Cisco AAA/Identity/Nac :: 802.1x With ACS 5.2 And Windows AD
Aug 7, 2011
I'm trying to set up 802.1x with ACS 5.2 but am struggling as it's very different to ACS 4.2. I have set up the ACS to be in the domain and think I have set up the External Identity Store; however, when I try to authenticate a PC using authentication method 'PEAP (EAP-MSCHAPv2)', I get the failure reason '22056 Subject not found in the applicable identity store'.
View 2 Replies
Jun 8, 2011
I searched Cisco documents, but all of them have examples for ACS 4.0, and I am very keen to know about ACS 5.0 integrated with AD. Any document specifically on ACS 5.0 would be great for me to understand the ACS 5.0 set-up.
View 4 Replies
Apr 30, 2012
Getting a cert off of a 2008 R2 CA and importing it correctly into ACS 4.2? I've had, and have seen others have, the problem of creating a web server certificate from R2 (1024 bit) and putting it into ACS 4.2, only to have HTTPS/SSL no longer work correctly. I haven't even tested the intended purpose of the cert (EAP-TLS) yet, so who knows if that works. I've also seen through searching where someone was able to take a 2003 CA web server template, put it into R2 and have it work, but I no longer have 2003 available.
View 1 Replies
Sep 9, 2012
My current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements I make below are what I have gathered from reading forums; some of them might be incorrect.
In the ACS under "External Identity Stores" and "Active Directory", there is a check box called "Enable Machine Access Restrictions". If it is checked and the Aging time is set to 8 hours, and a Windows XP machine authenticates using its domain credentials, it will gain access to the network; but if that computer is not rebooted after the 8 hours are up, Windows XP will not send its machine credentials again, it will only send the user/pass of the user, and it will lose access to the network. The problem we have is that most of the users do not shut down their computers when they go home; they hibernate the computers, thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send its domain credentials again, but from every forum I have read, Windows XP will not send them again until it gets rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the meantime I have changed the aging time to 8760 hours, but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward, what are my options to make this work properly?
- Is there a way to fix Windows XP?
- Is there a recommendation on how to bypass this issue but still give us decent security?
- Is setting the aging time so high a non-security issue?
- I guess worst-case scenario, the customer can try to educate all the students and staff to reboot their machines every morning?
View 4 Replies
Jun 11, 2009
We are trying to restore an ACS SE backup into an ACS for Windows, but we get the error message: "The backup file selected is either not a Cisco Secure V4.2 backup file or it has been corrupted". The version/patch level is the same on both, 4.2(0.124). I think that is possible (restore SE in W2000), isn't it?
View 3 Replies
Oct 6, 2011
How to upgrade from ACS 4.0 to 4.2.1 with data restoring?
Currently I am running 4.0 and I need to upgrade to 4.2.1 for Windows.
View 1 Replies
Jun 4, 2013
I have the error message in my ACS 5.4 after migrating the version (5.3 to 5.4)
View 2 Replies
Feb 5, 2013
I am having some issues when I try to configure TACACS+ authentication/authorization for NCS via ACS 4.2 with an external DB (Windows AD), and I am getting some errors from NCS:
257777: loopback: Feb 06 2013 13:02:43.279 +0800: %XMP-7-DEBUG: %[ch=com.cisco.xmp.usermgmt][mid=10015]: [The
query is :select p from XmpUser p where p.username='s102069' and policyPartition = 'root']
[Code].....
View 0 Replies
Aug 21, 2012
I have seen a couple of people with Win7 who cannot authenticate to ISE: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate. I've thought of this: maybe get a 3rd party cert (GoDaddy) and have that installed in ISE. I know I do have to make a CSR (Cert. Sign. Request) that matches cn=primary.ise.mydomain; would I also need a cert for the secondary?
If I use LEAP as the preferred protocol then it doesn't ask for a cert and users are authenticated successfully. I know they have to say "do not validate cert" and all that, but sometimes it doesn't pop up for them and they just can't get on. Again, maybe going with 3rd party certs will make it easier while benefiting from using PEAP?
View 5 Replies
Mar 20, 2012
Currently on 5.3.0.40.2, when an invalid password is attempted via TACACS or RADIUS to the AD identity store, it locks the account out on the first failed attempt. The AD policy is lockout after three attempts. Is there a way to fix this issue so the account is not locked out with only one failed attempt? I see options for local password policies in ACS but nothing for the identity store. For what it's worth, this also happened with the ACS 4.X deployment before we moved to ACS 5.3.
