Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?
View 2 RepliesThe users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
View 4 Replies View RelatedI do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
I'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
I am setting up an LDAP identity store over ldaps in ACS 5.1. I specify that the connection uses secure authentication and provide the Root CA certificate. When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found"Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test?
View 2 Replies View RelatedWe added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
[Code].....
configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches.All the documents i have found seem to have incorrect screen shots or missing steps.I have found a doc external to Cisco [URL]however this just hangs when attempting to complete the task in figure G.The other docs are for configuring IBNS & assume that 802.1x is already configured.
View 1 Replies View RelatedI have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
View 5 Replies View RelatedWe currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
1) VPN client (via ASA5510)
2) Wireless (EAP-PEAP)
For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
We would like to try achieve the following in ACS:
IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is. IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
Does the LDAP authentication work across W2K3 Active Directory domains and multiple ASA5510 firewalls? Or do I need to setup another type of authentication? If I use another type of authentication can I get specific portals with special bookmarks based on login account?
View 4 Replies View RelatedIs it possible for Windows 7 to host multiple domains? I have seen that it is available for plenty of other OSs and I am sure that it is. I just wanted to make sure.
View 2 Replies View Relatedjoin multiple domains in windows xp?
View 2 Replies View RelatedI have a customer with three rooms where teh access layer aggregation switches are run back to.
Access Switch Stack A -> room 1 + room 2
Access Switch Stack B -> room 2 + room 3
Is it possible to have three Nexus 7000s ie one in each room (1,2 and 3) and have them setup like this:
Nexus 7000#1 vPC domain 1
Nexus 7000#2 vPC domain 1 + vPC domain 2
Nexus 7000#3 vPC domain 2
Thus gving all access switch stacks redundant links to the core withouit spanning tree.
I know its not ideal but its a campus site and thats how the existing fibre runs go.
We are trying to set up ACS 5.2 in our multi-forest AD environment. As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu). It connects properly and I can see the directory groups in the that tab when we Select. This domain (a.b.edu) has a two way trust with another domain in another forest (x.y.b.edu). However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free text Group Name.
The documentation is not clear on this point: Page 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2) says: "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up. This seems to be what is happening.
i`m facing a problem configuring the mentioned access point to act as stand alone access point with multiple SSID assigned to differnet VLANs the problem is that
1) i`m not able to broadcast the both SSIDs in the same time from the Access point
2) i need to make the radius server to manage the SSID access for the wireless clients (trying to find a way in which the aceess point sends a log for the radius server containing the VLAN id /IP address of the the SSID) you may find the below info about the IOS ver. & the configuration?
i`m running IOS /c1100-k9w7-mx.123-8.JEE/c1100-k9w7-mx.123-8.JEE?
We are deploying a Microsoft Exchange 2010 server environment, which will have a ACE 4710 front end. What we are finding is that if a server goes down, a client will need to re-authenticate to a new server. The server team has informed me that if they use Microsoft SLB this does not happen. They have also mentioned that we are getting basic authentication, rather than NTLM. As a result I have read several posts/articles which mention forcing NTLM on the ACE, but none go into real detail.
A couple of official Cisco documents point to having the Exchange Server, and Client both set to use NTLM. So on the server you do not need to select MAPI encryption. I am told this is not an option here, because a multitude of clients are supported, from Outlook 2003, through to 2010.
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies View RelatedI need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.
View 4 Replies View RelatedI am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
I've replaced my dead ASA5505 with a 861-K9.Our ISP provides a subnet of public address /29 (wan side) by example: 200.200.200.xxx /29,we have 3 servers (lan side) in the example 10.1.1.xxx /24 is the same case than Johnatan, the only difference are the public addresses. [URL], everything is ok when NAT via the FE4 public address, but when do the same with other public IPs doesn't work.
View 7 Replies View RelatedI am trying to configure a Cisco 871 router.There are 3 servers on my network that need static public IPs but also still need to communicate on the local network.I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network with that IP which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP.I've never configured more than one static ip for a network before and i know i've just missed a step here. Do I also need to use static routes? Will that update the next hop's routing table? Do I need to make an ACL to permit any host to the servers? If so, do I use the internal or external address? [code]
View 2 Replies View RelatedI am in the process of configuring two vpn tunnels on one interface of cisco router series 1721. Any link or document with more information?
View 5 Replies View RelatedI want to set up a WiFi internet connection for a campus. I plan to use 4 routers. the first one is directly connected to the internet. I want to share internet access wirelessly with the other routers. Each of the routers should be a hotspot for each of the four blocks in the campus.
