Cisco Security :: ACS 4.2 And SecurID RSA Integration
Feb 5, 2013
We have Cisco ACS 4.2 installed on Windows 2003 with a secondary ACS on another machine. Database replication is okay. We installed the primary SecurID RSA Authentication Manager on the primary ACS and it is working okay as well.
Now we installed secondary SecurID RSA authentication manager on secondary ACS.
I have copied the required dll file (aceclnt.dll) to system32 folder from secondary SecurID RSA. SecurID RSA team gave me sdconf.rec file to be uploaded on ACS, but after creating new external DB (RSA Token), I do not see the option to upload the sdconf.rec file.
So without uploading sdconf.rec file, we shut down primary ACS service and tried to connect vpn, the request goes to secondary ACS, but it always tries to communicate with primary SecurID RSA authentication manager and getting attached screen on primary RSA authentication manager.
What is the exact procedure to be carried out to configure Cisco ACS and SecurID RSA in a high availability option?
I have an RSA SecurID appliance 3.0 "A120" V 7.1 Sp4 and Cisco Secure Access Control System (ACS) Appliance V4.1.1 (build 23). I make communication between the Cisco Secure ACS and the RSA SecurID appliance using the RADIUS protocol. I only configured the 1st IP for the RSA appliance and added this IP in Cisco ACS, and I went through the implementation guide that is attached in this discussion; all things are fine in authentication.
Now I enabled the second IP for RSA, but I do not know how to configure the Cisco ACS to know the second IP for RSA?
Is integration of LMS 3.2.1 with ACS 5.3 now possible? (I understood from this forum that early ACS 5.x could not integrate with LMS 3.2, but that this feature would be restored at one point in time (5.1?)).
First, I configured the ACS to synchronize time from AD as NTP server. Second, when I configure the integration between the ACS and AD and test the connection, there is no output from this test, but I see at the end of the page that the domain is connected. The problem is when I try to navigate the groups by going to directory groups and using select, there is no output.
I have integrated the ACS 5.3 with AD. Now my next goal is to integrate ACS with RSA in such a way that all my Cisco devices should use the username and password from the AD. The enable privilege level should come from the RSA Token OTP. Is it possible to do such a thing with ACS 5.3?
We have a customer who wants to configure his guest wireless network in such a way that the guest should fill in a self registration form and generate the username and password themselves. For this purpose we are using Cisco ISE but we don't know how to integrate it with Cisco WLC.
Our DDM admin would like to pull device information from LMS. I've enabled DB Views (ODBC) access and tested from my desktop that I can query the data successfully. The DDM admin is telling me DDM requires access to several master tables (sysservers, sysdatabases, syslogins, etc.) before he can query the RME/ANI device data. Are these master system tables available, exposed, or do they even exist in LMS? I can't find them.
We have an ACS running 4.2. I am sure that this ACS is talking to our AD database because our wireless users (using ACS as RADIUS servers) are able to log in using their Windows AD account.
However, I am not sure how ACS is integrated with AD. Our ACS is installed on a Windows 2003 R2 server. I am not sure where the AD database is, i.e., if AD is on the same server as ACS or on a different server [ADs managed by a different group altogether :-( ].
How is the integration done between ACS and AD when both are on the same Windows server? And how is the integration done between ACS and AD when they are on different Windows servers?
ACS is software installed on windows 2003 R2 server.
I have configured my WLC 4402 for Radius authentication using Cisco ACS server version 4.2 Patch 4. When using Local Database of ACS my Wireless Users are able to authenticate but users are not able to authenticate from External Database of Windows AD 2008 R1.
In ACS logs I am getting this error: Authentication session timed out. Challenge not provided by client.
We have an issue with authorization on the NCS system. NCS successfully integrated with ACS, but there is a problem with one user. All users have equivalent rights under root. There is a shell profile with all possible tasks (exported from the NCS server) configured on ACS. All users except this one (unlucky one:)) authorize successfully. In ACS logs, authentication and authorization status for this user is passed and all attributes (policy, profile, AV-pairs etc.) are the same as for the other users. This 'unlucky' user gets the following message: There is surely no browser or network issue. Tried from different PCs with the same result. There is no local info related to this username on the NCS server. When I change one character in the username on his ACS account, everything works well.
Our ACS version: 5.1.0.44.X and NCS version: 1.1.2.X
We are trying to integrate Cisco WLC 5508 and Microsoft NPS 2008 to allow users to use their AD username and password to authenticate to the wireless network. I basically followed the following document but with no luck (Appendix B): URL I've gone through some threads in this forum but also with no luck. Basically, we are receiving the following error in the NPS event viewer: A RADIUS message was received from RADIUS client a.a.a.a with an invalid authenticator. This is typically caused by mismatched shared secrets. Verify the configuration of the shared secret for the RADIUS client in the Network Policy Server snap-in and the configuration of the network access server.
We are planning to deploy an Application Control Engine (ACE family) and need to close the gap related to OWASP threat list measures. From what I could find in the information about the ACE solution, it seems that ACE doesn't have OWASP relations and we need to deploy an IPS (Intrusion Prevention System), which seems to hold and apply to OWASP threat list vulnerabilities. Question: is it possible to deploy an ACE 4710 with an IPS 4200 as one or in an inline deployment scenario?
