AAA/Identity/Nac :: ASA5510 Entry For LDAP Object That Refers To Domain Controller
Feb 14, 2013
On our ASA5510, in the AAA Server Groups area, there is an entry for LDAP and an object that refers to our 2003 Domain Controller. This DC has LDAP over SSL enabled and I can see the DN and password for a domain user account. I've created two new DCs, both 2008 R2, but when I enable these in the same way it says it could not authenticate: ERROR auth server not responding, AAA group removed. I thought this had something to do with CA being installed on a DC, but it's not running as a service on the DC that was already referred to.
View 2 Replies
Feb 28, 2013
I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs show me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[Code]......
View 0 Replies
Sep 12, 2011
Within ACS 5.2, does anyone know of a way to see which specific domain controller a request is sent to?
View 1 Replies
Sep 5, 2012
I try to join an ACS v. 5.3 to the domain. For my ACS in Location A, I can join without problems using my account. When I try to join the ACS in location B to the same domain with the same account, it doesn't work. I looked at the debug log files for the AD client and noticed that the ACS in location B goes to a certain Domain Controller. However, I would have expected the ACS to contact another DC, which is located at the same location as the ACS. This doesn't happen.
My question: How does the ACS determine what DC to contact? Is it possible to force the ACS to join by connecting to a certain DC?
View 2 Replies
Feb 28, 2010
Is there currently any ACS version working with Windows Server 2008 R2 domain controllers? Our server staff has recently upgraded the Domain Controllers to 2008 R2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy. I've read several posts now regarding issues with ACS and Server 2008 R2 and hope to find a solution (besides switching to LDAP, yukk).
View 5 Replies
Jul 17, 2011
I'm trying to determine who's throttling our 'Outside' interface because it's being hogged. Is there an easy way to see what data is assigned to what object on our ASA5510?
View 2 Replies
Jan 26, 2012
I have a requirement to NAT a spare address on the same subnet range as one of the firewall interfaces. However, because this is not allocated to a physical interface, there is no MAC entry in the ARP cache. The other end of the link from the firewall is connected to a router which has no idea how to reach this "virtual address", again because there is no entry in the ARP cache. I have tried to put a static ARP entry into the firewall but this doesn't appear to work either. Should I be using a MAC address from a physical interface, or can I create a dummy MAC for this? If the router can't see the IP address, then users will not be able to target this address so that the firewall can NAT to the real outside address. I have tried routes to null0 on the router and static ARP entries on both devices, but the user just times out when trying to connect to 10.2.7.11 (NAT to 10.2.32.11).
View 6 Replies
Feb 24, 2013
I have a WLC 4404 with LWAPs. The customer has a Microsoft LDAP and all users are joined to the domain, and he wants the users to be authenticated against their domain accounts. This should be done automatically, so that when users log in to Windows they are also authenticated and joined to the WLAN. So how can we do that in the simplest way, without a RADIUS server, using only the LDAP and without involving any certificates? Also I need to know, when I add an LDAP server to the WLC, how can I know that this LDAP is properly integrated with the WLC?
View 8 Replies
Feb 24, 2011
I have a clientless VPN configured for webmail on an ASA 5510. However, for some reason it also displays in the drop-down of the AnyConnect client, and consequently if you try to connect you do not get redirected to the webmail page. Does anyone know how I can either remove the entry from the drop-down of the AnyConnect client, or force the webpage to open if connection is granted via the AnyConnect client?
View 1 Replies
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on Active Directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Condition
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to an identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group. This occurs when I log on as a groupname1 user, a groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.
View 3 Replies
Dec 8, 2010
Does LDAP authentication work across W2K3 Active Directory domains and multiple ASA5510 firewalls? Or do I need to set up another type of authentication? If I use another type of authentication, can I get specific portals with special bookmarks based on login account?
View 4 Replies
Apr 28, 2013
We have a 5508 controller (redundant) and would like to configure the Staff VLAN to authenticate with Active Directory. I am new to the controller device and want to configure the controller with Active Directory (Windows 2012).
5508 controller (Active & Standby) with 48 Access Points (configuration done). Guest VLAN (only for internet access): controller-based web authentication configured.
Staff VLAN (inside & outside): needs to be configured with LDAP authentication?
View 9 Replies
Apr 7, 2013
Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
object-group network test
network-object 192.168.0.0 192.168.63.255
?
network-object-group mode commands/options:
A.B.C.D Enter an IPv4 network mask
sh run ob id test
object-group network test
network-object 192.168.0.0 192.168.63.255
I found that the documentation requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug, how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range, it looks like the ASA doesn't read that configuration properly.
