Cisco AAA/Identity/Nac :: Error When Joining Acs 5.3 To Domain
Dec 12, 2011this is what happens when I try to join an acs 5.3 to the domain. On two other acs appliances, it works.
View 1 Replies
ADVERTISEMENT
AAA/Identity/Nac :: ACS 5.2 - Joining Multi-DC Domain
Dec 21, 2010I've just installed two ACS 5.2 appliances and I'm trying to get them to join my domain, I've setup an account that has the relevant permissions (tested the account on a laptop and it can join the machine to the domain).
The ACS keeps coming back with an invalid credentials to join the domain error despite the fact that I know the user in question has the correct permissions.
I have a suspicion that the problem is related to how the ACS handles the Active Directory Domain, we have a large domain that spans several domain controllers. The DNS server uses round robin DNS to serve a different DC's IP each time, however a typical windows laptop is aware of what controllers it's allowed to use whereas the ACS box doesn't appear to be.
The ACS servers are located in a network in the UK that is only allowed to talk to 2/6 DC's and I have no way of controlling what IP appears when the ACS tries to join the domain due to the round robin DNS.
Is there any way to get around this? Or any way to hard code a specific DC for the server to connect to? Even being able to add the DNS manually to a hosts file would work.
Cisco AAA/Identity/Nac :: ACS Express 5.0.1 Joining Domain
Dec 18, 2011I have been having some issues with an ACS express joining a domain. This device previously had joined and after a weekend we received a notice that users were not authenticating to the domain. This in turn let us to find out the the device was unable to join the domain. Further research led us to find that the account the device was using to join the domain had been disabled. However, after re-enabling the account we would only recieve domain timeouts when tried to join. I opened a case with cisco and we have tried everything under the sun to no avail. I can ping the AD server (name & ip) from the ACS express. Cisco apply a root patch that allowed us to create hosts file entries on the device. I checked the system time and made sure it was within 5 minutes of the Domain controller time. In the logs of the ACS express the only thing I can really find is:
-"Checking remote join status: SMB connectivity failed"
-"Timeout reached in getting AD Diag info"
"acsxp/server Warning Server 0 is DisconnectedMode, IOException for reason, ipc socket connect; No such file or directory:
Recently we re-imaged the ACS and tried to join the domain without the old config on it and just received the same error. I reloaded the backup after that which also resulted in no change. I am starting to think that there is more of a domain issue rather than networking but am having issues finding a way to prove this via the logs. The are other ACS's configured in the network and the settings on this device match the settings on the other device in the network which are working correctly.
Can't Log On To Domain After Joining Workgroup
Jun 9, 2011I cannot join domain it saying that "Computer name changes", A domain controller for the domain MyDomain could not be contacted.”. We have domain and workgroup, Actually first its already joined the domain, but I want to map the sharedrive inside the workgroup but I cannot map. Then I change to join workgroup. After I boot up I cannot log in with that user, I log in with administrator and the user is dissappear in the "User Account", but the profile inside document and setting still left surprise. I don't know why Now I create one more user, it can map to share drive also share folder. also can see all other network computer. But only left one is I cannot join the domain. I need this one because of we don't let our user using as administrator account. Before I testing this one I should backup, but now the time
View 2 Replies View RelatedCisco Switching/Routing :: 3560X-24T-L Joining A Switch To VTP Domain
Sep 28, 2012I am trying to join a Cisco Catalyst 3560X-24T-L to an existing VTP domain, my question is what configurations should I do to this switch?I have already gave it a hostname, setup passwords, enabled telnet, created a management address on port g0/24.I would like it to be on VLAN 13, is this done from my server switch, or done on the new switch?
View 10 Replies View RelatedCisco :: 4402 / Updated WLC Has Strange Error Log And APs Not Joining?
Jan 10, 2011we recently updated all of our WLC's to 7.098 and it all went smoothly, controllers rebooted and AP's updated their firmware and rebooted OK.One WLC (4402) which was working fine since the update now has no AP's associated. The AP's were all configured to run in HREAP mode and are on remote sites within our WAN. I have checked that all policies and ports are still open (none have changed anyway) but the AP's can not join with the contoller.The log from an AP trying to join with the WLC.
[Code] .....
The logs on WLC show as below.
*emWeb:
Jan 12 13:14:13.629: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:1289 Authentication succeeded for admin user 'adann'*spamReceiveTask:
Jan 12 13:14:12.919: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:a4:10 supporting CAPWAP*spamReceiveTask:
Jan 12 13:14:11.543: %LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:21:a0:81:8f:a0 supporting CAPWAP*spamReceiveTask:
[Code] ......
