Cisco AAA/Identity/Nac :: ACS 4.2 Appliance Integrate Multi Domain

Sep 1, 2011

I have a question. What is the requirement for integrating the ACS 4.2 Appliance and AD regarding the CA server? Does it have to be Windows 2003 Server Enterprise or Windows 2008 Enterprise, or can it be Windows 2003 and 2008 standalone? Another question is about multi-domain: I have a parent domain and child domains. Does the CA server have to be installed in the parent domain to enable 802.1x with AD with all child domains integrated? Or can I install the CA server on a server in a child domain, and will it work (CA server installed on a server in a child domain and working for all domains, child and parent)?




Cisco AAA/Identity/Nac :: ACS 5.2 - AD Integrate With Single Domain Name With Multiple ADs

Sep 3, 2011

We have ACS version 5.2 0.26 with Active/Standby. We need to integrate Active Directory with ACS. The domain name given by the server team was xyzcompy.local. When I tried to resolve the domain name, I got five server IP addresses for the same domain name. However, we have given IP reachability to only two servers. When we try to save, we get an error saying "Can not resolve the network address".
 
So my questions are;

- Should ACS have IP reachability to all five servers?

- Should the username/password we entered in ACS have domain admin rights?

- The given AD is configured with Windows NTP [URL], but when we configured ACS with the Windows NTP it was taking the local server as the active NTP?
 
When we check the ACS logs, we saw the following error;

in acsLocalStore:
AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],
in ACSADAgent;
32484]: INFO  dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local
Sep  4 12:43:20 acs01-cc4 adjoin[32484]: INFO  cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.
 
I attached some screen prints which show the error and the output of nslookup for the domain name.


AAA/Identity/Nac :: ACS 5.2 - Joining Multi-DC Domain

Dec 21, 2010

I've just installed two ACS 5.2 appliances and I'm trying to get them to join my domain. I've set up an account that has the relevant permissions (I tested the account on a laptop and it can join the machine to the domain).
 
The ACS keeps coming back with an invalid credentials to join the domain error despite the fact that I know the user in question has the correct permissions.
 
I have a suspicion that the problem is related to how the ACS handles the Active Directory Domain, we have a large domain that spans several domain controllers. The DNS server uses round robin DNS to serve a different DC's IP each time, however a typical windows laptop is aware of what controllers it's allowed to use whereas the ACS box doesn't appear to be.
 
The ACS servers are located in a network in the UK that is only allowed to talk to 2/6 DC's and I have no way of controlling what IP appears when the ACS tries to join the domain due to the round robin DNS.
 
Is there any way to get around this? Or any way to hard code a specific DC for the server to connect to? Even being able to add the DNS manually to a hosts file would work.


Cisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain

Dec 28, 2011

I have a question with regard to setting up the ID firewall on the ASA 5585 in a single-forest, multiple-domain Windows network. Currently I have a semi-operational IDF at the top level but can't find users on the other, lower domains. Here is the setup: I have 3 domains.

[URL]
 
Both domains have a two-way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller, configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search LDAP on domain 2, to no avail.

The Cisco documentation states the following:

• Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine).

Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.

Reading that, it sounds like it should just work.
I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top-level DC and get it to communicate with the lower-level domains.


Cisco AAA/Identity/Nac :: Unable To SSH To ACS 4.2.0.124 SE Appliance

Feb 20, 2010

I could not SSH to the ACS SE appliance. Why can't I, when I can on another ACS SE?
 
Note that I can ping the ACS SE after disabling the CSA, so network connectivity is OK.
 
Cisco Secure ACS: 4.2.0.124.


Cisco AAA/Identity/Nac :: Secure ACS 5.2 Appliance To Use Or Not To Use UCP

Nov 16, 2011

All users are located in the local identity store. So - assume I do not implement ACS but I do turn on password expiration after 60 or 90 days. When a user whose password is about to expire attempts to authenticate against ACS 5.2, will they be notified that their password is about to expire? Also, when a user attempts to authenticate but their password expired yesterday, will they be prompted to change it and, if so, how will that prompt to change it be presented?


Cisco AAA/Identity/Nac :: ACS 5.2 Multi Forest AD Integration?

Aug 24, 2011

Domain A (Forest 1) <--Two Way Trust--> Domain B (Forest 2)
 
ACS is joined to domain A.
 
