Cisco ACS 4.1 to External AD for authentication

parthibanp
Level 1

Hi,

We have just configured Cisco ACS Solution Engine 4.1 and are using a Windows 2003 Domain Controller as a remote agent. We are using TACACS+ as the protocol.

The users created in ACS itself are able to log in to various network devices, but domain (Active Directory) users are unable to log in; we get an access denied message. At the same time we get an "External DB is not operational" message in ACS.

On the Active Directory server where the agent is running, in the CSWinAgent log we get the following error: "NDLIB..FOUND 0 TRUSTED DOMAIN"

Could you please help us to isolate the problem.

Thanks & Regards


8 Replies

Jagdeep Gambhir
Level 10

Make sure the software version of ACS and the remote agent is the same. Also, the account running the remote agent should have special domain admin rights, like "Act as part of the operating system" and "Log on as a service".

Regards,

~JG

Dear JG, thanks for the great input. As per your response, we found out that the software version running on the Remote Agent was wrong. We have now installed the correct version corresponding to the ACS software version, but we are still facing a problem with Active Directory users logging in to network devices.

Please find below the error we are getting in the CSWinAgent log on the Active Directory server.

CSWinAgent 05/13/2008 11:47:18 A 0386 3068 RPC: NT_MSCHAPAuthenticateUser received

CSWinAgent 05/13/2008 11:47:18 A 0063 3068 NTLIB: Attempting Windows authentication for user test

CSWinAgent 05/13/2008 11:47:18 A 0063 3068 NTLIB: Windows authentication FAILED (error 6L)

CSWinAgent 05/13/2008 11:47:18 A 0451 3068 RPC: NT_MSCHAPAuthenticateUser reply sent

Please note that we have only one Domain Controller, on which we have installed the Remote Agent. There is no trusted or child domain.

Make sure the remote agent service is running using a local admin account, since the RA is running on the DC.

Also, check how many processors we have on that RA system, and what operating system and SP we have on the RA system.

Regards,

~JG

Dear JG,

Thanks again for your input. It has now resolved the issue. Thanks again.

The following are the main steps we carried out to make it work:

1) Added the ACS hostname in the Active Directory server's Computers container.

2) Enabled NetBIOS on the ADS.

3) Made sure the remote agent service is running using a local admin account.

We have the following issues once we log in with Active Directory users:

a) When an ADS user logs in through SSH, after giving the username and password it goes directly to enable mode (not asking for the enable password at all).

b) When an ADS user logs in through the console, it is not accepting the enable password. Do we need to modify the AAA configuration on the router and in ACS?

Thanks for your time.

a) The reason it goes directly to enable mode is because we have priv 15 defined for that user.

If you don't want the user to log in directly to enable mode, then lower the privilege level for that user.

b) There must be some misconfiguration. It should also not work via SSH, but since we have exec authorization configured, it bypassed the enable password.

On ACS, in User Setup --> TACACS+ Enable Password options --> choose any one: Use Cisco PAP password, Use Windows password, or Use separate password.

That should fix it.

Please mark it resolved so others can benefit from it.

Regards,

~JG

Do rate helpful posts
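As an added illustration of JG's explanation (this is example configuration, not from the thread or any Cisco documentation): a minimal IOS AAA setup in which exec authorization hands the ACS-assigned privilege level to the session, so a priv 15 user lands in privileged EXEC without an enable prompt, while a lower-privilege user's enable password is checked against ACS. The ACS address and keys are placeholders.

```cisco
! Added example, not configuration from the original post. 192.0.2.10 and
! the two secrets are placeholders for the ACS Solution Engine and its keys.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE_TACACS_KEY
!
! Login authentication: AD users are checked by ACS via the Remote Agent;
! 'local' is only consulted when no TACACS+ server answers.
aaa authentication login default group tacacs+ local
!
! Exec authorization: ACS returns the user's privilege level with the
! session. A user defined with priv 15 in ACS starts in privileged EXEC,
! so no enable password is ever requested (issue a). Lower the level in
! ACS User/Group Setup if such users must run 'enable' first.
aaa authorization exec default group tacacs+ local
!
! Enable authentication: when a lower-privilege user types 'enable', the
! password is verified by ACS using the choice made in User Setup ->
! TACACS+ Enable Password (Cisco PAP, Windows, or separate password);
! the local enable secret is used only if ACS is unreachable (issue b).
aaa authentication enable default group tacacs+ enable
!
enable secret EXAMPLE_ENABLE_SECRET
!
line con 0
 login authentication default
 authorization exec default
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
```

Keep the `local`/`enable` fallbacks in place and a local privileged account defined, otherwise a Remote Agent or ACS outage locks administrators out of the device.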

Dear JG,

Thanks for the great help.

Everything is fixed and working fine.

On ACS, in User Setup --> TACACS+ Enable Password options --> choose any one: Use Cisco PAP password, Use Windows password, or Use separate password. Here, if I put Windows password, will it change for the users at each login, or will it be permanent?

Thanks & Regards

Not sure if I understand your last issue. Are you talking about password expiry?

Please rephrase it.

Glad to know things are moving :-)

Dear JG,

I was talking about the dynamic users' enable password. Can we set the dynamic users' password permanently, so that we don't need to set the password each time they log in? How long will the dynamic users' login details be available in the user list in ACS?

We find there is no such option in the group those users belong to.

Thanks & Regards
