10-22-2010 09:58 AM - edited 03-10-2019 05:30 PM
Hi,
Please help me to configure Cisco ACS to authenticate users from MS Active Directory. Cisco ACS = 4.2.1(15)
Currently, I have multiple users configured in the local database, but now I want to authenticate the domain users.
Looking for the comments...
Regards,
Mubasher
10-22-2010 10:02 AM
Do you have an ACS appliance or ACS for windows?
10-22-2010 02:01 PM
Hi Jason,
I have ACS for Windows.
Please advise.
Regards,
Mubasher
10-27-2010 02:54 AM
Hi, Mubasher!
You have to configure External User Databases.
Please, look here: http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html
See "Configuring a Windows External User Database". Actually, the whole "External Databases" chapter is worth reading before configuring.
Cheers, Iron
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
10-27-2010 06:57 AM
Hi,
Thanks for the reply.
I followed the link below,
http://docwiki.cisco.com/wiki/Access_Control_Server_configuration_example
for the integration between ACS and AD. After that, when I tried to log in as a domain user, I was not able to log in and was getting "Authentication Failed". Then I checked in Failed Attempts and found "External DB user invalid or bad password".
At last, when I added the same account (user) in Cisco ACS and set "Password Authentication = Windows Database" in User Setup, I was able to log in.
My question is: is this the right way? Because before, I was thinking that the unknown user would be checked against the "Unknown User Policy" and the user would be authenticated directly using the domain username/password, with no need to create the user in ACS.
Looking for any comments...
Regards,
Mubasher
10-27-2010 07:27 AM
The message "External DB user invalid or bad password" means there is something wrong with the login/password pair.
1. Please check: does this user exist in the Windows database? Check that the password is right.
2. Do you add "DOMAIN\" before the username when trying to log in using External Database - Windows User Database? You have to use a domain-qualified username...
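As an added check that is not part of this thread: step 1 above (does the account exist, and is the password accepted) can be verified from the ACS for Windows host itself, independently of ACS, so that a bad credential or a wrong username separator is ruled out before digging into the Unknown User Policy. The script below is example code written for this page, not Cisco's; it assumes the ACS host is domain-joined and has PowerShell with the .NET 3.5 System.DirectoryServices.AccountManagement assembly available, and the DOMAIN\jdoe name is an assumption.

```powershell
# Added example (not from the thread): verify an AD account and password from
# the ACS for Windows host, independently of ACS.
# Assumes: domain-joined host, .NET 3.5 (System.DirectoryServices.AccountManagement).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AdCredential {
    param(
        [Parameter(Mandatory=$true)][string]$DomainQualifiedUser,   # e.g. "EXAMPLE\jdoe" (assumed name)
        [Parameter(Mandatory=$true)][string]$Password
    )

    # ACS expects DOMAIN\user with a backslash. Reject "DOMAIN/user" here so a
    # separator mistake is caught explicitly instead of surfacing as
    # "External DB user invalid or bad password" in Failed Attempts.
    if ($DomainQualifiedUser -match '^([^\\/]+)\\([^\\/]+)$') {
        $domain = $Matches[1]
        $user   = $Matches[2]
    } else {
        throw "Use the form DOMAIN\username (backslash), got '$DomainQualifiedUser'"
    }

    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $domain
    try {
        # Step 1a: does the account exist in the domain at all?
        $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $user)
        if (-not $principal)                 { return "NO_SUCH_USER" }
        if ($principal.Enabled -eq $false)   { return "DISABLED" }
        if ($principal.IsAccountLockedOut()) { return "LOCKED_OUT" }

        # Step 1b: does a domain controller accept this password?
        if ($ctx.ValidateCredentials($user, $Password)) { return "OK" }
        return "BAD_PASSWORD"
    } finally {
        $ctx.Dispose()
    }
}

# Usage: prompt for DOMAIN\username and password, then test them.
$cred = Get-Credential
Test-AdCredential -DomainQualifiedUser $cred.UserName -Password $cred.GetNetworkCredential().Password
```

If this returns OK for the domain user, the credentials and the DOMAIN\user form are fine and the problem is on the ACS side (Unknown User Policy or the Windows external database configuration); if it returns NO_SUCH_USER, DISABLED, LOCKED_OUT or BAD_PASSWORD, ACS is reporting the truth and the account itself needs attention first.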
10-27-2010 07:37 AM
Hi,
1) The username and password are correct.
2) I just tried Domain/username; it also gives the same error.
But when I create the same username (from AD) in Cisco ACS and set "Password Authentication = Windows Database" under User Setup, it works.
Please clarify one thing for me: do I need to create the same AD user in Cisco ACS and set "Password Authentication = Windows Database" under User Setup? Is this correct or wrong?
Please advise.
Regards,
Mubasher Sultan
10-27-2010 08:01 AM
Hi, Mubasher,
If you set up the "Unknown User Policy" to authenticate via an external database and set up the external database (Windows User Database), you don't need to create an additional user in ACS with password authentication = Windows Database.
...also... not "Domain/username", but "Domain\username"...
Cheers, Iron
10-27-2010 09:21 AM
Hi Iron,
Thanks for your reply.
I understand your point. But it is still not working for me.
The point is that whenever I create the same user in ACS, it accepts the AD password. So communication is happening.
Do I need to check or configure something on MS AD?
Please let me know of any logs which can help me, or whether you have a step-by-step procedure with screenshots available.
Thanks for your patience and reply.
Regards,
Mubasher Sultan
06-06-2012 04:30 AM
Hi iilyinas,
I too am trying to set up user authentication with AD but I do not have access to this link you provided on External User Databases. Is there another way I can get access to that document?
Matt
06-06-2012 04:36 AM
Hi, Matt!
Try this link:
Cheers, Iron
06-06-2012 05:42 AM
Hi there,
If under Unknown User Policy you have already selected the MS database, then you don't need to create the same AD users manually in ACS. If at this point the authentication is not working, can you share the following with us:
-What type of authentication are you testing? telnet, ssh, PEAP, etc?
-Which is the operating system you are running in the Windows AD server?
-is it Windows server 2003 or 2008?
-is it R2 or not?
-is it 32-bits or 64-bits?