Cisco AAA/Identity/Nac :: ACS 5.2 AD Trust To Other Domains?
Jan 27, 2011
We are trying to set up ACS 5.2 in our multi-forest AD environment. As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu). It connects properly and I can see the directory groups in that tab when we Select. This domain (a.b.edu) has a two way trust with another domain in another forest (x.y.b.edu). However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free text Group Name.
The documentation is not clear on this point: Page 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2" says: "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up. This seems to be what is happening.
Aug 9, 2012
I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
Jan 11, 2012
I am wondering if having a Nexus 7K is mandatory to implement SGACLs within a TrustSec Infrastructure deployment or having a Nexus 5500 could be enough?
Jan 7, 2013
Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?
May 25, 2011
I'm looking to implement ACS 5.2 using 802.1X, we have two separate AD domains. A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
Feb 26, 2013
How to trust the transit CoS value on ASR1013?
Tried so:
Router# configure terminal
Router(config)# interface gigabitethernet 0/0/0.1
Router(config-subif)# encapsulation dot1Q 1 native
Router(config-subif)# plim qos input map cos enable
But not worked.
Traffic path without ASR:
Server --> DLink 3526_1 --> Cisco 3750 --> Cisco 7606 vrf VoIP --> DLnk 3526_2 --> Client
DLink 3526_1 sets the CoS = 5
Client receives CoS = 5
If we add ASR1013:
Server --> DLink 3526_1 --> Cisco 3750 --> Cisco 7606 vrf VoIP --> Cisco ASR1013 --> Cisco 7600 global --> DLink 3526_2 - Client
DLink 3526_1 sets the CoS = 5
Client receives CoS = 0
May 8, 2012
I have a question which I am unsure of. On the 6500 I know I can set mls qos trust to cos or dscp. Since I don't have any trunks configured on that switch that I want to trust cos, most of my ports trust dscp instead. The question is will packets coming in or going out at L3 with the TOS bits set get placed in the correct in/out queue. For example if a packet comes in on a port with a mls qos trust dscp and has the TOS set to XX will this XX get mapped to the correct COS value based on the default dscp to cos map and end up going out the correct queue which handles that specific COS number?
I mainly asked this because I saw the following on the Cisco site and again I am using dscp trust and not cos.
Weighted Round Robin (WRR), Deficit Weighted Round Robin (DWRR) and Shaped Round Robin (SRR). WRED and all the Round Robin scheduling options use the priority tag (CoS) inside an Ethernet frame to provide enhanced buffer management and outbound scheduling.
Jan 25, 2013
I applied command "auto qos voip trust" to the uplink interface. But I found that the interface shown command "auto qos trust" was applied when I show running-config. Could the command "auto qos voip trust" show in the configuration after I applied? If not, how can I check the interface that applied "auto qos voip trust"?
Sep 22, 2011
I have a problem with the command mls qos trust dscp, I used the IOS c2800nm-ipvoice_ivs-mz.124-25f.bin but I can not enable, don't show me the complete command in the interface Ethernet or Giga. I want to configure mls qos trust dscp.
Feb 13, 2013
I want to know what the default behavior about the command 'mls qos trust dscp' under router platform interface. The router is ASR1000 series. We don't need to put above command line to trust dscp in case of router? Otherwise, we have to add it as well as like switch platform.
Jul 4, 2012
I am reading through a QOS Document and they want me to trust the DSCP value from an IP phone (Siemens) but UN trust the PC DSCP value. How can I trust one thing but not the other? I am using a 2960 Cisco switch with IP base IOS.
Jan 8, 2013
I have Catalyst2950SI with IOS 12.1, connect a wifi-access-point to f1/1 (dot1q trunk port), and connect another L2SW to f1/2 (dot1q trunk port), and IP phone, MobileCamera connects to wifi-access-point. IP phone has dscp=40 value on its own packet, but MobileCamera doesn't have any dscp value or cos. Now, I wanna do QoS by that dscp, so I type as below,
interface 1/1
switchport mode trunk
mls qos trust dscp
interface 1/2
switchport mode trunk
mls qos trust cos
Aug 10, 2011
I have a computer connected to a domain trying to login and I got this error message "the trust relationship between this workstation and the primary domain failed"
Then I tried to login as local Administrator and after trying a few passwords get this error. Your account has been disabled.. please see your system administrator
Oct 7, 2012
We have QoS configured throughout the company, but the standard config we have applied across the 3750 switches only includes the below: We have IP phones (not cisco) attached that are marking with EF, and the PC is an untrusted end device (so needs to be by default marked as zero). Is the above enough to trust VOIP DSCP EF without resetting it to DSCP 0, or do I also need to add a trust line (i.e.: mls qos trust dscp)?
Aug 1, 2012
Are there any differences between the autoqos commands on a WS-C2960S switches (or in any other series)? Follow the commands:
- auto qos trust
- auto qos voip trust
I was checking the documentation on this link:
URL
And couldn't find any great difference between the two commands, as far as I could see they'll set the Ingress and Egress queues the same way.
Are there any differences between those two commands (auto qos trust and auto qos voip trust)? If so, when should I use one and the other?
Dec 24, 2012
I would like to know the possibility to use mls qos trust dscp with service-policy in the IOS ver.12.2(25)SEE2. The specific version is not possible to configure like below.
Cat3750(config-if)#do sh run int f1/0/1
Building configuration...
[code]....