View 5 Replies
Jul 16, 2012
My network looks like this:
[RADIUS] --- [C881] --- [SG200 Switch] ---[WinXP]
One of the SG200 interfaces is set as a Supplicant and it authenticates to the RADIUS (FreeRADIUS) server via the C881 router. WinXP and other PC clients authenticate to RADIUS via the SG200. Now: Authentication works perfectly. Ports open as they're supposed to. I'm able to reach RADIUS from the SG200 and vice versa, but there is a problem with WinXP. When I connect it to the SG200 it authenticates, the port opens and I'm able to reach RADIUS or any host on the left-hand side, but only for 300 seconds. After that period of time the C881 loses WinXP from its ARP table and any communication fails. I can't even reach the C881's interface facing the SG200. Then I type:
c881(config-if)#dot1x port-control force-authorized
C881 learns WinXP's MAC and IP again and all gets back to normal. When I type
c881(config-if)#dot1x port-control auto
after 300 seconds the C881 forgets WinXP again and communication breaks down.
How is it possible that a router forgets the MAC of a host it's continuously "talking" with?
Have you ever seen this kind of behaviour? I tried with two other software revisions on the C881 and the result is always the same. Bug or feature?
View 5 Replies
May 16, 2011
I am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against an LDAP on Windows Server 2003. I have changed the read access on the Active Directory to allow Anonymous to read it. I think I am missing something in the ASA config. I have the Server Group specified with the address of the correct server but nothing else really configured.
View 1 Replies
Jun 19, 2011
This is an ASA5520 with 8.4(1). Very simple scenario, three ports: inside, outside, DMZ. My problem is how to use network object NAT to perform Regular Dynamic PAT and Identity NAT.
For example, this is my configuration:
**** first i configured Regular Dynamic PAT****
object network myinside
subnet 10.200.11.0 255.255.255.0
nat (inside,outside) dynamic interface
**** then, I ran into a problem when I wanted to make identity NAT between inside and DMZ ****
**** if I add the CLI below, the first nat line will be replaced ****
**** SO IF I ADD THIS ****
[code]......
View 4 Replies
Sep 13, 2011
Is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as an Identity store to authenticate users on AAA clients and network devices.
View 0 Replies
Mar 2, 2011
I have a problem with LDAP authentication. I have a Cisco ASA5510 and a Windows 2008 R2 server. I created LDAP authentication:
aaa-server LDAPGROUP protocol ldap
aaa-server LDAPGROUP (inside) host 10.0.1.30
server-port 389
ldap-base-dn dc=reseaux,dc=local
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local
server-type microsoft
But when I test, I get an error (the user account works directly on the server):
test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified
View 11 Replies
Jun 22, 2011
Provide me a step-by-step procedure for integrating LDAP with ACS 5.2.
View 1 Replies
Nov 18, 2012
In my office we are using two networks, one is 16.x.x.x and the other one is 15.x.x.x. 16.x.x.x has the domain controller. 15.x.x.x is only connected as a Workgroup. My question: is it possible to add a 15.x.x.x network system into the 16.x.x.x network? I tried to add it but it gave the error message "Domain Controller can not be contacted". Generally we can't add it into the domain, I know that. Is there any way to connect the 15.x.x.x systems into the 16.x.x.x domain using a router in the network?
View 1 Replies
Jun 19, 2011
Type: Error
EventID: 1054
Description: Windows cannot obtain the domain controller name for your computer network. The specified domain either does not exist or could not be contacted. Group Policy processing aborted.
Dad's work laptop (XP) will no longer connect to any wifi at all. I removed the Intel PRO/set wireless utility so it would default to windows, enabled the Wireless Zero Config. It will acknowledge the network, attempt to get an IP address from the network for 1 minute, then it rotates down to the next network SSID in queue (I have 3 SSID's in our house). When it reaches the end, it just goes back to the "Windows is not connected to any wireless networks" message.
View 2 Replies
Mar 1, 2011
In 2004 I had a small home network of an NT4 domain controller with a 98 client and an XP client and an NT4 workstation laptop. All was fine with the NT4 server providing a central store and print queue for a networked laser. Over time the laptop has been replaced with a Win7 (which will access the files but really doesn't the NT4 domain). The Win98 has died and now finally the NT4 server has gone too. I intend to revert now to a workgroup type set-up and forget about domains (I don't need it really). My problem is, if I remove my XP machine from the domain I lose all the program menu, shortcuts, desktop etc. which are stored under the domain user name login. Can I retrieve these, or at least look at them, so I can set up the local XP administrator account with all my familiar stuff?