View 1 Replies View RelatedI'm trying to troubleshoot a wireless network at an Inn which is shared among three buildings. The internet at the main building works fine.
However there is a WDS set up for the other two houses that are part of the property. The network is a bit of a mess IMO. The main problem is that routers on the end of the WDS chain work for awhile after booting, but frequently stop issuing IPs. When a device tries to connect it says unable to configure IP or something like that. Rebooting the router always fixes the problem.
My networking knowledge is very limited but I think some settings must be incorrect. I will try to described the setup here..
All of the following routers are WRT54G's with DDWRT
Main router: 192.168.1.1 [different SSID that WDS], all routers forward DHCP to this router
WDS router 192.168.1.3 at main building is connected to an cantenna that shoots the signal over to 1st house. Gateway & Local DNS set to 192.168.1.1
WDS router 192.168.1.4 at that house is the main AP for that house and gets its signal from 1.3's cantenna. Gateway & Local DNS set to 192.168.1.3
WDS router 192.168.1.5 under the deck at the 1st house picks up that signal from 1.4 and uses a cantenna to send it to the 2nd house. Gateway & Local DNS set to 192.168.1.4
WDS router 192.167.1.6 under the deck of the 2nd house gets the signal from 1.5's cantenna. Gateway & Local DNS set to 192.168.1.5
The IP configuration problems happen at the 2nd house with 192.168.1.6. I believe 1.5 also has IP configuration problems but that router is not used other than to transmit to 1.6. Again rebooting the router fixes the issues temporarily. It works for a couple days up to a couple weeks before the IP problems start.
Mac addresses for the WDS are set of course. I have been trying to experiment with settings for awhile, but do not really know what I am doing. I am not the one who set this up.
Also under the Advanced Routing tab,here are the Static Routing settings:
192.168.1.3: Destination LAN NET: 192.168.1.0, Gateway: 192.168.1.1
192.168.1.4: Destination LAN NET: 192.168.1.3, Gateway: 192.168.1.1
192.168.1.5: Destination LAN NET: 192.168.1.4, Gateway: 192.168.1.3
192.168.1.6: Destination LAN NET: 192.168.1.5, Gateway: 192.168.1.4
Update: looks like STP should be enabled for WDS? Going to try enabling that I guess.
I would like to configure a 3750 switch port to be able to use two vlans. I know you can do this with a voice and data vlan, but what about two data vlans ? Say I have two devices, one on a 10 subnet and the other on a 172 subnet, but i only have one wall jack for both devices to plug into. So I use a mini switch to connect both devices and connect the switch to the wall jack; and of course this all leads back to one switch port. When I go to enter the switchport access vlan 172 cmd, how would I also make it so the device on the 10 subnet could route out ?
View 9 Replies View RelatedI have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts. We are using a 5508 W LAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest W LAN for each of our regional offices. Each of these W LAN needs to be configured with a Web Authentication page relevant to the office location. My question is this, can I have a Web Authentication page for each location or just 2, the default internal page and 1 customized page?
Trying to configure 802.1x with ACS 5.3, have some general doubts about how to make it, this is what I got for the moment:
ACS 5.3 = 192.168.240.28
AD = 192.168.251.97
Switch = 192.168.240.171
IOS device config Already configured and running Device Administration using Tacacs, mising with Radius aaa commands:
aaa group server tacacs+ TACACS_PLUS
server 192.168.240.28
!
aaa group server radius RADIUS_1x
[Code]......
My boss just asked me if there was a way for him to move from point A to Point B with his wireless laptop and NOT have to reauthenticate at point B if I install another access point there. Right now I have us setup on a Cisco WAP4410N Access Point that works well when he's within range of the antenna. The point B location is upstairs and while it's only about 50-70 feet away from the Point A access point the signal he's getting there is very weak so he wants me to install another AP there.
IOW he wants to authenticate once at point A and when he walks up to point B he wants the laptop to pickup the newer hotter signal when I put another AP point in.
can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any
View 3 Replies View RelatedI am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!My running config:
Building configuration...
Current configuration : 1736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
[code]......
As a result the vlan-switch data based does not change.
I am struggling with configuring NPS AA for our 3750 array ... authentication and authorization. I tried almost every config i could find online but the most i got out of it is a simple authentication. What i need is quite simple: we have several AD groups.
1- Admin
2- Read only with few privileges for ping, show, trace route and telnet
I need my switches to be able to recognize the groups and assign them the correct priv. But it doesn't seem to be happening. Any clean config for the switch and for NPS ?