What is the configuration required on ISE to integrate with Prime 1.3.0.20? On the PI side, I have added ISE in the below path: Design -> External Management Servers -> ISE Servers.
integrated the Cisco ACS 1121 with 5.1 and AD and been able to use multiple policies to permit or deny access to different NDGs? I am able to authenticate against AD but I am having an issue with getting the policies to use the user memberOf attribute to set access levels.
Now I need to integrate the WLC with Windows 2008 AD for authentication. The idea is to let the users authenticate via AD for accessing the wireless network.
know about Domino LDAP? I would like to integrate this LDAP with Cisco ISE. I try to bind this LDAP but it does not show me anything in "Naming Context", so I cannot choose a group to map into ISE. I tested this on WLC; it succeeds there, but I cannot make the same thing work with Cisco ISE. Is this LDAP supported with Cisco ISE 1.1.1?
I'm attempting to integrate an acs 5v into the domain through the gui. The connection will establish, and the status will read 'connected', just as it lists the domain I've submitted. However, I can't seem to find anything listed under the directory groups, and when I run a connection test, I simply get 'Global Catalogue port status error.' Eventually, I'd like to configure this as a radius server.
I need documentation or a procedure for how to integrate LMS 3.2 with Microsoft Active Directory to make usernames of devices appear in end host reports.
I have an ACS 5.2.0.26-8 running on a VM integrated with RSA. Users are able to log in using their RSA passcode for network management utilizing TACACS. The problem seems to be related to RSA token caching. Once a user logs in successfully on device A using the current token, he cannot log in with the same token on another device. The user must wait for a new token and then he can log in again. Before moving to ACS 5.2 we were using ACS 4.2 (integrated with the same RSA), and back then ACS 4.2 cached the passcode so users were able to log in on devices using the same passcode. When the token changes, the user has to use the new one. This provided the same functionality as the "Token Card Settings" Duration option under group properties, to cache the token for a specific period. The global option for caching under the RSA definition on 5.2 does not solve the problem.
I'm currently working on ACS 5.1 to use it as AAA server for Netscout NGenius. I followed a guide for ACS 4.2 and tried to replicate the configuration settings in ACS 5.1.
- created a host profile on network devices and AAA clients having the same shared key with NGenius
- added three (3) NGenius required attributes in system administration > configuration > identity > internal users
- added attribute values to Internal User database
- created an access policy:
* identity pointing to Internal Users
- edited serverprivate.properties in the NGenius server to match the requirements
I would like to have NGenius authenticate via ACS 5.1, but as of the moment there is an error message that I receive:
Unicentified error, Code=16510, Details: AV pairs do not match NGenius format ::<insert tacacs username here>, Severity 1, Code: 16510.
A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warnings: "Not all Active Directory user groups are retrieved successfully. One or more of the group's canonical name was not retrieved" (category CSCOacs_Identity_Stores_Diagnostics; code 24457).
What are the results of these warnings to the customer's network? Slow? Loss of access?
We have Nexus 7009 at a client network, but due to a limitation of Nexus switches that they cannot be directly integrated with RSA, the client has purchased Cisco ACS for the AAA. We are able to do the authentication and authorization via ACS. However, the client wants to further integrate the ACS with RSA so that authentication should happen via RSA and authorization should happen via ACS. Is that possible? If yes, how can I configure the ACS?
configure the Cisco ACS to authenticate the users from MS Active Directory. Cisco ACS = 4.2.1(15). Currently, I have multiple users configured in the local database, but now I want to authenticate with the domain users.
I have an ACS version 5.2 (TACACS) where I require equipment to be integrated with Sandvine. I am currently looking for information, and there is very little on managing the integration of ACS with these Sandvine systems.
I have information from the provider Sandvine with a guide for this case, which only states:
TACACS+ server: On a TACACS+ server, each user entry must allow the service "Sandvine". Within this service, the following attribute-value pairs can exist: • An attribute named "Sandvine-Group" of type string.
I am having an issue upgrading from 4.1 to 5.2 in regards to interoperability with our SafeConnect appliance. When I bring 5.2 online, Safe Connect reacts and causes network outages.
I'm having an issue when configuring the Cisco ACS 5.2 appliance 1121 to integrate Windows 2000 Active Directory as an External Users Database. I'm using an account with administrator privileges on AD (can create computer objects). The ACS registers itself successfully to the domain but it doesn't retrieve the AD groups, even when I change the search base and filter. This link says that ACS supports AD over Windows 2003, 2008 and 2008R2, but it doesn't say that it does not support Windows 2000. [URL]
After integrating vCenter with VNMC I see the ESX hosts that exist on vCenter on VNMC ResourceManagement>Resources>VirtualMachines, but I cannot see any of the VMs that exist on each of the ESX hosts. Yet the integration is so straightforward that I have no idea why I'm not getting VM information. Then obviously I cannot match any of the VM attributes on VSG for vZone creation, for instance. What can I do to troubleshoot this? VNMC version is 2.0(3)f, vCenter is on 5.0.0 build 755629
I have just recently purchased a 5505 Controller and 30 3502i APs. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password. I am also looking for as little client side set up as possible. From what I have researched, I will need to use some type of EAP method.
I have come across two methods that appear to be the top contenders.
EAP-FAST - The method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure this to work with just the 5508 Controller and an AD Database server, or do I need an intermediary like IAS or ACS?
PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Does this also require an intermediary like ACS or IAS?