Cisco AAA/Identity/Nac :: ACS 5.2 - AD Integrate With Single Domain Name With Multiple ADs
Sep 3, 2011
We having ACS version 5.2 0.26 with Active/Standby. We need to integrate active directory with ACS. Domain name given by Server team was as xyzcompy.local. When I tried to resolve the same domain name I got five servers ip address against the same domain name. however we given the ip reachability to only for two servers. We we try to save we get error saying that "Can not resolve the network address".
So my questions are;
- does ACS should have ip reachaibility to all five servers
- does the username/password we entered in the ACS should have domain admin rights?.
- the given AD is configured with windows NTP [URL] but when we configured ACS as windows NTP it was taking local server as active NTP..?
When we check the ACS logs, we saw the following error;
in acsLocalStore:
AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],
in ACSADAgent;
32484]: INFO dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local
Sep 4 12:43:20 acs01-cc4 adjoin[32484]: INFO cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.
I attached some screen print which saw the error and output of nslookup for the domain name.
I have a question. What is the requirement of integrate ACS 4.2 Appliance and AD about CA server? it has to be windows 2003 server enterprice o windows 2008 enterprice? or it can be windows 2003 and 2008 stand alone? another question is about multi domain, i have domain father and children. the installation of CA Server is in domain father to enable 802.1x with AD with all domain children integrate? or I can be install the CA server in the server of domain children and is it work (CA server installed in server in domain child and it working all domains child and father)?
I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains. (domain1, domain2, domain3) We currently have to specify which domain each user belongs to (ie, domain1user) in order to connect. We would like to only have to enter the user name without the prefix, (ie, user1) and have ACS automatically check each domain for a match. Is this possible with ACS 5.2? I seem to remember this was possible with ACS 4.2.
I have multiple campuses and a Central Admin...I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins... (ie..a Cisco WCS System) How do I allow a device to be put into multiple NDG groups?
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
Am trying to understand how we can have multiple IP addresses on a single NIC and what are the restrictions on the same. If i can have two IPs from two different networks present on a single NIC, then why would i ever get a new NIC?
Also, i want to understand the concept of virtual IP and how it fits into this picture.
I have an older DELL power edge 2800. Currently we have 2 NIC's one for the WAN one for the LAN. I wish to increase my users access speed. Can I team and or bond up to Four NIC's on the LAN side and leave the single NIC for the WAN? I am having trouble finding any info on the net for pulling this off. I have 67 users and throughput is getting a little rough.
I need to put a few cameras, without a server, on a static WAN ip address. Do I just assign them a static LAN ip address(for example 192.168.1.200), make sure the port they use is open, then type the WAN static ip address then colon and the last address? Like this.....I'm making up the WAN address....45.34.55.334:200
some of the servers are not pinging from one switch but they are pingable from other redundant distribution switch. So I took the IP addresses from the redundant switch, with that I found MAC addresses from the access switch.But when I tried to see to which ports these MAC are addresses are connected to, multiple MAC addresses are resolving to the same switchport. like 5 MAC's are showing to 1 port and other 3 MAC's are showing to other port, like this there are many. All these MAC's belong to virtual servers.
I just want to keep one PC as a server and one switch connect to it (For LAN). I want to connect multiple client/screen to that server, so I can use single servers for multiple screen/client.(Client machine will not have any CPU, they will utilize servers memory.)
I currently have mutiple computers at my place. Once the computer turned on i want the option of which login for the current computer to use, it can login it current computer or the mutiples computer with their content/data all inside. So more like an computer linked. Example, it can only to A or B, A is the current computer data, while B have all the data of the different computer monitor datas, and if i login B it will show that current computer info. And same goes to the B computer, i can login to A or B on the B computer. What makes this very good is that, both the computer logins are sort of connected, for example if im on actual computer A, but logined to computer B and downloaded/changed some files/data on the B login, once i login on computer B to login B, the changes will apply even tho the changes are done in computer A.
Redirecting a Domain to a IP:Port I host game servers for friends and strangers alike, but i'd like to make it easier for them all and give them dedicated IPs. Right now I include domain redirecting, but to connect to their server, they have to put in "example.com:xxxxx", x meaning their servers dedicated port. Is there any way that I can redirect a domain directly to "IP:Port"?
I have Cisco L3 3560G switch which directly connected with router . i have configured Vlan 2,3 on the switch and assign port 2 & 3 respectably. I want to management both vlan 2 & 3 from from L3 port g0/10 .
I am Implementing Cisco IP Routing (CCNP ROUTE FLG) book and right now I am reviewing IPv6 chapter. This part of OSPFv3 multiple instances over a single physical interface caught my attention
I have 2 gateway over my network provider to connect to internet.like Gateway1="1.1.1.2" and Gateway2 = "1.1.1.3".but i have only one network adapter with one wire.now i want program to create "Virtual Network adapter" assigned to my real network adapter to set secondary Gateway to it, and use it by "ForceBindip".
I have a i-ball 150M wireless-N ADSL2+ Router device in that , in the NAT tab, i have activated DMZ at my static ip with a private address 192.168.1.224 , so that that ip enabled device can be access to anywhere in public network.I want that using this single static ip , How to configure two private address devices in DMZ, so that both of ip enabled devices can be access in public network.
