Mac OS X, which can run all three. I also have no issue doing it in Windows under Parallels Desktop 10. It is just when I boot directly into Bootcamp that this happens. What am I missing?
    Thanks,
    G.

    Great point, Loner T.  It was late when I was working and I thought about this afterwards also.
    The issue was that in Windows=>Control Panel=>Display, under "Change Display Settings", the three screens showed but "Extend Display"  was not selected for one of the screens. It was simply off. I can't believe I danced around this w/o picking it up sooner. In fact, it has happened in the past that for some reason a display loses this setting.
    As an aside, thanks again for all of your help and terrific input to upgrade both the Mac and Windows operating systems. As I was going from Windows 7 Ultimate to Windows 8.1 Pro, one thing I did come across that made life much easier was to upgrade first to Windows 8 so I could keep my apps. The jump from 7 to 8.1 would otherwise migrate my personal files, but not programs and require a lot of time to reinstall all. This was completely avoided by going to Windows 8 first.
    Thanks, again, and very much appreciate the work that you do here.
    Best,
    G.