Jul 30, 2012
When attempting to log in to a computer (running Windows 7 Professional) here at the office using the network administrator account, I get the error message: "The trust relationship between this workstation and the primary domain failed." I wasn't here when this laptop was set up, and so I don't know if any local user accounts were made or what their passwords would be if they were there, so I can't think of any way to log in to the machine and disconnect/reconnect to the domain which is really my only idea on how to fix it. Finding out what would cause this to suddenly start happening would also be nice, but mostly I just need to figure out how to get reconnected so I can get this back up and running.
Jun 20, 2012
I have some 2960 switches with LAN Lite IOS in my infrastructure. And I try to configure them to support "trust device cisco-phone" and "switchport priority extend cos 0" on ports with Cisco phones. But LAN Lite image does not support "mls qos trust device cisco-phone". Can I use any workaround to trust cos of Cisco phone and to remark PC traffic with cos 0?
Oct 17, 2012
My company bought another company and moved them into our building. The company moved in but are on an entirely different network all together. Wired separately, different domains. What I would like to do is be able to have them communicate with each other. Have users on company A be able to use printers on company B's side of the network.
Oct 27, 2011
I've just been testing QOS on 3560 with version 15.0(1) and it seems that the default qos trust behavior on access ports has changed. By default the trust state of a port is not to trust anything, however rather than rewriting the DSCP value of the incoming packets and setting it to 0 the switch now seems to leave the DSCP value unchanged.
SW04-C3560(config)# do sh mls qos int g0/2
GigabitEthernet0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
[Code]......
May 19, 2011
Need step by step instructions for setting up trust between two domains
Dec 22, 2012
I am creating a migration plan for our organization. I'm wondering, how many domain controllers people have, how many member servers and what they're used for?
Apr 5, 2011
How do I block specific domains (pandora.com, etc.) in the Sonicwall? It seems like this would happen in the CFS but do I need a subscription for this? I don't want to subscribe to Sonicwall's filtering list, I just want to block a couple specific domains.
Apr 4, 2012
My company have just set up a new subsidiary. I have had a request from my Managing Director asking if it is possible for us to share calendars with the other company so if he wants to make a meeting appointment he can check if Joe Bloggs from the subsidiary is free. There is domain A (parent company) and domain B (subsidiary). Both us and the subsidiary are currently running Microsoft Exchange 2007 on Windows SBS 2008 server with mainly Windows 7 clients with Outlook 2007-2010. Is it possible to share calendars between the 2 domains?
Feb 21, 2011
Is it possible for Windows 7 to host multiple domains? I have seen that it is available for plenty of other OSs and I am sure that it is. I just wanted to make sure.
Oct 27, 2011
join multiple domains in windows xp?
Mar 6, 2013
I've been tasked with designing a network consisting of 3 separate broadcast domains with each one representing a separate business across 3 separate floors. None of the companies should be able to communicate with each other. I've been told that the design should only represent the first 3 layers of the OSI model so I'm only looking at Cabling, Switching and Routing.
I don't expect you all to tell me exactly how I should do this, however I just need a starting point. My main issue is with routing. I'm aware that each port on a router represents a broadcast domain so if I use one router, 3 broadcast domains, does that mean that none of the domains will be able to communicate with each other? Should I use more than one router or can I get away with one? Also just so you are aware I've been told not to use VLANs and each broadcast domain must have its own IP address schema.
Dec 8, 2010
Does the LDAP authentication work across W2K3 Active Directory domains and multiple ASA5510 firewalls? Or do I need to setup another type of authentication? If I use another type of authentication can I get specific portals with special bookmarks based on login account?
Mar 13, 2012
The users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
Apr 9, 2012
I would like to configure few routings on my Cisco router 871 in order to allow my employees to have access only to specific websites. However, since some websites have dynamic IPs probably the route that I will create will not work.
My question is, can I configure a route or is there any other way to configure this permission based on the hostname/domain? For example, if I want to permit access to this website www.surveymonkey.com (75.98.93.51) instead of configuring:
ip route 75.98.93.51 255.255.255.255 192.168.10.250
is there any way to configure based on the url.. in order to be able to recognise this host correctly??
Aug 28, 2012
Currently, my company runs a DC and Exchange server in the building. It is also hosting our website with IIS7. All AD users currently have @company1.com.au email addresses. We have just started an off shoot company and would like to setup emails in Exchange so that we can automatically assign and manage emails on the same Exchange server. so that each user has What is the best way to do this? At the moment, company2.com - company is hosted outside with someone else. Is there a way that he can direct the mail to us so that he hosts the website but we host the email server?
Jan 31, 2012
I am trying to block certain domain, I used "domain" and "domain.com" in the forbidden domains, but when people access the website as https://domain.com the website loads perfect. Http is blocked however. I tried to block "https://domain.com", but that didn't work.
Nov 13, 2011
I have a customer with three rooms where the access layer aggregation switches are run back to.
Access Switch Stack A -> room 1 + room 2
Access Switch Stack B -> room 2 + room 3
Is it possible to have three Nexus 7000s ie one in each room (1,2 and 3) and have them setup like this:
Nexus 7000#1 vPC domain 1
Nexus 7000#2 vPC domain 1 + vPC domain 2
Nexus 7000#3 vPC domain 2
Thus giving all access switch stacks redundant links to the core without spanning tree.
I know it's not ideal but it's a campus site and that's how the existing fibre runs go.