My question: is AD integration (not LDAP) supported between 2 domains in different forests?


Cisco AAA/Identity/Nac :: Re-image NAC-3315 Appliance To ISE

Mar 29, 2012

My site got the NAC-3315 appliance and we would like to reimage this appliance to inline posture mode (for VPN purposes). What's the proper migration process to deal with this? Does the NAC-3315 hardware comply with the inline posture mode requirement?


Cisco AAA/Identity/Nac :: ACS 1121 Appliance Downgrade To 4.2.0.124

May 2, 2011

The newly shipped Cisco ACS appliance 1121 has been shipped with ACS version 5.0. I need to downgrade to ACS version 4.2.0. I could not see a recovery CD or DVD for ACS 4.2 along with the shipment. Is the ACS 1121 appliance compatible with ACS version 4.2.0?
 
My ACS BOM details
CSACS-1121-K9
ACS 1121 Appliance With  5.1 SW And Base license

[code]....


Cisco AAA/Identity/Nac :: Configure ACS 5.1 Appliance To Connect To AD

Jun 18, 2011

This is a new installation. I configured the ACS to connect to the AD to authenticate users and retrieve the user information for group mapping using the following steps. Go to Users and Identity Stores > External Identity Stores > Active Directory, and enter the domain name and provide a username/password that will allow it to connect to the domain. Next, click on the Test Connection button to validate joining the domain.
The test connection succeeded. But when I click Save Changes, I get an error.


Cisco AAA/Identity/Nac :: Licensing On C1121 ACS Appliance

Feb 13, 2012

01. I have one customer unit, a C1121 ACS system shipped with version 5.1. The customer bought the base license and large deployment license along with the purchase.
 
02. The fact is I have manually upgraded the system to version 5.3.0.40 and applied a trial license to it for administering the appliance.
 
a. If I now use the purchased base license and large deployment PAK to activate the system, would it still be valid for me to continue using version 5.3.0.40?


Cisco AAA/Identity/Nac :: Expanding NIC On 3315 NAC / ISE Appliance

May 2, 2013

Is it possible to add another NIC to the Cisco 3315 NAC appliance? It ships with four Ethernet interfaces, but I would like to add at least 1 extra interface, i.e. a PCI card, if possible.


Cisco AAA/Identity/Nac :: Up-gradation ACS 4.2.0.124.16 On Appliance 1113 To ACS 4.2.1.15

Jun 21, 2012

We have the software below, in the order to install one by one on the appliance 1113.

1)ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip
(Appliance Management package)

2)ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip
(ACS Software package)

3)applAcs_4.2.1.15.8.zip
(ACS SE 4.2.1.15.8 cumulative patch)
 
How do we take it forward to upgrade with a step-by-step procedure? (Is it the same, like using TFTP to transfer these packages to the appliance, or a different method?) (We are using a Windows XP system.)


Cisco AAA/Identity/Nac :: Migration ACS 5 Appliance To ACS 5.1 Vmware

Jun 7, 2011

I'm having problems migrating the ACS 5.1 hardware to ACS 5.1 VMware. In my infrastructure I have an appliance with ACS 5.1 and I need to migrate to VMware to do HA. I installed VMware as per the Cisco ACS recommendations. I made a backup of the ACS hardware and copied it to the local disk of the VMware ACS.
 
When I start the restore process, after a few minutes an error occurs:
 
UMA/admin# dir
Directory of disk:/
    33293306 Jun 08 2011 16:51:38  bkp-production-110608-1433.tar.gpg
       5862 Nov 07 2009 01:06:32  favicon.ico.1
      16384 Jun 06 2011 17:54:34  lost+found/
[Code]....


Cisco AAA/Identity/Nac :: ISE 3355 Appliance Use Of Both GigE Ports

Apr 12, 2013

I am setting up six ISE 3355 appliances, 3 in one datacenter and 3 in another. They have just installed a new server farm infrastructure using Nexus 5596 and Nexus 2248TP top-of-rack switches. I have been looking for documentation on how to do NIC teaming on the 3355, or some way to connect Gig0 to FEX101 and Gig1 to FEX102. Or do I just set up a port channel using LACP between the two different FEX groups?


