ACS 5.0.0.21.8; Auth against AD fails (resolved by upgrade to 5.1)
Recently installed ACS 5.0.0.21.8 and set up ACS for device administration using TACACS+.
Everything works as expected; ACS integrated correctly with the end points, and local users can authenticate onto an end point correctly through AAA.
Debug on the end points shows successful AAA comms to ACS.
Now I'm at the point of removing all local users in ACS and integrating ACS with AD.
I set up the external store AD section with the correct domain name and added the AD user (the AD service account had domain admin rights).
I clicked 'test connectivity' button and got a successful connection first go.
I setup the AD section to link to 2 AD groups.
Now I run into a brick wall.
I cannot seem to authenticate an AD user for AAA access onto a router or switch using telnet.
I checked the logs and noticed that it says 'unknown user' and the store it's using says 'internal store'.
I have set the identity store sequence to be AD first then local but ACS still does not seem to check against the external store.
I'm not sure if I should be setting up ACS-to-AD group mappings, or whether this will have any effect, like it did in 4.2.
I'm also unsure as to how the rule set should be changed in my access policies; e.g. do I need to click the customize button and add in a new policy element, and then rewrite the rules to exclude local groups and include AD groups, so as to get ACS to perform the user lookup against the external AD store?
If anyone can point me in the right direction, it would be greatly appreciated, or
if someone could please point me towards a step-by-step guide on how to correctly set up ACS to integrate with AD for TACACS+ device admin, this would also help.
Did you notice the TACACS+ authentication logs in AAA protocol logs > TACACS authentication? Do you see "internal error in ACS/AD"? You need to apply patch 9 (5-0-0-21-9.tar.gpg); there is some issue with 5.0.0.21 and AD authentication.
You can download the patch from the link below:
Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > click on 5.0.0.21
HOW TO APPLY PATCH ON ACS 5.0
=============================
Go to the CLI mode of this ACS.
Create a repository (it's basically defining the FTP server; the repository name could be anything, FTP is used here):

  AAA/admin(config)# repository FTP
  AAA/admin(config-Repository)# url ftp://<ftp-server>/<path>
  AAA/admin(config-Repository)# user <ftp-username> password plain <ftp-password>
  AAA/admin(config-Repository)# exit
  AAA/admin(config)# exit

After that, place the patch on the FTP server, then install it by file name from that repository:

  AAA/admin# acs patch install 5-0-0-21-9.tar.gpg repository FTP

From here it will stop the services, apply the patch and start the services again.
We can check the version status using:

  AAA51/admin# show application version acs
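A quick triage of the TACACS+ authentication log the reply above tells you to look at, as an added example that is not code from this thread or from Cisco. It separates the two failure signatures named here: 'unknown user' reported against the internal store (the request never reached AD, so the identity policy of the access service is the thing to check) and 'internal error in ACS/AD' (the AD connector fault that patch 9 addresses). The CSV column names and the sample rows are constructed for this example; an ACS 5 report export uses its own headers, so map them before running this on a real file.

```python
"""Triage ACS 5 TACACS+ authentication records by failing identity store.

Added example. The CSV layout below is an assumption made for this script;
real ACS 5 report exports have different column names.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample export (not real log data).
SAMPLE_LOG = """\
Timestamp,Username,Identity Store,Status,Failure Reason
2010-03-01 10:01:02,localadmin,Internal Users,Passed,
2010-03-01 10:02:15,CORP\\jsmith,Internal Users,Failed,unknown user
2010-03-01 10:02:40,CORP\\jsmith,Internal Users,Failed,unknown user
2010-03-01 10:05:01,CORP\\mjones,AD1,Failed,internal error in ACS/AD
2010-03-01 10:06:11,CORP\\mjones,AD1,Failed,wrong password
2010-03-01 10:07:30,CORP\\ashah,AD1,Passed,
"""

INTERNAL_STORE = "Internal Users"  # assumed name of the ACS internal user store

# What each classification means, in the terms used in the thread above.
ADVICE = {
    "internal-store-only": "lookup stopped at the internal store: check the access "
                           "service identity policy / identity store sequence (AD first)",
    "ad-connector-error": "AD connector fault: apply patch 9 (5-0-0-21-9.tar.gpg)",
    "other-failure": "user reached a store and was rejected there: credential or group "
                     "problem, not an integration problem",
    "passed": "authenticated",
}


def parse_records(text):
    """Parse a CSV export into a list of row dicts keyed by header name."""
    return list(csv.DictReader(StringIO(text)))


def classify(rec):
    """Map one record to one of the ADVICE keys."""
    if rec["Status"] == "Passed":
        return "passed"
    reason = rec["Failure Reason"].lower()
    if "internal error in acs/ad" in reason:
        return "ad-connector-error"
    if rec["Identity Store"] == INTERNAL_STORE and "unknown user" in reason:
        return "internal-store-only"
    return "other-failure"


def triage(text):
    """Count records per classification."""
    return Counter(classify(r) for r in parse_records(text))


def affected_users(text, label):
    """Sorted distinct usernames whose records fall under `label`."""
    return sorted({r["Username"] for r in parse_records(text) if classify(r) == label})


if __name__ == "__main__":
    counts = triage(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label:20s} {ADVICE[label]}")
        for user in affected_users(SAMPLE_LOG, label):
            print(f"       {user}")
```

Run it against a real export only after renaming the columns; the point of the split is that a pile of 'unknown user' rows attributed to the internal store is a policy-ordering problem and no AD patch will change it, while 'internal error in ACS/AD' rows mean the request did reach AD and the connector itself failed.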
You're probably correct, although I was swapping between FF and Safari (Mac).
I did notice that certain windows would crash using FF, and I would use Safari for dragging items from one selection box to another.
I swapped and changed browsers so much that I cannot recall 100% if I did or did not see that selection box in Safari.
I did have a colleague with me working on this problem and the upgrade; he only uses Safari and does not have FF installed (on his Mac), and he thinks that it wasn't available for him either. We cannot confirm it now that we have upgraded.