View 17 Replies
May 9, 2011
We currently have 4x ACS 4.1(1) build 23, Windows-based, and we are going to migrate to ACS 5.2 appliance 11211. The first pair we are using simply for local authentication for multiple-vendor firewalls and routers, with one custom RADIUS vendor-specific attribute, with now shell exec. The second pair we are using for wireless client authentication through AD, with dynamic mapping.
In order to migrate, what would be the most suitable migration path: to use the Migration utility, or to export those ACS objects and import them into the new ACS 5.2?
View 1 Replies
Mar 1, 2011
I have installed Cisco ACS 4.2 on a server running Windows 2003 Server, and this server is a member server of the domain. The ACS is working with a Wireless Platform 4400 and authenticating the wireless users using PEAP and digital certificates. But now, the Windows platform will be upgraded to Windows 2008. My doubts are the following:
1. Will the ACS running on a Windows 2003 server authenticate users in the new Windows 2008 domain?
2. At the beginning, the ACS and the Windows domain were 2003. Now with the change of the version of the Windows domain, what happens with the configuration of the ACS server as a member server? Do I need to reconfigure the member server configuration in the ACS server?
View 4 Replies
Jul 18, 2012
Does Cisco provide updates for the underlying Windows server in the ACS SE 1113? Patch updates are available for ACS 4.2, but how can we update the underlying Windows server? Are the patches for ACS enough to secure the underlying Windows server?
View 4 Replies
Nov 4, 2012
We have some users who use AnyConnect regularly; the tunnel is terminated on a 5520 ASA. The tunnel group is currently set up to send RADIUS AAA requests to the ACS server, which in turn is set up to query Active Directory. This is working perfectly for all AnyConnect users except for one person. Authentication worked fine for this person as well before we switched from an old Steel Belted Radius server that used to be doing basically the same thing: it handled the RADIUS requests but did a lookup into Active Directory. So that part of it has not changed. So now when this user tries to log in he gets these Windows event logs.
Date : 11/02/2012
Time : 21:13:39
Type : Information
[code].....
I've looked through the ASA configuration and it is using a valid certificate and everything, signed by GoDaddy etc. It won't let me look at the certificate authority configuration because it says it can't be configured when in a failover pair. I don't really think the problem is at the ASA at this point, because all other users are authenticating correctly (and so was this user before switching to ACS). Also, in the ACS logs it says the user used the wrong password and that is why authentication is failing, but they are using the correct password. So now I am looking into issues with the user's account in particular. Something that I think may be worth noting is that this user has a very large access token (one of the largest in the entire organization), belonging to over 98 groups (not including all the sub groups). I'm wondering if having a very large access token could be throwing ACS off for some reason.
View 3 Replies
Nov 29, 2011
I have a problem when I try to install ACS 4.2 on Server 2003 R2. When I start the ACS setup, I receive an error message saying:
View 6 Replies
Jan 9, 2012
We use a combination of Cisco ACS and Cisco Catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grant access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated, and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate; Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
View 4 Replies
May 8, 2011
We are in the early stages of moving our Domain Controllers from 2003 to 2008 R2. The remote agents are running on 2003 Domain Controllers. According to Cisco documentation, I can move the agent to a Windows 2003 member server and then upgrade to 2008 R2 Domain Controllers.
View 4 Replies
Nov 15, 2011
I have done an ADSSO config, following all the steps in the guide with the specific steps for Windows 7 to modify the krb.txt and the strattomcat. I restart services and activate the "Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos)" option on the NAM. Then the ADSSO service starts on the NAS. I modify the local policy according to the guide, allowing all encryption except the one for future use. Then the NAC client says "User unknown, contact your network administrator".
View 3 Replies
Jan 2, 2011
Recently I've been working with the ACS 5.2 (installed on VMware). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA. Because some of my customers use Win Server 2008, I changed the AD platform to Win Server 2008 Enterprise edition (x64). I don't really have great experience with Win Server platforms and, from what I've seen, the Win Server 2003 services deployment is easier than the Win Server 2008 one is.
So, when I used the Win Server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD, the ACS and the server get synchronized, but when I want to add the groups for authentication purposes there is none, absolutely nothing, so I cannot do any test. I also looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms, and in the end the platforms are compatible.
View 13 Replies
Aug 5, 2012
I am using ACS 5.3. I have successfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name, because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication succeeded.