Cisco AAA/Identity/Nac :: Disable Telnet To ACS Appliance 4.2 1113 SE?

Aug 12, 2010

How do we disable telnet to the ACS appliance 4.2 1113 SE?


Cisco AAA/Identity/Nac :: Unable To Upload Patch To ACS 5.2 Appliance?

Jul 21, 2011

I'm trying to upload the 5-2-0-26-4.tar.gpg patch to our ACS and so far have been unsuccessful. I keep getting the "please verify the patch bundle is valid" message.
 
When I download the 5-2-0-26-4.tar.gpg file, for some reason the download always comes down from Cisco as 5-2-0-26-4.tar.tar. I've renamed the file to 5-2-0-26-4.tar.gpg and verified the MD5.


Cisco AAA/Identity/Nac :: Unable To Register A Secondary ACS 5.2 Appliance

Dec 6, 2011

I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
 
This System Failure occurred:  Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
 
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.


Cisco AAA/Identity/Nac :: Running An Inventory For ACS 1113 Appliance

Mar 23, 2011

I want to gather an inventory of all devices that shows the AAA client name, IP addresses, authentication method and key under my Network Configuration on my ACS appliance. Is there a report to run on it that will show this, or is it something that has to be done manually?


Cisco AAA/Identity/Nac :: Add SNMP Server IP And Community In ACS 3.2 Appliance

May 23, 2012

How do I add an SNMP server IP and community in the ACS 3.2 appliance?


Cisco AAA/Identity/Nac :: ACS 5.0 On 1120 Appliance Stopped Booting

May 10, 2012

I have an ACS 5.0 running on a Cisco 1120 appliance. It has worked for 2 years. Suddenly, I discovered that users can no longer log in with their credentials. On close examination, when I console in, the booting does not complete. Screenshot attached.


Cisco AAA/Identity/Nac :: ACS 5.3 Appliance - Service Rules Missing

Sep 25, 2012

This does seem correct.  I had 2 rules and now they are gone.


Cisco AAA/Identity/Nac :: Secure ACS 5.2 Appliance - High Availability

Sep 1, 2011

I just want to know: if I need to support High Availability on the Cisco Secure ACS 5.1 appliance, will the base license suffice or do I need to buy the Security Group Access System License/Large Deployment License? Again, do we require a license for each appliance or is just one enough?

I suppose the licensing rules are the same for the VMware version also.


Cisco AAA/Identity/Nac :: Windows Remote Agent For ACS 4.2 Appliance?

Jun 7, 2011

The problem is that I had configured the ACS appliance with a remote agent to integrate with Microsoft Active Directory, and I installed that agent on one of our domain controllers and it is working fine.
 
When I installed another agent on another domain controller and added it to the ACS server, it appeared that the remote authentication service was working on it, but when I try to make the new agent the primary and the old one the secondary from External Database configuration, all the domain users are authenticated but only to the one group which is configured in Unknown User Policy. It appears that it can't read any more groups from Active Directory.


AAA/Identity/Nac :: ACS 4.2 Authenticating 4710 ACE Appliance Failed

May 5, 2011

I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
 
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
 
Recently we bought a Cisco 4710 ACE appliance. When I use the ACS4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, and there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
 
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
 
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
  server xx.xx.xx.xx
 
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin


Cisco AAA/Identity/Nac :: Test EAP TLS Authentication On ACS 4.2.1.15 Running On Appliance 1120

May 2, 2011

I am trying to test EAP_TLS authentication on ACS 4.2.1.15 running on Appliance 1120. I have installed my server certificate along with the CA certificate on my appliance box. I have enabled the EAP_TLS features under global authentication setup.
 
I have downloaded the client supplicant certificate file for my Windows XP machine. When I tried to authenticate, I found the following error message under failed attempts (EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my ACS appliance box. Under certificate revocation list, I have forced my CA as CRL in use. Attached is a snapshot of all of it.


Cisco AAA/Identity/Nac :: Required Patch For ACS Appliance 1120 Version 4.2.15.3

May 4, 2011

I need the URL for patch 4.2.1.15.3 that is compatible with the Cisco ACS appliance 1120. Though it's for the appliance, the patch should come along with the webserver. I have downloaded the SE patch; it's not compatible with this hardware.


