9571 Views, 3 Helpful, 11 Replies

Integration Of Cisco ACS and MS Active Directory !!!

Hi,

Please help me to configure the Cisco ACS to authenticate users from MS Active Directory. Cisco ACS = 4.2.1(15)

Currently, I have multiple users configured in the local database, but now I want to authenticate the domain users.

Looking for the comments...

Regards,

Mubasher

11 Replies

Jason Masker
Level 1

Do you have an ACS appliance or ACS for windows?

Hi Jason,

I have ACS for Windows.

Please advise.

Regards,

Mubasher

iilyinas
Level 3

Hi, Mubasher!

You have to configure External User Databases.

Please, look here: http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html

See "Configuring a Windows External User Database". Actually, the whole "External Databases" chapter is worth reading before configuring.

Cheers, Iron

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi,

Thanks for the reply.

I followed the link below,

http://docwiki.cisco.com/wiki/Access_Control_Server_configuration_example

for the integration between ACS and AD. After that, when I tried to log in with a domain user, I was not able to log in and was getting "Authentication Failed". Then I checked in Failed Attempts and found "External DB user invalid or bad password".

Finally, when I added the same account (user) in Cisco ACS and set "Password Authentication = Windows Database" in User Setup, I was able to log in.

My question is: is this the right way? Because before, I was thinking that an unknown user would be checked against the "Unknown User Policy" and authenticated directly using the domain username/password, with no need to create the user in ACS.

Looking for any comments...

Regards,

Mubasher

The message "External DB user invalid or bad password" means there is something wrong with the login/password pair.

1. Please check: does this user exist in the Windows database? Check that the password is right.

2. Do you add "DOMAIN\" before the username when trying to log in using External Database - Windows User Database? You have to use a domain-qualified username...

Hi,

1) Username and password are correct.

2) I just tried Domain/username; it also gives the same error.

But when I create the same username (AD) in Cisco ACS and set "password authentication = Windows Database" under User Setup, it works.

Please clarify one thing: do I need to create the same AD user in Cisco ACS and set "password authentication = Windows Database" under User Setup? Is this correct or wrong?

Please advise.

Regards,

Mubasher Sultan

Hi, Mubasher,

If you set up the "Unknown User Policy" to authenticate via an external database and set up the external database (Windows user database), you don't need to create an additional user on ACS with password auth = Windows database.

...also... not "Domain/username", but "Domain\username"...

Cheers, Iron
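The point Iron makes about the login format is easy to get wrong at the keyboard, so here is a small helper that parses what a user typed into the domain-qualified form. This is an added example, not code from the thread or from Cisco: the thread only states that ACS needs `DOMAIN\username` when checking the Windows external database; the handling of the `user@domain` (UPN) form and the guess of the NetBIOS name from the DNS suffix are my assumptions, and the sample logins are constructed.

```python
from typing import NamedTuple, Optional


class ParsedLogin(NamedTuple):
    domain: Optional[str]      # NetBIOS-style domain, upper-cased; None if the user gave none
    user: str                  # bare account name
    qualified: Optional[str]   # DOMAIN\user form the thread says ACS needs, or None
    note: str                  # what was recognised or corrected


def parse_login(raw: str) -> ParsedLogin:
    """Normalise a typed login into the DOMAIN\\user form described in the thread.

    Recognised inputs:
      DOMAIN\\user      - the correct form (thread)
      DOMAIN/user       - common slip, forward slash; normalised to backslash (thread)
      user@dns.suffix   - UPN form; first DNS label taken as NetBIOS name (assumption)
      user              - unqualified; ACS cannot tell which Windows domain to check
    """
    name = raw.strip()
    if not name:
        raise ValueError("empty login")

    if "\\" in name:
        domain, _, user = name.partition("\\")
        note = "already domain-qualified"
    elif "/" in name:
        domain, _, user = name.partition("/")
        note = "forward slash normalised to backslash"
    elif "@" in name:
        user, _, dns_domain = name.partition("@")
        domain = dns_domain.split(".")[0]
        note = "UPN form; NetBIOS domain guessed from first DNS label (assumption)"
    else:
        return ParsedLogin(None, name, None,
                           "no domain given: ACS will not know which Windows domain to check")

    if not domain or not user:
        raise ValueError(f"malformed login: {raw!r}")

    domain = domain.upper()          # NetBIOS domain names are case-insensitive
    return ParsedLogin(domain, user, f"{domain}\\{user}", note)


if __name__ == "__main__":
    # Constructed sample logins; "CORP" is a placeholder domain, not from the thread.
    for sample in ("CORP\\mubasher", "corp/mubasher", "mubasher@corp.example", "mubasher"):
        print(f"{sample!r:28} -> {parse_login(sample)}")
```

Feeding the exact string a user typed through `parse_login` before testing against ACS shows at a glance whether the failure is the separator, a missing domain, or genuinely the login/password pair as the "External DB user invalid or bad password" message says.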

Hi Iron,

Thanks for your reply.

I understand your point. But it is still not working for me.

But the point is that whenever I create the same user in ACS, it takes the AD password. So communication is happening.

Do I need to check something, or is something required, on MS AD?

Please let me know of any logs which can help me, or whether you have any step-by-step procedure with snapshots available.

Thanks for your patience and reply.

Regards,

Mubasher Sultan

Hi iilyinas,

I too am trying to set up user authentication with AD but I do not have access to this link you provided on External User Databases. Is there another way I can get access to that document?

Matt

mauzamor
Level 1

Hi there,

If under Unknown User Policy you have already selected the MS database, then you don't need to manually create the same AD users in the ACS. If at this point the authentication is not working, can you share with us the following:

- What type of authentication are you testing? Telnet, SSH, PEAP, etc.?

- Which operating system are you running on the Windows AD server?

- Is it Windows Server 2003 or 2008?

- Is it R2 or not?

- Is it 32-bit or 64-bit?