Cisco AAA/Identity/Nac :: ACS Express 5.0.1 Joining Domain
Dec 18, 2011
I have been having some issues with an ACS Express joining a domain. This device had previously joined, and after a weekend we received a notice that users were not authenticating to the domain. This in turn led us to find out that the device was unable to join the domain. Further research led us to find that the account the device was using to join the domain had been disabled. However, after re-enabling the account we would only receive domain timeouts when we tried to join. I opened a case with Cisco and we have tried everything under the sun to no avail. I can ping the AD server (name and IP) from the ACS Express. Cisco applied a root patch that allowed us to create hosts file entries on the device. I checked the system time and made sure it was within 5 minutes of the domain controller time. In the logs of the ACS Express the only thing I can really find is:
- "Checking remote join status: SMB connectivity failed"
- "Timeout reached in getting AD Diag info"
- "acsxp/server Warning Server 0 is DisconnectedMode, IOException for reason, ipc socket connect; No such file or directory"
Recently we re-imaged the ACS and tried to join the domain without the old config on it, and just received the same error. I reloaded the backup after that, which also resulted in no change. I am starting to think that this is more of a domain issue than a networking one, but am having trouble finding a way to prove this via the logs. There are other ACSs configured in the network, and the settings on this device match the settings on the other devices in the network, which are working correctly.
Dec 21, 2010
I've just installed two ACS 5.2 appliances and I'm trying to get them to join my domain. I've set up an account that has the relevant permissions (tested the account on a laptop and it can join the machine to the domain).
The ACS keeps coming back with an "invalid credentials to join the domain" error, despite the fact that I know the user in question has the correct permissions.
I have a suspicion that the problem is related to how the ACS handles the Active Directory domain. We have a large domain that spans several domain controllers. The DNS server uses round-robin DNS to serve a different DC's IP each time; however, a typical Windows laptop is aware of which controllers it's allowed to use, whereas the ACS box doesn't appear to be.
The ACS servers are located in a network in the UK that is only allowed to talk to 2 of the 6 DCs, and I have no way of controlling which IP appears when the ACS tries to join the domain due to the round-robin DNS.
Is there any way to get around this? Or any way to hard-code a specific DC for the server to connect to? Even being able to add the DNS entry manually to a hosts file would work.
Dec 12, 2011
This is what happens when I try to join an ACS 5.3 to the domain. On two other ACS appliances, it works.
Jun 9, 2011
I cannot join the domain; it says "Computer name changes: A domain controller for the domain MyDomain could not be contacted." We have a domain and a workgroup. Actually, it had already joined the domain, but I wanted to map the share drive inside the workgroup and I could not map it, so I changed it to join the workgroup. After I booted up I could not log in with that user; I logged in with administrator and the user had disappeared from "User Accounts", but the profile inside Documents and Settings was still left, surprisingly. I don't know why. Now I have created one more user; it can map the share drive and shared folder, and can also see all the other network computers. The only thing left is that I cannot join the domain. I need this because we don't let our users use the administrator account. I should have backed up before testing this, but now the time
Sep 28, 2012
I am trying to join a Cisco Catalyst 3560X-24T-L to an existing VTP domain. My question is, what configuration should I do on this switch? I have already given it a hostname, set up passwords, enabled Telnet, and created a management address on port g0/24. I would like it to be on VLAN 13; is this done from my server switch, or on the new switch?
Jan 19, 2013
Is it possible to disable SSH v1 in ACS Express installed on an ADE 1010?
Jan 18, 2012
I have a new ACS v5.2 appliance and I'm trying to join it to my domain, but I haven't been able to. The ACS shows me the clock skew error, and I was checking some documents about it but it doesn't work. The ACS has the same time zone and time as my domain, but the problem persists.
Feb 3, 2013
I have ACS 4.2 for Windows installed on a Windows Server 2003 box. Because of a merger I now need to authenticate against two different domains. There is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC, but whenever I try to authenticate a user it says "dial-in permissions needed" in the ACS failed authentication log.
Nov 13, 2012
I have just changed the DNS domain name of my ISE from the CLI and restarted the appliance (it's a 3395 appliance). However, when I log in via the GUI it doesn't reflect the new DNS name.
Mar 1, 2011
I have installed Cisco ACS 4.2 on a server running Windows 2003 Server, and this server is a member server of the domain. The ACS is working with a Wireless Platform 4400, authenticating the wireless users using PEAP and digital certificates. But now the Windows platform will be upgraded to Windows 2008. My doubts are the following:
1. Will the ACS running on a Windows 2003 server authenticate users in the new Windows 2008 domain?
2. At the beginning, the ACS and the Windows domain were both 2003. Now, with the change of the Windows domain version, what happens with the configuration of the ACS server as a member server? Do I need to reconfigure the member server configuration in the ACS server?
Oct 19, 2011
We are facing a strange problem with a Cisco Small Business SG 200-08 switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS client with 802.1X port security enabled, it sends the "Account Name" attribute to the RADIUS server with a maximum of 32 characters. The string comes in the format host/dnsHostName and is cut after 32 characters, which causes the NPS to say "The specified domain does not exist", and NPS is right. When I reduce the hostname so that host/dnsHostName is <= 32 characters, authentication works fine. And by the way, we also have an SG 200-26 in production and it can handle more than 32 characters, which leads me to think of a bug in the firmware of the SG 200-08.
May 8, 2011
We are in the early stages of moving our domain controllers from 2003 to 2008 R2. The remote agents are running on 2003 domain controllers. According to Cisco documentation, I can move the agent to a Windows 2003 member server and then upgrade to 2008 R2 domain controllers.
May 23, 2011
We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains (domain1, domain2, domain3). We currently have to specify which domain each user belongs to (i.e., domain1\user) in order to connect. We would like to only have to enter the user name without the prefix (i.e., user1) and have ACS automatically check each domain for a match. Is this possible with ACS 5.2? I seem to remember this was possible with ACS 4.2.
Sep 12, 2011
Within ACS 5.2, does anyone know of a way to see which specific domain controller a request is sent to?
Sep 1, 2011
I have a question. What are the requirements for integrating an ACS 4.2 appliance with AD regarding the CA server? Does it have to be Windows 2003 Server Enterprise or Windows 2008 Enterprise, or can it be Windows 2003 or 2008 stand-alone? Another question is about multi-domain: I have a parent domain and child domains. Should the CA server be installed in the parent domain to enable 802.1X with AD for all the child domains, or can I install the CA server on a server in a child domain and have it work (CA server installed on a server in a child domain, working for all child domains and the parent)?
Sep 5, 2012
I am trying to join an ACS v5.3 to the domain. For my ACS in location A, I can join without problems using my account. When I try to join the ACS in location B to the same domain with the same account, it doesn't work. I looked at the debug log files for the AD client and noticed that the ACS in location B goes to a certain domain controller. However, I would have expected the ACS to contact another DC, which is located at the same location as the ACS; this doesn't happen.
My question: how does the ACS determine which DC to contact? Is it possible to force the ACS to join by connecting to a certain DC?
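What the Sep 5, 2012 post above is seeing, and what the Dec 21, 2010 poster with only 2 of 6 DCs reachable ran into, is the normal AD DC-locator behaviour: a domain member does not pick a DC from the domain name's round-robin A record but from the SRV records under _ldap._tcp.dc._msdcs.<domain> (site-aware clients prefer the site-specific _ldap._tcp.<site>._sites.dc._msdcs.<domain> record for the site that AD Sites and Services maps their subnet to). The Python below is an added example, not code from the page or from Cisco: it orders SRV candidates the way a client tries them (lowest priority value first, then highest weight), probes the ports a join needs on each DC, and reports which DCs are usable and which are blocked, plus the Kerberos clock-skew check. The DC names, IP addresses and the `sample_probe` stand-in are constructed for the example; on a real host you would paste the targets from `nslookup -type=SRV` and use `tcp_probe`.

```python
"""Domain-controller reachability preflight for an AD join.

Added example, not code from the page or from Cisco. Assumptions: the
candidates come from the _ldap._tcp.dc._msdcs.<domain> SRV record, and a join
needs TCP 88, 389, 445 and 636 (464, 3268 and UDP 53/123 may matter as well
but are not probed here).
"""
import socket
from dataclasses import dataclass

REQUIRED_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 636: "ldaps"}
MAX_SKEW_SECONDS = 300  # Kerberos default clock-skew tolerance, 5 minutes


@dataclass(frozen=True)
class DcCandidate:
    host: str
    ip: str
    priority: int = 0   # SRV priority: lower values are tried first
    weight: int = 100   # SRV weight: higher is preferred within a priority


def tcp_probe(ip, port, timeout=2.0):
    """Live probe: True if a TCP connection to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def order_by_srv(candidates):
    """Order DCs the way an SRV-aware client tries them: lowest priority value
    first, then highest weight (host name breaks ties for a stable result).
    A round-robin A record carries no such order, which is why a client that
    only resolves the domain name lands on an arbitrary DC."""
    return sorted(candidates, key=lambda c: (c.priority, -c.weight, c.host))


def preflight(candidates, probe=tcp_probe):
    """Probe every required port on every DC, in SRV order.
    Returns {host: {"ip": ip, "ok": bool, "blocked": [service, ...]}}."""
    report = {}
    for c in order_by_srv(candidates):
        blocked = [name for port, name in sorted(REQUIRED_PORTS.items())
                   if not probe(c.ip, port)]
        report[c.host] = {"ip": c.ip, "ok": not blocked, "blocked": blocked}
    return report


def usable_dcs(report):
    """Hosts the join could actually use, in the order the client would try them."""
    return [host for host, r in report.items() if r["ok"]]


def clock_skew_ok(local_epoch, dc_epoch, tolerance=MAX_SKEW_SECONDS):
    """Kerberos rejects the exchange when the two clocks differ by more than the tolerance."""
    return abs(local_epoch - dc_epoch) <= tolerance


# Constructed sample (not from the page): five DCs behind one domain name,
# of which the ACS subnet is permitted to reach only two.
SAMPLE_DCS = [
    DcCandidate("dc1.example.local", "10.0.1.11"),
    DcCandidate("dc2.example.local", "10.0.1.12"),
    DcCandidate("dc3.example.local", "10.0.2.13"),
    DcCandidate("dc4.example.local", "10.0.2.14", priority=10, weight=50),
    DcCandidate("dc5.example.local", "10.0.3.15", priority=10),
]
SAMPLE_REACHABLE = {"10.0.1.11", "10.0.1.12"}


def sample_probe(ip, port):
    """Offline stand-in for tcp_probe: a firewall that permits only two DCs."""
    return ip in SAMPLE_REACHABLE


if __name__ == "__main__":
    rep = preflight(SAMPLE_DCS, probe=sample_probe)
    for host, r in rep.items():
        state = "ok" if r["ok"] else "blocked: " + ", ".join(r["blocked"])
        print(f"{host:<20} {r['ip']:<12} {state}")
    print("usable:", usable_dcs(rep))
```

Two practical consequences follow from the ordering: a hosts-file entry for the domain name only changes the A-record answer and cannot supply SRV records, so it does not steer which DC the join contacts; the durable fixes are to permit the ACS subnet to every DC the SRV answer returns, or to put that subnet in an AD site whose DCs are the reachable ones so that site-aware lookups prefer them.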
Sep 3, 2011
We have ACS version 5.2.0.26 in Active/Standby. We need to integrate Active Directory with ACS. The domain name given by the server team was xyzcompy.local. When I tried to resolve that domain name I got five server IP addresses for the same domain name; however, we were given IP reachability to only two of the servers. When we try to save we get an error saying "Cannot resolve the network address".
So my questions are:
- Does ACS have to have IP reachability to all five servers?
- Does the username/password we enter in the ACS have to have domain admin rights?
- The given AD is configured with Windows NTP [URL], but when we configured the ACS with Windows NTP it was taking the local server as the active NTP?
When we checked the ACS logs, we saw the following errors:
In acsLocalStore:
AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],
In ACSADAgent:
32484]: INFO dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local
Sep 4 12:43:20 acs01-cc4 adjoin[32484]: INFO cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.
I attached some screen prints showing the error and the output of nslookup for the domain name.
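The messages quoted in the Dec 18, 2011 post at the top of the page and in the Sep 3, 2011 post above each point at a different check: TCP/445 to the DC, SRV records in DNS, the LDAPS bind, or the appliance's own AD agent. The Python below is an added example, not code from the page or from Cisco. It parses log lines of the two shapes shown (bare ACS Express messages and the syslog-style ACSADAgent lines), tags each with a category, and lists the categories in explanatory order so that a failed SRV lookup, which explains every later SMB and LDAP error, is reported first. The mapping from message to cause is my own interpretation, not Cisco documentation, and the sample lines are constructed from the quoted messages with example.local in place of the real domain.

```python
"""Triage of ACS Active Directory join log lines.

Added example, not code from the page or from Cisco. The cause hints are the
editor's interpretation of the quoted messages, not Cisco documentation.
"""
import re
from collections import Counter

# Syslog-style line as written by ACSADAgent, e.g.
#   Sep 4 12:43:20 acs01-cc4 adjoin[32484]: INFO cli.adjoin Join to domain 'x.local', zone 'null' failed.
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)\[(?P<pid>\d+)\]: (?P<level>[A-Z]+) (?P<comp>\S+) (?P<msg>.*)$"
)

# (pattern, category, hint). The patterns are the messages quoted in the posts.
RULES = [
    (re.compile(r"FindSrvFromDns failed|res_query failed\s+_ldap\._tcp", re.I), "dns-srv",
     "DNS returned no SRV records for _ldap._tcp.<domain>, so no DC can be located; "
     "check nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> against the ACS DNS servers"),
    (re.compile(r"Clock skew", re.I), "clock-skew",
     "time differs from the DC by more than Kerberos tolerates (5 minutes by default); fix NTP"),
    (re.compile(r"invalid credentials", re.I), "credentials",
     "the join account was rejected; check it is enabled, not locked and allowed to join computers"),
    (re.compile(r"DisconnectedMode|ipc socket connect", re.I), "agent-down",
     "the AD agent's IPC socket is missing, so the agent process is most likely not running"),
    (re.compile(r"SMB connectivity failed", re.I), "smb",
     "TCP/445 to the DC is blocked or the DC's SMB service is unreachable"),
    (re.compile(r"unable to create secured connection against AD server", re.I), "ldaps",
     "LDAPS (TCP/636) bind failed and the join fell back to clear text; check the 636 path "
     "and whether the DC certificate is trusted"),
    (re.compile(r"Timeout reached in getting AD Diag info", re.I), "timeout",
     "the agent did not answer in time; usually a consequence of one of the causes above"),
    (re.compile(r"Join to domain '(?P<domain>[^']+)'.*failed", re.I), "join-failed",
     "final result; the cause is in the earlier categories"),
]

# Report order: an earlier category explains the ones after it.
CAUSE_ORDER = [category for _, category, _ in RULES] + ["other"]


def parse_line(line):
    """Return a dict with syslog fields (when present), the message, a category and a hint."""
    m = SYSLOG.match(line.strip())
    fields = m.groupdict() if m else {"msg": line.strip()}
    fields.update(category="other", hint="", domain="")
    for pat, category, hint in RULES:
        hit = pat.search(fields["msg"])
        if hit:
            fields.update(category=category, hint=hint,
                          domain=hit.groupdict().get("domain") or "")
            break
    return fields


def triage(lines):
    """Parse all lines; return (records, per-category counts, causes in explanatory order)."""
    records = [parse_line(l) for l in lines if l.strip()]
    counts = Counter(r["category"] for r in records)
    causes = [c for c in CAUSE_ORDER if counts.get(c)]
    return records, counts, causes


# Constructed sample: the messages quoted in the posts, with example.local substituted.
SAMPLE_LINES = [
    "Checking remote join status: SMB connectivity failed",
    "Timeout reached in getting AD Diag info",
    "acsxp/server Warning Server 0 is DisconnectedMode, IOException for reason, "
    "ipc socket connect; No such file or directory",
    "AdminName=acsadmin, DomainName=example.local, ADOperationResult=unable to create secured "
    "connection against AD server, switching to non-secured connection. "
    "javax.naming.CommunicationException: simple bind failed: dc02.example.local:636 "
    "[Root exception is java.net.SocketException: Connection reset],",
    "Sep 4 12:43:19 acs01-cc4 adjoin[32484]: INFO dns.findsrv FindSrvFromDns failed: "
    "res_query failed _ldap._tcp.example.local",
    "Sep 4 12:43:20 acs01-cc4 adjoin[32484]: INFO cli.adjoin Join to domain 'example.local', "
    "zone 'null' failed.",
]

if __name__ == "__main__":
    records, counts, causes = triage(SAMPLE_LINES)
    print("likely causes, most fundamental first:", causes)
    for r in records:
        print(f"[{r['category']:>11}] {r['msg'][:70]}")
        if r["hint"]:
            print(f"{'':>14}-> {r['hint']}")
```

Note the ordering logic rather than the regexes is the useful part: in the Sep 3, 2011 case the appliance has IP reachability to the DC it bound to on 636, yet the join still fails because the SRV lookup for the domain returned nothing, and fixing the 636 reset first would not have helped.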
Sep 26, 2011
We have configured ACS 5.1 for authenticating wireless users with Active Directory, which is working fine now. But we would like to implement single-user authentication through ACS: if any user tries to access the WLAN from multiple systems, they will be notified with a multi-login access restriction. Can we implement this policy in ACS, and if so, what are the exact configuration changes we have to implement?
Dec 28, 2011
We have a cross-domain trust relationship established and I have added the user group in our ACS 5.1. We are using Active Directory as an external identity store. I have also created a rule in the Access Policies to allow the user group. From the cross domain, I use abc@xxx.xyz as a user ID, but I get this error message: 13036 Selected Shell Profile is DenyAccess.
Oct 5, 2012
We have a Cisco ACS 5.2 deployment (appliance). It has an existing integration with Active Directory. We use this with RADIUS to authenticate our wireless users and TACACS for managing our network equipment. The RADIUS reports are useful for other teams (outside my own) to be able to troubleshoot password and account lockouts (everyone forgets to change the password on their phone). I would like to allow this team and others access to view the RADIUS authentications report.
Jun 6, 2011
I'm installing ACS 4.2 in our lab domain and want to leverage the corporate domain for authentication. The one-way trust is in place, but there is a facet that I'm not clear on in regard to the installation requirement.
I'd like to install ACS on a lab domain member server, but I'm not sure that will work. The installation docs seem to imply that a member server must be in the same domain as the authentication server, but it's not very clear. If I want to use the one-way trust to the corporate domain, am I required to install ACS on the domain controller of the lab domain?
Jul 24, 2011
We are currently evaluating an ACS 1121 running 5.2, and we are trying to configure it to authenticate EAP-PEAP requests.
Our users will be using credentials in a username@example.com format. If the server sees a request using username@anotherrealm.com then it should forward the request to an external proxy RADIUS server; if the server sees a request for our domain it should strip off the @example.com part and authenticate against AD.
I'm finding it hard to locate documentation on telling the server that if a request comes from a NAS using username@example.com, it should strip @example.com and authenticate username against AD.
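The routing the post above asks for (local realm stripped and sent to AD, a foreign realm forwarded to a RADIUS proxy) is a policy over the RADIUS User-Name, and the edge cases have to be settled before it is configured in any RADIUS server. The Python below is an added example, not code from the page or from Cisco, that makes those decisions explicit: realm matching is case-insensitive, the last '@' is the separator so a local part containing '@' is still routed by its final realm, DOMAIN\user down-level names are accepted, a name with no realm is rejected unless explicitly defaulted, and identities containing characters that are significant in an LDAP filter or a Kerberos principal are rejected rather than passed to a back end. The realm names (including "example" as the assumed NetBIOS name), the identity-store name "AD1" and the proxy group name are assumptions.

```python
"""Realm-based routing of RADIUS User-Name values.

Added example, not code from the page or from Cisco. The realm lists, the
identity-store name "AD1" and the proxy group names are assumptions.
"""
from dataclasses import dataclass

# "example" is assumed to be the NetBIOS name of example.com, so that
# EXAMPLE\user and user@example.com route the same way.
LOCAL_REALMS = {"example.com", "example"}                    # stripped, sent to AD
PROXY_TARGETS = {"anotherrealm.com": "proxy-anotherrealm"}   # realm -> RADIUS proxy group
LOCAL_STORE = "AD1"
# Characters that change meaning in an LDAP filter or a Kerberos principal; an
# identity carrying them is refused instead of being handed to a back end.
FORBIDDEN = set('*()\\/\x00"=,;+<>')


@dataclass(frozen=True)
class Decision:
    action: str    # "local" (strip realm, authenticate against AD), "proxy" or "reject"
    identity: str  # what is sent on: the stripped user for local, the original for proxy
    realm: str     # realm seen in the request, lower-cased; "" when absent
    target: str    # identity store or proxy group; "" on reject


def split_identity(user_name):
    """Split a User-Name into (user, realm). Accepts user@realm, REALM\\user and
    a bare user. The last '@' is the separator, so 'a@b@example.com' yields
    user 'a@b' and realm 'example.com'."""
    s = user_name.strip()
    if "\\" in s:
        realm, _, user = s.partition("\\")
        return user, realm.lower()
    if "@" in s:
        user, _, realm = s.rpartition("@")
        return user, realm.lower()
    return s, ""


def route(user_name, local_realms=LOCAL_REALMS, proxy_targets=PROXY_TARGETS,
          default_local=False):
    """Decide where a request goes. Unknown realms and malformed names are
    rejected here rather than forwarded anywhere."""
    user, realm = split_identity(user_name)
    if not user or FORBIDDEN & set(user) or FORBIDDEN & set(realm):
        return Decision("reject", user_name, realm, "")
    if realm in local_realms:
        return Decision("local", user, realm, LOCAL_STORE)
    if realm in proxy_targets:
        # Forward the original name untouched so the proxy can apply its own realm logic.
        return Decision("proxy", user_name.strip(), realm, proxy_targets[realm])
    if realm == "" and default_local:
        return Decision("local", user, "", LOCAL_STORE)
    return Decision("reject", user_name, realm, "")


if __name__ == "__main__":
    # Constructed sample identities, not taken from any real authentication log.
    for name in ["jdoe@Example.COM", "EXAMPLE\\jdoe", "jdoe@anotherrealm.com",
                 "jdoe@unknown.org", "jdoe", "*@example.com"]:
        d = route(name)
        print(f"{name:<24} -> {d.action:<6} identity={d.identity!r} target={d.target!r}")
```

The reject-by-default for unknown realms is deliberate: forwarding anything that is not a known local realm to the proxy would let an attacker choose which RADIUS server sees a credential by picking the realm suffix.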
Feb 28, 2010
Is there currently any ACS version working with Windows Server 2008 R2 domain controllers? Our server staff recently upgraded the domain controllers to 2008 R2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 very happy. I've now read several posts regarding issues with ACS and Server 2008 R2 and hope to find a solution (besides switching to LDAP, yuck).
Feb 14, 2013
On our ASA 5510, in the AAA Server Groups area, there is an entry for LDAP and an object that refers to our 2003 domain controller. This DC has LDAP over SSL enabled and I can see the DN and password for a domain user account. I've created two new DCs, both 2008 R2, but when I enable these in the same way it says it could not authenticate: ERROR auth server not responding, AAA group removed. I thought this had something to do with a CA being installed on a DC, but it's not running as a service on the DC that was already referred to.
Dec 28, 2011
I have a question with regard to setting up the ID firewall on the ASA 5585 in a single-forest, multiple-domain Windows network. Currently I have a semi-operational IDF at the top level but can't find users in the other, lower domains. Here is the setup: I have 3 domains.
[URL]
Both domains have a two-way parent-child trust and I can look for users in AD Users and Computers on both domains. I initially set up the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the AD Agent. I installed the AD Agent on the domain1.test.com domain controller, configured the settings on that system, and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain2 and domain3 users and found none. I went ahead and added the domain2 system to the AD Agent on the DC, and the system says that it is up, but when I search for users it is not pulling them from domain2. Instead, it shows domain1 users as domain2\user1. I also configured another AD server in the ASA to search LDAP on domain2, to no avail.
The Cisco documentation states the following:
• Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.
Reading that, it sounds like it should just work.
I had everything properly configured before I installed the AD Agent, but I'm guessing that there is a chance that you can't have the AD Agent on the top-level DC and get it to communicate with the lower-level domains.
Dec 3, 2011
I'm having a problem joining an AP802 access point in a Cisco 887VAM-W router to a WLC2125 running 7.0.116.0. I get the messages pasted below from the AP console. The AP connects to the WLC over an EZVPN tunnel with an ASA on the other end, and I can't see any error messages there. [code]
Jul 1, 2012
A customer has 2 x 1552 APs that won't join a WLC.
These are the debugs from the WLC. The customer can't console to the AP to capture, as it's up in the roof and not easily accessible. Why won't the AP join? Date/time are fine on the WLC, as is the region.
*spamReceiveTask: Jun 28 13:45:26.612: 2c:3f:38:be:23:c0 DTLS connection not found, creating new connection for 172:16:2:1 (57918) 172:16:0:1 (5246)
*spamReceiveTask: Jun 28 13:45:27.243: 2c:3f:38:be:23:c0 DTLS Session established server (172.16.0.1:5246), client (172.16.2.1:57918)
[Code]....
May 12, 2012
There are a total of 25 Cisco 3502 APs installed. 24 APs were discovered; 1 AP was not. I ran "sh cdp ne" on the switch and the AP was discovered by the switch, but it does not have an IP address. In the output of "sh cdp ne de", I noticed that on the AP that is not joining the platform is "cisco AIR-SAP3502E-E-K9", while on the APs that joined the WLC the platform is "cisco AIR-CAP3502E-E-K9". The software versions are also different, but this could be because the WLC already upgraded the IOS when the APs joined. Why is the platform "SAP3502E" for the AP that did not join?
Apr 17, 2013
I had problems joining a 1131AG AP to a "new" 5508 WLC running 7.4.100.0. This AP had been connected to a controller unknown to me for years. Now the customer wants to move this AP to a newer 5508 controller with 7.4.100.0. We [URL] could not get this AP connected to the controller. Now I have this AP on my desk. I have a 5508 (7.4.100.0) as well. I connected the AP to the same network as the WLC management; the AP did not connect, and it tried to download the "new" IOS but that didn't seem to work, the same as in the old thread. So I tried to log in to the AP, but it seemed to have an account/password unknown to me.
-> I did a reset of the AP by pressing the mode button (about 2-3 sec.) during power-on (not connected to the network). Now I could log on to the AP. I deleted six crashinfos and connected the AP back to the network.
Now the AP joined the controller.
Does an "unknown" password prevent the AP from joining another WLC?
The AP had 15740928 bytes total (6409728 bytes free) space on the flash: was this enough for the new image? 15740928 bytes total (7798272 bytes free) after deleting the crashinfos.
The customer has more APs that have to join the new controller; it would be nice if we didn't have to reset all the APs.
Mar 19, 2012
After a wireless network interruption, one of the MAP 1522s is not joining the WLC.
(Cisco Controller) >show ap join stats detailed 00:08:30:bb:53:20
Discovery phase statistics
- Discovery requests received.............................. 7
- Successful discovery responses sent...................... 5
[Code]....
Apr 8, 2013
For some reason some APs will not join the WLC (WiSM2). I have several hundred APs online, but still a few offline.
This fails:
FRH-R06-L226-UX-G#sh cdp nei gi2/0/41 detail
-------------------------
Device ID: AP5057.a8a1.c632
Entry address(es):
[Code]...
Apr 3, 2013
I recently migrated APs from a 4400 to a 5508 which had the 7.4 code and encountered an issue that I hadn't seen before. In short, the APs would never join the 5508, even when the selection rules said they should. The AP would get a discovery response from both controllers, and even though the 4400 had 98 APs attached and the 5508 just 1, and a factory reset was done on the AP, it would always join the 4400.
A packet capture showed that the first CAPWAP address from the 5508 was always an IPv6 address, whilst the 4400 always sent IPv4 CAPWAP control addresses. Disabling the global IPv6 option on the 5508 ensured that the first CAPWAP control address was now an IPv4 address, and the AP then happily joined the controller. IPv6 addresses were still showing up in the discovery responses, but since one was no longer the first address in the packet the AP didn't mind.
Dec 14, 2011
We've just replaced some 1240 LAPs with 20 x 3502i.
We seem to have a problem: most of the 14 x 3502i have registered on the network and are working, but 6 aren't connecting; log below. I've replaced one of the APs with a different one, same model and batch, and this works.
WiSMs on 7.0.98.0
Script
*Mar 1 00:15:16.015: %CAPWAP-5-CHANGED: CAPWAP changed state to
[Code].....