Our work building currently has 2 separate DSL lines feeding into it, one on each end of the building. The reason for two lines was so each one would have its own bandwidth, thereby supporting more simultaneous users. There is a router connected to the DSL jack at each end of the building, broadcasting its own wireless network: let's call them Work 1 and Work 2.Is there any way for me to connect the Work 1 and Work 2 wireless networks, so that they appear to the end user as one contiguous network?
I recently bought SG-300 28P to create the VLAN. My network hs 3 subnet 192.168.1.0, 192.168.2.0 and 192.168.3.0.My main net work is 192.168.1.0. I want to divide it to VLAN to eliminate the boardcast storm; especially from the domain 192.168.3.0
But I want all the devices from 192.168.1.0 to access other subnet.
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working - Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2. - Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address. - Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
I have a Failover pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
I have a FTP server at my local network and i have natted the private IP with my Public IP using default FTP Port ( 21) , now i have created Diffrent FTP Account in my server using port 2121 and i am able to login using the private IP with port 2121 , now i want to nat with my public IP with port 2121 and i failed,
1) 125.x.x.x --------- 10.10.1.x : 21 ( Able to access from external network)
2) 125.x.x.x ---------- 10.10.1.x : 2121 ( not able to login from external network and able to login internally )
We are migrating from a nother brand to an ASA Cluster running 8.4.5
We have a web-server on an inside interface listening on a non standard port - 20111. We have created a static NAT translating the public ip to the private, so If I do http://public-ip:20111 it works. (we are using a seperate public IP for this service only).
Now I need to create a NAT rule that will forward requests on BOTH port 80 and 443 to the same private ip and the same port number (20111)
The Private address is 10.99.250.20 and the "public" (I've replaced it in this example) is 172.16.16.16 I have managed to create a NAT that will translate 443 to 20111:
I have a Fail over pair of ASA5550's running ASDM 6.2(5) and ASA 8.2(2). Originally they were setup with 2 context's and an admin context but one of the contexts has now been removed. I would like to now migrate to single mode before I go about patching them to the latest software.
I have two 1142n LWP ap converted into standalone, as client doesn't have any controller there. They just want to extend their network via wireless.
L3 switch (trunk port gig 1/48) -----> connected to AP1 L3 switch (trunk port 2/48) -----------> connected to AP2
client is looking for 3 vlans on the floor ( users might multiple vlans might associated same AP ). They have a dedicated DHCP/DNS server and he will be configuring 3 vlans on L3 switch with correct ip helper address on SVI interfaces.
I'm i allowed to created 3 SSID's on 1142n standalone AP ?
What would the various optiosn to achieve this requirement ? Is there any simplest way to achieve this ? Do i need to go for 802.1x ? I remember client told their users are authenticating by using AD for wired network. This is their first request for wireless environment
I read from this forum some discussion about the WLC VLAN Select feature. [URL]. I see that you can use this feature to have multiple VLANS (interfaces) to map to the same WLAN (SSID).
What I try to learn is under what scenarios would people need to have mutliple vlan mapped to single SSID?
In my environment, I have 50+ AP int he campus on 20+ Cisco 4500 switches. I have single WLAN and it is mapped to one subnet. All wireless users would be on that subnets, whereas wired users are on 20+ subnets of their own.
We are in the process of installing time clocks at some of our sites around the USA. Our security department has asked that the time clocks be completely isolated from the rest of the network. The time clocks will be administered by ADP via a centralized firewall utilizing NAT. We have multiple subnets available at each site. Let me give an example to calrify what I would like to do. Example: Site A has 10.168.19.0 /24 user subnet and is configured for VLAN1 using 10.168.19.1 on the router as the default gateway. I would like to use subnet 10.168.20.0 /24 for the time clocks, configure it for VLAN2 and use 10.168.20.1 as the router gateway address for VLAN2. This should allow me to NAT one of our additional public IP addresses to the 10.168.20.1 gateway address thus completely isolating the time clocks from the remainder of the network. Problem is I have not done this before so I'm a little confused about how to configure it in the Cisco 3750 switches.
setting up a simple internet plan for a place, but a LAN center needs crazy fast internet, faster than most large enterprise class offices that take up an entire floor or two. Otherwise there is too much lag in games like first person shooters. We are expecting to have 60 computers, plus people bringing their own gaming rigs from home and laptops as well, xbox, ps3 and other consoles, all accessing the internet at the same time to varying degrees, with no room for lag. There is a LAN center in california that has 200 or more computers and they pay for 9 t3 lines, which is thousands and thousands of dollars per month. Plus the initial equipment to set that up from what I can find on cdw is many thousands of dollars also. Something like 10,000 for a router with 4 expansion bays, and 4000-6000 dollars for a t3 expansion card, bringing the total to around 22-28,000 for equipment to do just 4 t3's. Plus the monthly cost. Since we don't need all of the traffic to be secured like a high end business class line like a t3, I was considering what it would be like, and how one would set up, having multiple cable internet lines coming in. They make cable wic cards for cisco routers. 4, 50meg cable lines would give us 200 down and 40 up but I don't know how to make that work without having multiple public ip's. I was thinking that if I did have multiple public ip's on the network I could just divide the computers up so that they are in groups, using all of the public ip addresses for gateways, so that the load is split pretty evenly, but still, there should be a more seamless way to do this, I just don't know what it is. At the rate for business cable internet, 4 lines would probably only cost around 700 dollars a month, which is much better than probably 5 grand a month for several t3 lines.
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.
