WLC4402, SSC 4.0, EAP FAST with ACS 4.1.23 and Active Directory

Answered Question
Nov 1st, 2007

Hi All,

I have a problem where my SSC (Cisco Secure Services) wireless client software on the laptops will only authenticate the windows domain users if they enter the username and passwords manually. The single sign on feature will not work. I am using EAP-FAST. This is an appliance based ACS server which I have restored from the recovery CD.

When I look at the failed authentication requests I can see that it is trying to send [email protected] when attempting single sign on. The log states that this is a bad username or password. Note that the end of the domain name is missing.

I can see the authentication attempt in the remote agent log (CSWINagent.log) on the domain controller so I know it is sending the login request to the DC. The Remote Agent is the same version as the ACS server. When I authenticate successfully (manually) it is not sending the domain portion of the username.

This is a new installation. Initially I had 2 remote agents, both on DCs; the service was running as a Windows domain admin account with the necessary privileges. After a scheduled power down at the weekend the Windows authentication stopped working completely. I found a post in this forum which said to use Local System to start the remote agent service. This brought the Windows authentication back to life, but now I have this problem. I'm sure that before I changed it the manual login also required the domain portion (i.e. domain\username). I can't be certain this is the case though!

Can anybody help me to get windows AD to accept these credentials as they are sent from the client login? Alternatively if I can get it to work with the user account it worked with originally then that would be great.


Many thanks


Correct Answer
Premdeep Banga Fri, 11/02/2007 - 13:07

As you have mentioned, SSC is sending the username as "[email protected]" during SSO.


What I can think of for the moment is, to use Proxy Distribution feature on ACS.


i.e. as the request coming to ACS is "[email protected]", we'll make ACS strip off "@domain" and send "username" to the RA for verification against AD.


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342969


After stripping "@domain", send the request back to the ACS SE itself, i.e. in the Forward To column, ensure that we have the ACS SE's entry.


Let me know if this works for you.


Regards,

Prem
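
For readers who want to see the realm-stripping step Prem describes before touching the appliance, here is a small added model of it. This is example code written for this page, not Cisco ACS code and not from anyone in the thread. It mirrors the Proxy Distribution Table fields the linked doc describes (Character String, Position, Strip, Forward To) and applies them to constructed usernames; the domain `example.local`, the `ACS_SE_SELF` label and the case-insensitive matching are assumptions, not documented ACS behaviour.

```python
"""Realm stripping modelled on an ACS-style Proxy Distribution Table.

Added example for this thread, not Cisco ACS code. It reproduces the
table fields (Character String, Position, Strip, Forward To) so the
effect on an SSO username such as user@domain can be checked offline.
Case-insensitive matching and the sample usernames are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed label for the local appliance, i.e. the "Forward To" value that
# hands the stripped request back to the ACS SE itself.
ACS_SE_SELF = "ACS-SE (self)"


@dataclass(frozen=True)
class ProxyEntry:
    character_string: str  # realm text to match, e.g. "@example.local"
    position: str          # "suffix" (user@realm) or "prefix" (REALM\user)
    strip: bool            # remove the matched realm before forwarding
    forward_to: str        # server that receives the request


def apply_entry(entry: ProxyEntry, username: str) -> Tuple[bool, str]:
    """Return (matched, username_to_forward) for one table entry."""
    needle, hay = entry.character_string.lower(), username.lower()
    if not needle:
        # An empty match string would match everything; treat as no match.
        return False, username
    if entry.position == "suffix" and hay.endswith(needle):
        return True, username[:-len(needle)] if entry.strip else username
    if entry.position == "prefix" and hay.startswith(needle):
        return True, username[len(needle):] if entry.strip else username
    return False, username


def distribute(username: str, table: List[ProxyEntry]) -> Tuple[str, str]:
    """Pick the first matching entry and return (forward_to, username_sent).

    No match behaves like the "(Default)" entry: the request is handled
    locally with the username untouched, which is why a manual login of
    plain "jsmith" keeps working alongside the stripping rule.
    """
    for entry in table:
        matched, sent = apply_entry(entry, username)
        if matched:
            if not sent:
                # Realm with no user part: nothing sensible to send to the DC.
                raise ValueError(f"username {username!r} is realm-only")
            return entry.forward_to, sent
    return ACS_SE_SELF, username


# Constructed table: strip the SSO realm suffix and the DOMAIN\ prefix form,
# handing both back to the ACS SE so the Remote Agent sees a bare username.
EXAMPLE_TABLE = [
    ProxyEntry("@example.local", "suffix", strip=True, forward_to=ACS_SE_SELF),
    ProxyEntry("EXAMPLE\\", "prefix", strip=True, forward_to=ACS_SE_SELF),
]

if __name__ == "__main__":
    # Constructed usernames: SSO form, mixed case, DOMAIN\user form, manual login.
    for u in ("jsmith@example.local", "JSmith@EXAMPLE.LOCAL", "EXAMPLE\\jsmith", "jsmith"):
        print(u, "->", distribute(u, EXAMPLE_TABLE))
```

The check that matters after adding the real entry is the one the question already points at: the Failed Attempts report should stop showing the "@domain" form, and the Passed Authentications report should show the bare username. If the failed entries still carry the realm, the Character String did not match what the client actually sends, so copy it exactly as it appears in the failed log rather than as you expect it to look.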

dheavey30 Wed, 11/07/2007 - 05:12

Prem, It worked straight away after doing this. Thanks very much for this. Much appreciated.

D
