Cisco AAA/Identity/Nac :: ACS 5.3 Not Accessing Internal DB
Jul 2, 2012
I have configured my ACS 5.3 server to access AD for user authentication, but I would also like to use the internal store for some users. The problem is that when I test with an internal user account, I can see in the logs that it still tries to access the AD for this user, and I receive a message in the logs: "22056 subject not found in the applicable data store". I have already defined the identity sequence to first use the AD, then, if the user is not found, use the internal database.
I've run into something a bit new to me: networking! Now I do have some experience, but not enough for me to figure this one out. Here is what I am trying to achieve. We have a webserver at the office which I can access from the outside world. We also have a local server with a static internal IP (file server). My question is as follows: can I add a link on a web page on my webserver so that I can access the internal IP address from outside the office?
I have a Cisco 5505, 2 sites that are internal, 1 external IP (DHCP from cable modem). While on my laptop, iPad, iPhone, I cannot access the server via its external IP address. I MUST use the internal IP in order to access this site. I have heard of hairpinning, internal DNS server (don't really want this).
We recently upgraded from an RVS4000 router which didn't have this issue.
The problem: internal users from Site A cannot access the external OWA address. From Site A I can successfully ping both the external/internal IP addresses/names and they resolve correctly, including pinging the address ("mail.company.com"), which resolves correctly to the external IP address.
I just moved from a Linksys wired router to the Cisco EA2700 wired/wireless router. I have three web servers on my network that serve up content via standard web URLs. For example, pretend www.domain.com pointed to the WAN side of my EA2700. Port forwarding routes port 80 traffic to the server, located on an internal, private IP (i.e., 192.168.1.21). All works well when accessing these servers from outside my network (I checked this via my mobile broadband connection). But when I'm on a workstation internal to the same network as the servers, I cannot connect to the servers via the web URL. Of course, I can hit them via the IP or an internal-only DNS network entry. For example, when on 192.168.1.55 on a desktop machine, and I type the URL in the form www.domain.com, it just hangs and times out. I was able to do this on the old Linky router. Traffic should stop at the router and be re-routed back internally to the port-forwarded server, but it does not.
I have to route properly via the web URL and not the internal DNS name or IP addy, as I am running virtual web servers on IIS on one of the servers. Is there a setting I failed to set on the EA2700?
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict the internal identity store per group? Do I need to create new roles, and how? I was not able to get an answer from the ACS ADMIN manual.
We are using ACS version 4.2.0 build 124 on Windows Server 2003. Our domain controller has been upgraded from 2003 to Windows 2008 R2. Now we are facing the following error in ACS authentication for accessing our devices.
Error: AUTH 06/09/2012 11:55:40 E 1810 3316 0x8f21 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
If we restart the services of the ACS server, then users get authenticated fine.
I have a self-signed certificate on an ACS 4.2 Windows machine. I open a browser port to https://ipaddress:2002 of the ACS and get the certificate error message as expected. When I proceed to the site and then check the certificate via the shield at the top of the browser, it shows it is issued to ACSCOSC216_7. I install the certificate via the IE certificate import wizard. I then connect to the ACS via the proper FQDN at [URL], log in with my account, but now get: "The website declined to show this webpage."
On ACS version 4.2.0.124 installed on Appliance 1113, we are getting the error code "Internal error" and also "Enabling Tacacs+ is not allowed for this Access Server" during client authentication.
Trying to use the "File Operations" option to import hosts into ACS. I go through the wizard and click "Finish"; the pop-up goes blank and just hangs there. No errors are generated.
Migrating from ACS 4.2 to 5.2 and have noticed there is no expiration date per internal user added. We expire users at different times due to their time on site. Is there something that has to be added to get back this basic feature we had before?
I have an ACS 5.2 server integrated with Active Directory. Now I need to create an internal user account to log in to some RADIUS devices using the internal user database. I have about 600 users, all authenticating through AD.
Using a CSV file, I cannot add a user to the internal database of the ACS. I get a permanent error "File Format Validation Failed". However, the file I want to import really is a CSV file.
My ACS 5.2 joined Windows 2003 Active Directory successfully. I created a Support group with user1 in the internal store, and also created a Support-AD group with userad1 in the AD store. The Identity Store Sequence is set to Internal first, then AD. I can map the Support-AD group to the local Support group without any problem.
The internal user gets authenticated and authorized OK. However, if the user is an AD user, the rule for AD users is not picked, so it goes to default.
I am looking for a way to set the password rules individually for some users or identity groups. I can only find the global settings. Background of the requirement: we want to use password aging for most admin users, but for some we don't want the password to expire.
I'm doing some testing with an ACS server on my Windows box and I can't seem to get a bare-bones RADIUS authentication to work with ACS internal users. I tested the same configuration with TACACS and it works fine, so there's something missing or misconfigured in my setup.
I have a Cisco 3550 switch that I want users to log in to using their ACS username/password.
My sister has a PC in the office which is connected to another PC (which has net connectivity) over LAN. She is getting the LAN icon in Network Connections. Until today she could not access the internet on her PC. But today an engineer came and changed the proxy address or something in Internet Options > Connections > LAN Settings and accessed the internet. After he was done, he again changed something in LAN settings and went away. Now my sister is not able to access the internet. What can I do?
