Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Integrating ACS with Active directory login

Hi,

I am having a problem setting this up. Has anyone done this before ?

If so is it a relatively straight forward process or are there some " tricks" that I should look out for.

I am setting up EAP-TLS and would like to have a single login that authenticates against ACS using Active directory password database.

Thanks

7 REPLIES
Anonymous
N/A

Re: Integrating ACS with Active directory login

The following is the procedure for setting up the AD for ACS. In the ACS GUI, go to External User Databases - Database Configuration, click on Windows NT/2000 and Create New Config. Hit Configure, scroll down and hit Submit. Go to External User Databases - Unknown User Policy now and select the "Check the following UserDatabases" radio button, and move the Windows NT/2000 database over to the Selected Databases window. Hit submit.

I think there are some issues with integrating AD in ACS NT v2.6(4)

New Member

Re: Integrating ACS with Active directory login

You need to setup certificate services on Windows 2000 server. Each individual user login id requires user certificate. I have tested this with ACS 3.0 and its working fine

New Member

Re: Integrating ACS with Active directory login

Let me give you an overview of what the setup looks like. I have a windows 2000 server SP 3 running as a domain controller and a CA (standalone), I have another machine with windows 2000 server SP3 running ACS3.2 the server is running in standalone mode but has joined the domain.

The wireless users are able to authenticate and that works fine, the problem I am having though is when I reset the password on the domain controller, the wireless clients still logon with there old password, the new password does not work. Similarly , if I force the user to change password on next logon this does not work. If I take this very same wireless machine and connect it via ethernet, the new password takes effect and I am prompted to change my password.

Have you any ideas ??

Many thanks

New Member

Re: Integrating ACS with Active directory login

Here is some doc from Cisco's website regarding password changes:

Password Change Prompt/GUI

The PEAP supplicant supports Microsoft Windows Password Change as directed by the Windows NT Active Directory user database. The user is prompted for password change in the timeframe and method specified by the Windows NT/2000 server configuration (Figure 19).

During the Microsoft Password Change process, the password credentials that are stored on the machine (local cache) from the authentication immediately preceding the password change message are not updated. Thus, although the password is updated on the Windows NT/2000 domain server, the user must perform extra steps in order to synchronize the local cache and domain controller. The user can either connect directly (via Ethernet) to the Windows NT domain in order to update the cached login credentials, or can manually change the password (after logging in to the system with a new password) once the wireless connection is established.

New Member

Re: Integrating ACS with Active directory login

Thank you for your reply. Do you perhaps have a link to the document you referred to .

The problem I experience though is that when I reset the password on the Domain controller, the wireless client does get prompted to reset his login password, but once I enter the new password I get returned an error stating that the domain controller is unavailable. If I connect via ethernet everything works fine.

I dont know if I am missing something on the config. I have also read about machine authentication and am a bit unsure as to whether this should be enabled or not.

Many thanks

New Member

Re: Integrating ACS with Active directory login

I have followed the procedure you have mentioned above. There is however some additional configuration required if ACS is installed on a standalone server so that ACS can authenticate users on the domain controller.

That portion of the configuration is what I am a bit unsure about.

Are you familiar with that portion of the configuration ??

Thanks for your reply!

New Member

Re: Integrating ACS with Active directory login

i think the problem is the database synchronization between the ACS and the DC. try to stop and restart ACS after you change the user password at the DC.

for further troubleshooting start csradius debugging at cmd-line.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#ob_nt

342
Views
0
Helpful
7
Replies
CreatePlease login to create content