Cisco AAA/Identity/Nac :: ACS Server 5-2 Appliance Gentle Shutdown Method?

Mar 29, 2011

I need to move our (secondary instance, version 5-2) ACS server to a different server rack and I have not been able to find a gentle way to shut down the appliance (not the windows version).  Does one exist or is it just the power button/cord?


AAA/Identity/Nac :: Upgrade From 5.1 To 5.2 By Having Smartnet On 1120 Secure ACS Appliance?

Mar 13, 2011

Am I entitled to upgrade from 5.1 to 5.2 by having Smartnet on my 1120 Secure ACS Appliance?


AAA/Identity/Nac :: Windows ACS 4.2.0 Backup Database On 1120 Appliance 4.2.1.15?

Apr 26, 2011

I am running Windows-based ACS 3.3 in my LAN environment, which is going to be replaced with an ACS 1120 appliance running ACS 4.2.1.15. The ACS 3.3 database has been built up to 4.2.0.124 step by step through the upgrade process:
 
1) acs 3.3.3.14---> 4.1.1.24
2) acs 4.1.1.24 ----> 4.2.0.124 .
 
Now my database is a 4.2.0.124 dmp file. I cannot upgrade my database to 4.2.1.15 because the 4.2.1.15 patch is not applicable and executable on the 90-day evaluation package of 4.2.0.124 on the Windows platform.
 
Can I import my Windows-based 4.2.0.124 database directly to my ACS appliance running 4.2.1.15.3? Or does it require any step to modify the Windows-based database to match the appliance Windows version?
 
I could see on appliance under restore settings the following options (restore from 4.2.0 backup file to acs 4.2.1)


Cisco AAA/Identity/Nac :: Unable To Access CS ACS 1113 Appliance After Enabling HTTPs

Nov 2, 2011

I've recently installed a certificate on my ACS 1113 appliance and in the Admin setup enabled management access over HTTPS. Since then I've not been able to access the GUI console. I have done some troubleshooting and I'm fairly certain that I have a certificate issue, as Firefox gives me the error: Certificate type not approved for application. (Error code: sec_error_inadequate_cert_type) when I try to connect. So I want to either reconfigure the management access to use just HTTP or remove the certificate. I have logged on to the serial console and there are no options here to do this. The RADIUS and TACACS functions are working correctly - I just can't log on via the GUI.


AAA/Identity/Nac :: SSL Certificate Installation On Acs Appliance 1120 For PEAP Clients

Apr 18, 2011

I need this SSL certificate installation on my ACS appliance 1120 for PEAP clients. I have exported the SSL server certificate from my old ACS 3.3 server, which is under the acscertstore folder and was issued by the CA vendor. I need to reuse this same SSL certificate on my ACS appliance. The ACS appliance certificate setup requires the following two certificates to be installed for PEAP client authentication:

1) Server Certificate

2) CA certificate
 
Server certificate: For the server certificate, I have my old certificate which was exported from my old ACS 3.3 server. When I tried to download my server certificate via FTP server to my ACS appliance, it looked for the private key and private key file. The private key and file were generated initially on the CSR request when this server certificate was requested from the CA vendor for my old ACS 3.3. I don't know the private key password. If I need the private key and file, then I need to generate a new CSR from my ACS appliance and submit this CSR output to my CA vendor to generate a new SSL server certificate, which is something like a new server certificate request.

CA certificate: For the CA certificate, when I open my existing SSL certificate, under the Details tab in CRL distribution point I can see the URL below. When I open this URL it gives the certificate revocation list. [1]CRL Distribution Point.


Cisco AAA/Identity/Nac :: ISE-3315 / Procedure To Join ISE Appliance Become Inline Posture Node

Oct 17, 2012

I would like to ask: given that I have 2 units of the ISE-3315 appliance, one needs to be the primary node for admin/policy service/monitoring, and the other unit then becomes the inline posture node. For the preparation of the inline posture node, what should I do on it?
 
01. For the unit that is to become the inline posture node, do I just boot it, install the OS from scratch (using version 1.1.1), then start the initial setup etc., like a normal setup?
 
02. Before I register, what deployment node type should I select for the inline posture node unit, given that the admin/policy service/monitoring unit will become the primary node and registration of the inline posture node will be the next action?








Copyrights 2005-15 www.BigResource.com, All rights reserved