I use Sage to update my stock on a PC in my back room. I want to access that PC and open the Sage program from another 2 PCs, add data, save, etc. I thought a simple network would do it, but not quite. I have three PCs in different parts of the building. I can see all three PCs and share files, printers, etc., but I'm not sure how to execute and run the program through the network on the back PC. I didn't want to set up a server, but in a way this looks like what I need to do. How much more, after what I've set up as a network with all sharing and internet connections etc., do I need to do? I'm thinking if I use the PC the program is on as the server, how would I be able to execute the program from another PC in the network?
I have an internal server 172.16.1.202 that is PATed to 5.5.5.103 to allow RDP connections. This works fine from the internet. I have now been asked to allow our guest wireless (192.168.100.0/24, DMZ) to access this same external connection. We have 2 Cisco controllers, with the guest controller "anchored" in the DMZ. I cannot get this to work. Both the DMZ and inside NAT their internet connections to 5.5.5.2.
We connect to a Cisco ASA 5505 over IPsec VPN; the Cisco forwards the request to our Juniper router. Whatever we do on the VPN works #1 except FTP. [code] Since most home routers use 0.0, 1.0 or 2.0, most of our clients can't connect to the VPN, so my boss configured our Juniper to translate the IP. So to access 2.0 we use 202.0. For example, to access a server at 192.168.2.220 over RDP, we enter 192.168.202.220 in Windows RDP and the Juniper converts the data to 2.220, and all works fine. [code]
We have an ASA 5505 running 8.2(1) with a Bosch DVR 600. When a machine is on the local subnet, it can see the video; however, when it's moved to the DMZ, the unit can be accessed, but all video screens are black and a JavaScript error pops up as follows: [URL]
This message does not pop up when on the local subnet. Additionally, in the login screen, there is a language selection, and sometimes all languages are blanked out. There is a space for them, but they don't display.
I've tried this on half a dozen machines, either XP or Win7 with IE8 and IE9, and they all do the same thing. I disabled HTTP inspection, but that doesn't work. I also did a packet capture, and the only packets that traverse the ASA.
Have a school which is split into 2 domains (and 2 different subnets). A logged-in Windows domain user from domain A needs to access a Windows share on domain B. So I made a bat file on the PC in domain A to map a drive to the share on domain B, using the net use command but specifying login credentials of a domain user from domain B. The PC on domain A has its hosts file edited so it can access the server on domain B which the share is on; ping and everything to this server works fine. I created a user in domain B with the corresponding login details as in the batch file, same un and pwd; it didn't work. If I specify the un and pwd in the batch file as the domain admin account on domain B, it works fine every time. I'm pretty sure it's not a permissions thing, as I have given the initial user that I specified in the batch file full control in the share permissions and security permissions on the share in question; it still wouldn't work.
All I can think of, but can't put into good technical words, is that this user I am specifying in the batch file not only needs to have access to the share itself but has to enter the other domain as well. Would there be some protocol or something which it does not have permission to use effectively, but the domain admin clearly does, as it works fine for the domain admin?
I want to access my system from the internet. My network scenario is as follows: Internet ==> DSL Modem(s) ==> Load Balance ==> Gateway Firewall ==> My PC
DSL 1: ZXDSL 831CII (Fixed IP)
DSL 2: HG510a
Load Balance: TL-R480T+
Gateway Firewall: pfSense (BSD)
Q1/ I have 2 WinXP laptops on the network. One is WinXP Pro and one is WinXP Home. In My Network Places of WinXP Home, it can see the WinXP Pro. In WinXP Pro, I have to do a search for the WinXP Home computer in order to detect its existence. Why?
Q2/ In both systems, when I tried to access the other computer, a popup screen asked for a password. I keyed in the proper password, but I cannot access the computer on the network. I repeatedly keyed in the password but had the same result. I turned off the firewall on both systems. The same problem existed. On both systems, "File and Printer Sharing" is enabled in the Firewall exceptions. And on both systems, I can ping the other system without any problem.
I have two subnets at my home and both run through my Cisco router. One is my private LAN with access to the Internet, ie your standard home network. The other is a semi-public network that I share with friends through an encrypted GRE tunnel system(DMVPN) over the Internet. I have a server on that semi-public network and I can access my friend's servers from my server, but not from my main PC on my private network.
Is there a way I can access both networks from only my main PC using two NICs?
I have 2 computers connected in a LAN. I want to access the other computer through the main one. I do have shared folders (HomeGroup), but I would like to know how I can get complete access to the other computer, via the command prompt maybe?
I have shared folders on my Win 7 PC. I can access these folders by typing in the username and password on a Mac. I can't access these folders on my Vista PC because there's no prompt to sign in. How do I change the login account on Vista so that it can access my Windows 7 shared folders?
I am trying to run Windows XP in a virtual machine on my Windows 7 (64-bit) system. I have a Windows XP CD, but my CD drive is broken. I shared a CD drive on a different PC and am able to access it as a shared folder. I tried copying the files to my HD and making an ISO out of them. This worked, but my virtual machines (VMware Player & Oracle VM VirtualBox) don't detect it as a Windows install; I also tried to mount this ISO. detect the original XP CD with one of these VMs. But in order for this to work I have to make my system think that the CD drive on the other PC is part of the local setup,
I have two devices in my office which both need to be accessible externally. One is an FTP server (Hermstedt Stingray), the other is a NAS drive (LaCie). I don't have a static IP, so I have instead configured an account with DynDNS. My understanding is that by using this method, only one device will ever be accessible because of the one single dynamic IP. Is this correct? Or is there a way of configuring something somewhere (DynDNS, router, etc.) so that both my devices can be accessed externally?