Please help me to configure the Cisco ACS to authenticate the users from MS Active Directory. Cisco ACS = 4.2.1(15)
Currently, I have multiple users configured as local database, but now I want to authenticate with the domain users.
Looking for the comments...
I have an ACS for Windows...
You have to configure External User Databases.
See "Configuring a Windows External User Database". Actually, the whole "External Databases" chapter is worth reading before configuring.
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Thanks for the reply.
I followed the below link,
for the integration between ACS and AD. After that, when I tried to log in via a domain user, I was not able to log in and was getting "Authentication Failed". Then I checked in Failed Attempts and found "External DB user invalid or bad password".
At last, when I added the same account (user) in Cisco ACS and put "Password Authentication = Windows Database" in user setup, I was able to log in.
My question is: is this the right way? Because before, I was thinking that the unknown user would be checked against the "Unknown User Policy" and the user would be authenticated directly by using the domain username/password, with no need to create the user in ACS.
Looking for any comments...
This message "External DB user invalid or bad password" means there is something wrong with the login/password pair.
1. Please, check: does this user exist in Windows Database? Check that the password is right.
2. Do you add "DOMAIN\" before the username, when trying to log in using External Database - Windows User Database? You have to use Domain-Qualified Username...
1) Username and password are correct.
2) I just tried Domain/username; it also gives the same error.
But when I create the same username (AD) in Cisco ACS and give "password authentication = Windows Database" under user setup, it works.
Please clarify one thing for me: do I need to create the same AD user in Cisco ACS and set "password authentication = Windows Database" under user setup? Is this correct or wrong?
If you set up "Unknown User Policy" to authenticate via external database and set up external database (Windows users database), you don't need to create additional user on ACS with password auth = win database.
...also... not "Domain/username", but "Domain\username"...
Thanks for your reply.
I understand your point. But still it is not working for me.
But the point is that whenever I create the same user in ACS, it takes the AD password. So, communication is happening.
Do I need to check or require something on MS AD?
Please let me know of any logs which can help me, or whether you have any step-by-step procedure with snapshots available.
Thanks for your patience and reply.
I too am trying to set up user authentication with AD but I do not have access to this link you provided on External User Databases. Is there another way I can get access to that document?
Try this link:
If under Unknown User Policy you already have selected the MS database, then you don't need to create manually the same AD users in the ACS. If at this point the authentication is not working, can you share with us the following:
- What type of authentication are you testing? Telnet, SSH, PEAP, etc.?
- Which operating system are you running on the Windows AD server?
- Is it Windows Server 2003 or 2008?
- Is it R2 or not?
- Is it 32-bit or 64-bit?