New Member

ACS 4.1 AD Authentication

We have an existing HA deployment of Cisco ACS 4.1 servers authenticating wireless users with 802.1X against AD. We are looking to retire a number of older DCs in the near future. Prior to retiring the DCs, I want to make sure no authentication requests are being sent to them. From the ACS GUI, I cannot determine what DC IP / hostnames the ACS is pointing to. Within External User Databases -> Database Configuration -> Windows Database, I don't see any mention of server IP / hostname. I've run through the configuration guide, but didn't see any place where you enter the information either. Is it possible the DC server IP addresses are also stored within some configuration file on the server itself? Does anyone have any suggestions short of running Wireshark captures to/from each of the DCs to see if authentication requests are coming from the ACS servers? Any advice or suggestions would be appreciated.

1 ACCEPTED SOLUTION

Cisco Employee

From the ACS perspective this can't be done, because choosing the DC is not under the control of ACS. ACS forwards user credentials to a Windows database by passing the user credentials to the Windows operating system of the computer that is running ACS for Windows or the Solution Engine remote agent. The Windows database passes or fails the authentication request from ACS.

You can refer to the link listed below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353547

If you are running ACS on Windows, then you have the liberty to use the Windows LMHOSTS file.

As a final means of ensuring communication with specific domain controllers, on the member server that is running ACS, configure an LMHOSTS file to include entries for each domain controller that ACS must authenticate against. The format of an LMHOSTS file is very particular. Ensure that you understand the requirements of configuring the LMHOSTS file. For more information, see:

- Microsoft.com: LMHOSTS File
- The example LMHOSTS file is included with the Windows operating system. The default location and filename for the sample file is `<systemroot>\system32\drivers\etc\lmhosts`

For more information, please refer to the document listed below:
http://www.scribd.com/doc/50262863/345/Using-the-Lmhosts-File

NOTE: In order to check which domain and DC ACS is trying to connect to, check auth.log when set to full logging.

Hope this helps.

Regards,

Jatin Katyal

*Do rate helpful posts*

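The LMHOSTS approach the answer describes, worked through as an added example (this is not code from the post or from Cisco): it writes `#PRE #DOM:` entries that pin the member server running ACS to specific domain controllers, reloads the NetBIOS name cache, and then uses `nltest` to show which DC the server's secure channel and the DC locator actually pick. The domain name `CORP`, the DC names `DC01`/`DC02` and the addresses `192.0.2.10`/`192.0.2.11` are constructed placeholders; substitute your own. Run it in an elevated PowerShell on the ACS host.

```powershell
# Added example, not from the original thread. Assumed values (replace them):
# NetBIOS domain CORP; DCs DC01 = 192.0.2.10 and DC02 = 192.0.2.11.
$Domain = 'CORP'
$DomainControllers = @(
    @{ Name = 'DC01'; IP = '192.0.2.10' },
    @{ Name = 'DC02'; IP = '192.0.2.11' }
)
$LmhostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'

# LMHOSTS lines are whitespace separated: <IP> <NetBIOS name> [#PRE] [#DOM:<domain>]
# #PRE preloads the entry into the NetBIOS name cache; #DOM:<domain> marks the
# host as a domain controller for that domain. Keywords must be uppercase.
$entries = foreach ($dc in $DomainControllers) {
    '{0,-16}{1,-16}#PRE #DOM:{2}' -f $dc.IP, $dc.Name, $Domain
}

# Keep a timestamped backup of any existing file, then write plain ASCII
# (LMHOSTS is parsed as an ASCII file, not Unicode).
if (Test-Path $LmhostsPath) {
    Copy-Item $LmhostsPath "$LmhostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
}
Set-Content -Path $LmhostsPath -Value $entries -Encoding Ascii

# Purge and reload the NetBIOS name cache from the #PRE entries, then display it
# so the pinned DC names can be confirmed.
nbtstat -R
nbtstat -c

# Which DC does this member server's secure channel currently use?
nltest "/sc_query:$Domain"

# Which DC does the DNS-based DC locator (used for Kerberos/LDAP) select?
nltest "/dsgetdc:$Domain"
```

Two points worth keeping in mind when reading the output. LMHOSTS only steers NetBIOS name resolution; the DC locator shown by `nltest /dsgetdc` selects controllers from DNS SRV records, so a DC slated for retirement should also be checked there. And, as the answer notes, the ACS `auth.log` at full logging remains the place to see which domain and DC ACS itself was handed by Windows for a given request.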