Cisco Wireless :: Joining AP To WLC 5508 Getting Error In Logs?
Dec 6, 2012I am tryign to join my first AP to the 5508 and am gettign this error int he logs.
*Dec 07 10:42:31.067: %DTL-3-NPUARP_ADD_FAILED: dtl_arp.c:2280 Unable to add an ARP entry for 0:0.0.0 to the network processor. entry does not exist
The management Interface is on the the same vlan as the AP , both untagged ports. the AP gets an ip address from my dhcp server.
Cisco :: AIR 1522 Error In Joining Wireless LAN Controller 5508
Aug 27, 2011I am facing problem with an outdoor access point AIR-1522-K-E series which is unable to join a wirless lan controller 5508. The wireless AP is able to get IP address from dhcp server and discover the Wireless controller IP address. After this i see following status messeges on the console of AP.
*Aug 27 11:04:19.767: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Aug 27 11:04:21.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.2.64.50 peer_port: 5246
*Aug 27 11:04:21.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Aug 27 11:04:21.707: %CAPWAP-5-DTLSREQSUCC: DTLS connection created successfully peer_ip: 10.2.64.50 peer_port: 5246
[Code]...
Workgroup To Domain Connection Error?
Jul 19, 2011I have an domain server to which some of my machines are connected to it. and some machines are in workgroup.Now when I am trying to connect one of the machine which is in domain from workgroup I got an following error message
View 6 Replies View RelatedWindows Vista - Domain Name Server Configuration Error
Jul 21, 2011I can't seem to get the browser to properly show spacing.So I was browsing the internet normally, then all of the sudden, I'm disconnected. When I reconnected, I was able to access the network, but unable to connect to the internet. After attempting to diagnose the issue, I got the "There may be a problem with your Domain Name Server Configuration."can't connect to well known host microsoft.com.
View 9 Replies View RelatedNSURL Error Domain - Unable To Complete Download
Jun 18, 2011I have recently been trying to download a file but every time that I've tried, the download stops at the exact same point, saying that it is "unable to complete the download". It gives the error message: NSURLErrorDomain error -1.
View 1 Replies View RelatedError - Changing Primary Domain DNS Name Of This Computer Failed
Apr 14, 2011When I try to connect to our domain I get the error message:Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "(name of our domain)" The specified domain either does not exist or could not be contacted.The procedure is the same I've used since Hector was a pup and never had a problem. I can't add users to the domain and can't log on directly to the domain.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Error - 22056 Subject Not Found In Applicable Identity
Oct 6, 2012I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
Cisco AAA/Identity/Nac :: ACS V 5.2 Can't Join To Domain
Jan 18, 2012l have a new ACS v 5.2 appliance and l´m trying to join to my domain, but l haven´t could, the acs shows me the Clock skew error, and l was checking some documents about it doesnt work. the acs have the same timezone and time that my domain, but the problem persist
View 7 Replies View RelatedCisco AAA/Identity/Nac :: ACS 4.2 Multiple AD Domain Authentication?
Feb 3, 2013I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
View 5 Replies View RelatedCisco AAA/Identity/Nac :: 3395 DNS Domain Name Change
Nov 13, 2012I have just change the DNS domain name of my ISE from CLI and restarted the appliance (its a 3395 appliance)However,, when i log in via GUI it doesnt reflect the new dns name.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 4.2 New Windows Domain 2008
Mar 1, 2011I have installed the Cisco ACS 4.2 in a server running Windows 2003 Server, and this server is member server of the domain. The ACS is working whit a Wireless Platform 4400, and authenticating to the Wireless Users using PEAP and Digital Certificate. But now, the windows platform will be upgraded to Windows 2008. My doubt are the following:
1. The ACS running in a windows 2003 server, will authentificate users in the new windows 2008 domain?
2. At the beginning, the ACS and the Windows domain was 2003. Now whit the change of the version of windows domain, What happens whit the configuration of the acs server as member server? I need reconfigure the member server configuration in the ACS Server?
AAA/Identity/Nac :: SG 200-08 Not Working With Domain / Host-name
Oct 19, 2011we are facing a strange problem with a Cisco Small Business SG 200-08 Switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS Client with 802.1x port security enabled, it sends the “Account Name” attribute to the radius server with max. 32 characters. The string comes in this format: host/dns Host Name and will be cut after 32 characters which will cause the NPS to say: “The specified domain does not exist.” and NPS is right. When I reduce the hostname so that host/dnsHostName <= 32 characters, authentication is working fine. And by the way, we also have a SG 200-26 in production and it can handle more than 32 characters which lead me to think of a bug in the firmware of the SG 200-08.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS SE 4.2.1 And Windows 2008R2 Domain Controllers?