I started doing some failure testing, so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store in the Disconnected state. I then went to my Windows 7 laptop, disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and a 5508 WLC. The WLAN Session Timeout was set to 30 minutes. So even with the AD disconnected, every 30 minutes the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing: every 2 hours 10 minutes, a successful EAP-TLS authentication. I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?
View 7 Replies
Apr 8, 2009
The ACS can authenticate people using the local database; it can also authenticate a single user (using the Windows database) if you are fast after the service is restarted. However, after a few seconds it fails to authenticate any users, and the error we are seeing in the logs appears as authentication failure type: internal error. Also in the log files, the authentication request from the user does not appear in the correct group; it is thrown into the default group.
View 7 Replies
Dec 13, 2012
I'm having an issue when configuring the Cisco ACS 5.2 appliance 1121 to integrate Windows 2000 Active Directory as an External Users Database. I'm using an account with administrator privileges on AD (can create computer objects). The ACS registers itself successfully to the domain, but it doesn't retrieve the AD groups, even when I change the search base and filter. This link says that ACS supports AD on Windows 2003, 2008 and 2008 R2, but it doesn't say that it does not support Windows 2000. [URL]
View 2 Replies
Sep 26, 2010
We are still running ACS 4.1 on a Windows 2003 server. We recently upgraded AD to 2008, although the domain and forest functional levels are still 2003. After the AD upgrade we are now unable to authenticate via the ACS Windows Database.
View 13 Replies
Jul 17, 2012
We are having difficulties installing the remote agent on a Windows 2008 R2 64-bit server and got the attached error.
Our ACS is 4.2.0.124 and the remote agents we tried are: Remote-Agent-ACSse-win-v4.2.1.15-K9.zip and Acs-4.2.1.15.9-RA.zip.
[code]...
View 3 Replies
Apr 6, 2011
I have a Win 2008 server as DC, and I have installed ACS 4.2 on a member server (Win 2003), but it doesn't work. How do I make this work?
View 6 Replies
Jun 7, 2011
The problem is that I had configured the ACS appliance with a remote agent to integrate with Microsoft Active Directory, and I installed that agent on one of our domain controllers, and it is working fine.
When I installed another agent on another domain controller and added it to the ACS server, it appeared that the remote authentication service is working on it, but when I try to make the new agent the primary and the old one the secondary from the External database configuration, all the domain users authenticate, but only to one group, which is configured in the Unknown User Policy. It appears that it can't read any more groups from Active Directory.
View 2 Replies
Feb 24, 2013
We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server. Starting from today, ACS fails to authenticate users. Using the same external user (andrea-meconi) I can verify successful and failed authentication. This is the AUTH.log for a generic RADIUS request...
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting
[Code].....
View 1 Replies
Jun 6, 2011
I am running ACS 4.2 on Windows 2003 and for some reason I need to rename the server name?
View 1 Replies
Jul 17, 2012
Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again, and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1. All logs indicate successful compliance and no errors in terms of compliance.
View 33 Replies
Apr 22, 2011
I have installed a system (Windows Server 2003), configured Active Directory for testing and configured one user under it (TEST01). Now on the same machine I have installed Cisco ACS 4.2. I'm trying to authenticate TEST01 using ACS but it's not working; I can't even see the logs under Event Viewer. It should be simple and easy to configure since both AD and ACS are on the same machine.
View 4 Replies
Oct 5, 2012
We have a Cisco ACS 5.2 deployment (appliance). It has an existing integration with Active Directory. We utilize this with RADIUS to authenticate our wireless users and TACACS for managing our network equipment. The RADIUS reports are useful for other teams (outside my own) to be able to troubleshoot password and account lockouts (everyone forgets to change the password on their phone). I would like to allow this team and others access to view the RADIUS authentications report.
View 2 Replies
Feb 6, 2012
We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2. We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button, saw the Proxy Distribution Table, clicked (Default), and moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
View 2 Replies
Jun 6, 2011
I'm installing ACS 4.2 in our lab domain and want to leverage the corporate domain for authentication. The one-way trust is in place, but there is a facet that I'm not clear on in regards to the installation requirement.
I'd like to install ACS on a lab domain member server, but I'm not sure that will work. The installation docs seem to imply that a member server must be in the same domain as the authentication server, but it's not very clear. If I want to use the one-way trust to the corporate domain, am I required to install ACS on the domain controller of the lab domain?
View 3 Replies