View 3 Replies
Jul 5, 2012
I have Windows Server 2003 w/ 3 clients on my home network. 2 of these machines link w/ the server; when I formatted and tried to link the 3rd machine it says "A domain controller for the domain fits.local could not be contacted". For this problem I have 2003 server + ISA server 2004 + Exchange server 2003 installed in one Core i3 machine..........
View 9 Replies
Aug 21, 2012
I am trying to set up a VPN with AnyConnect on my ASA5510 and it works fine. I have set up an AAA server group for my Active Directory with the "NT Domain" protocol. Right now, every user is able to connect with their Active Directory credentials. I would like to restrict access to the AnyConnect VPN to only a few users in AD.
View 1 Replies
Feb 13, 2012
refers to a location that is unavailable. It could be on a hard drive on this computer.
View 1 Replies
Oct 23, 2012
Know about Domino LDAP? I would like to integrate this LDAP with Cisco ISE. I try to bind this LDAP but it does not show me anything in "Naming Context", so I cannot choose a group to map into ISE. I tested this on a WLC: there it succeeds, but I cannot make the same thing work with Cisco ISE. Is this LDAP supported with Cisco ISE 1.1.1?
View 3 Replies
Jul 31, 2012
I have 2 SSIDs on WLCs. I would like to have 1 SSID point to the ACS RADIUS using the LDAP store and the 2nd SSID point to the ACS RADIUS using the host identity store for MAC filtering. Both scenarios are working, but not together. If I adjust the rule order I can get one SSID, but then the other fails. [code] It seems to me that there should be a simple process to make this happen. I thought if the rule is not matched it would move on to the next rule etc. I might be able to live with first checking LDAP and, if that fails, moving on to the local host DB, but that seems inefficient. url...
View 3 Replies
May 8, 2011
I have a CS-ACS appliance with version 5.2.0.0.26.3. There is no direct solution for connecting an LDAP client to the server. I have 3 servers that have only LDAP, and for authentication I cannot use RADIUS or TACACS+. I need a solution for this problem. How can an LDAP client connect to ACS when it has only the LDAP protocol?
View 1 Replies
Feb 16, 2012
We relocated several servers to our DMZ and, without a domain controller in the DMZ (we plan to put an RODC in the DMZ later when we move to Windows Server 2008), I punch through the standard recommended TCP ports (ports 88, 135, 389, 53, etc.) to the DC located on the internal network. I am double hopping to the DC (I hope that doesn't matter), as the DMZ-located web server communicates to another IP address in the same DMZ network and then I NAT that address to the internal IP address of the DC. Everything seems to be working for the servers we moved to the DMZ, but I think I don't have all the necessary TCP/UDP ports punched through, because we have found that logging into the DMZ servers is taking an extended amount of time, sitting on the "applying settings" screen for 2-34 minutes. Also, we noticed that our applications folks now have to add the fully qualified domain names when making calls to servers that previously just needed the domain name. When I open the access-list up completely without opening specific TCP/UDP ports, the issue is resolved.
View 4 Replies
Feb 10, 2011
I am having trouble adding a computer to the Domain Controller. I have a cable modem running into a DI-524 router. The router has DHCP and DNS relay disabled. I set the LAN IP address of the router to 192.168.2.1. The router is connected to a switch with 10 PCs and a server running 2003. The server has an IP address of 192.168.2.2. I set up a DHCP server inside 2003 with a scope of 192.168.2.100-192.168.2.199. Under scope options the router is set to 192.168.2.1 and DNS Servers is set to 192.168.2.2 (the IP address of the domain controller). When I try to add the computer it cannot contact the domain controller. Is there something wrong with my DHCP config or DNS?
View 3 Replies
Nov 30, 2011
I am currently planning an Active Directory deployment. It will most likely be a new forest, but the domain could become part of an existing forest. I have about 45 computers with about 85 users. At one time there are about 42 users logging in, as there are two shifts. The logons will be done all at once. Do you think two domain controllers will be able to handle the load?
View 9 Replies
Apr 11, 2012
o create a domain host
View 2 Replies
Nov 22, 2012
How has the file server been affected by promoting your server to a domain controller? And what do file servers actually do?
View 3 Replies