May 8, 2011We are in the earlier stages of moving our Domain Controlllers from 2003 to 2008 R2. The remote agents are running in 2003 Domain Controllers. According with Cisco Documentation, I can move the agent to a Windows 2003 Member Server and the upgrade to 2008 R2 Domain Controllers.
View 4 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Multiple Domain Prefix Searching?
May 23, 2011We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains. (domain1, domain2, domain3) We currently have to specify which domain each user belongs to (ie, domain1user) in order to connect. We would like to only have to enter the user name without the prefix, (ie, user1) and have ACS automatically check each domain for a match. Is this possible with ACS 5.2? I seem to remember this was possible with ACS 4.2.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ASC5.2 - How To Tell Which Domain Controller Request Is Sent
Sep 12, 2011Within ACS 5.2, does any know of a way to see which specific domain controller a request is sent to?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 4.2 Appliance Integrate Multi Domain
Sep 1, 2011I have a question. What is the requirement of integrate ACS 4.2 Appliance and AD about CA server? it has to be windows 2003 server enterprice o windows 2008 enterprice? or it can be windows 2003 and 2008 stand alone? another question is about multi domain, i have domain father and children. the installation of CA Server is in domain father to enable 802.1x with AD with all domain children integrate? or I can be install the CA server in the server of domain children and is it work (CA server installed in server in domain child and it working all domains child and father)?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Force ACS V.5 To Join Domain With Certain Controller?
Sep 5, 2012I try to join an ACS v. 5.3 to the domain. For my acs in Location A, I can join without problems using my account. When I try to join the ACS in location B to the same domain with the same account, it doesnt work.I looked at the debug log files for the ad client, and noticed, that the ACS in location B goes to a certain Domain Controller. However, I would have expected the ACS to contact another DC, which is located on the same location as the ACS ... this doesnt happen.
My question: How does the ACS determine what DC to contact ? Is it possible to force the AC to join by connecting a certain DC ?
Cisco AAA/Identity/Nac :: ACS 5.2 - AD Integrate With Single Domain Name With Multiple ADs
Sep 3, 2011We having ACS version 5.2 0.26 with Active/Standby. We need to integrate active directory with ACS. Domain name given by Server team was as xyzcompy.local. When I tried to resolve the same domain name I got five servers ip address against the same domain name. however we given the ip reachability to only for two servers. We we try to save we get error saying that "Can not resolve the network address".
So my questions are;
- does ACS should have ip reachaibility to all five servers
- does the username/password we entered in the ACS should have domain admin rights?.
- the given AD is configured with windows NTP [URL] but when we configured ACS as windows NTP it was taking local server as active NTP..?
When we check the ACS logs, we saw the following error;
in acsLocalStore:
AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],
in ACSADAgent;
32484]: INFO dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local
Sep 4 12:43:20 acs01-cc4 adjoin[32484]: INFO cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.
I attached some screen print which saw the error and output of nslookup for the domain name.
AAA/Identity/Nac :: ACS 5.1 Domain User Authentication Restriction
Sep 26, 2011We have configured ACS 5.1 for autenticating wireless users with active directory, which is working fine now.But we would like implement that single user should be authenticated through ACS . If any user try to access WLAN from multi system will be notified with multi login access restriction.Can we implement this policy in acs, if possible what are the exact configuration changes we have to implement.
View 1 Replies View RelatedAAA/Identity/Nac :: ACS 5.1 Authentication From Cross Domain User
Dec 28, 2011We have cross domain trust relationship established and I have added the user group in our ACS 5.1. we are using Active directory as an external Identity store. Also I have created a rule in the 'Access polices' to allow the user group. From the cross domain, I use abc@xxx.xyz as a user id, but I get this error message 13036 Selected Shell Profile is DenyAccess.
View 3 Replies View RelatedCisco AAA/Identity/Nac :: Windows Domain Account To View Reports Acs 5.2
Oct 5, 2012We have a Cisco ACS 5.2 deployment (appliance). It has an existing integration with Active Directory. We utilize this with RADIUS to authenticate our wireless users and TACACS for managing our network equipment.The RADIUS reports are useful for other teams (outside my own) to be able to troubleshoot password and account lockouts (everyone forgets to change the password on their phone).I would like to allow this team and other access to view the RADIUS authentications report.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS4.2 Windows Authentication To Other Trusted Domain?
