I'm having issues authenticating (MS-PEAP) a user in an MS Domain/Active Directory on W2K or W2003. I have installed the latest remote agent and the ACS sees the agent. I can define a local user to the ACS and authenticate with no problems. However, I have configured the unknown user properly and the group mappings. I see in the failed attempts log I am sending DOMAIN\UserID properly, however it is failing with an "Internal Error". In the documentation (I am not an MS expert), I am confused about two items. First, for the Computer Account named CISCO, all users must be able to log on using that account. All users have the attribute to allow them to log on to any computer. That should cover the CISCO computer account, right?
Secondly, I do not follow this documentation instruction:
"To the user account that you create, grant Read all properties permission for all Active Directory folders containing users that ACS must be able to authenticate. To grant permission for Active Directory folders, access Active Directory from the Microsoft Management Console and the security properties for the folders that contain users whom ACS will authenticate."
Which folder is it that I should grant these permissions on? Thanks for any hints and suggestions.
Just to close the loop: I opened a TAC case and based on the output from the logs, the engineer asked me to change the CS Agent service running on the domain controller to Logon with a Local System Account and to Allow service to interact with the desktop. Once I made the change, everything started to work. Either the documentation is very wrong or there is a bug in either the ACS code or the CS Agent code.