Jun 6, 2011I'm installing ACS4.2 in our lab domain and want to leverage the corporate domain for authentication. The one way trust is in place, but there is a facet that I'm not clear on in regards to the installation requirement.
I'd like to install ACS on a lab domain member server, but I'm not sure that will work. The installation docs seem to imply that a member server must be in the same domain as the authentication server, but its not very clear. if I want to use the one way trust to the Corporate Domain, am I required to install ACS on the domain controller of the Lab Domain?
Cisco AAA/Identity/Nac :: 1121 - Configuring ACS To Strip Domain From Request And Sending It To AD
Jul 24, 2011We are currently evaluating a ACS 1121 running 5.2, we are trying to configure this to Authenticate eap-peap requests.
Our users will be using credentials in a username@example.com format, if the server sees a request using username@anotherrealm.com then it would forward the request to a external proxy radius server, if the server saw a request for our domain it would strip off the @example.com part and authenticate against AD.
Im finding it hard locating documentation to tell the server if a request comes from a NAS using username@example.com then strip @example.com and authenticate username against AD.
Cisco AAA/Identity/Nac :: ACS 4.1.4 Any Version With Domain Controller On Windows Server 2008 R2
Feb 28, 2010Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.I've read now serveral posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
View 5 Replies View RelatedAAA/Identity/Nac :: ASA5510 Entry For LDAP Object That Refers To Domain Controller
Feb 14, 2013On our ASA5510 in the area AAA Server Groups, there is an entry for LDAP and an object that refers to our 2003 Domain Controller. This DC has LDAP over SSL enabled and I can see the DN and Password for a domain user account.I've created two new DC's, both R2 2008 but when I enable these in the same way it says it could not authenticate, ERROR auth server not responding, AAA group removed.I thought this had something to do with CA being installed on a DC, but it's not running as a service on the DC that was already referred to.
View 2 Replies View RelatedCisco Firewall :: ASA 5585 / Identity Firewall With Single Forest / Multi-Domain
Dec 28, 2011I have a question with regard to setting up the ID firewall on the ASA 5585 in a single forest, multiple domain windows network.Currently I have a semi-operational IDF at the top level but can't find users on the lower other domains, here is the setup:I have 3 domains.
[URL]
Both domains have a two way parent-child trust and I can look for users in AD Users/Computer on both domains. I initially setup the ASA to look at domain1.test.com using an LDAP aaa-server per the IDF instructions, and then proceeded to configure the ad-agent. I installed the adagent on the domain1.test.com domain controller configured the settings on that system and had no problem adding users to the firewall and getting functionality within domain1. I looked to see if I could see domain 2 and domain 3 users and found none. I went ahead and added the domain2 system to the adagent on the DC and the system says that it is up, but when I search for users is not pulling them from domain2. Instead, it shows domain1 users as domain2user1. I also configured another adserver in the ASA to search ldap on domain 2 to no avail.The cisco documentation states the following:•Before you configure even a single domain controller machine using the adacfg dc create command, ensure that the AD Agent machine is first joined to a domain (for example, domain J) that has a trust relationship with each and every domain (for example, domain D[i]) that it will monitor for user authentications (through the domain controller machines that you will be configuring on the AD Agent machine). Single Forest, Multiple Domains—All the domains in a single forest already have an inherent two-way trust relationship with each other. Thus, the AD Agent must first be joined to one of the domains, J, in this forest, with this domain J not necessarily being identical to any of the domains D[i] corresponding to the domain controller machines. Because of the inherent trust relationship between domain J and each of the domains D[i], there is no need to explicitly configure any trust relationships.Reading that it sounds like it should just work. I had everything properly configured before I installed the adagent, but I'm guessing that there is a chance that you can't have the adagent on the top level DC and get to communicate with the lower level domains.
Cisco AAA/Identity/Nac :: Getting ACS 5.4.0.46.3 Error
Jun 3, 2013ACS 5.4, when I was working in it. In the CLI appeared this file to solution I have to reload the ACS.
SMflag : 1Cmd str: haltSave the current ADE-OS running configuration? (yes/no) [yes] ? noContinue with shutdown? [y/n] Func Trace: <<< vsh_mark_process_status >>>22007: Terminated by signal 2.EOL ==>completedJob is completeRestored the shell's terminal mode.EOL: abnormal exit: code: 0EOL: signaled: 2 InterruptCmd execution successful
[Code] .........