The following is the procedure for setting up the AD for ACS. In the ACS GUI, go to External User Databases - Database Configuration, click on Windows NT/2000 and Create New Config. Hit Configure, scroll down and hit Submit. Go to External User Databases - Unknown User Policy now and select the "Check the following UserDatabases" radio button, and move the Windows NT/2000 database over to the Selected Databases window. Hit submit.
I think there are some issues with integrating AD in ACS NT v2.6(4)
Let me give you an overview of what the setup looks like. I have a Windows 2000 Server SP3 machine running as a domain controller and a CA (standalone), and another Windows 2000 Server SP3 machine running ACS 3.2; that server is running in standalone mode but has joined the domain.
The wireless users are able to authenticate and that works fine. The problem I am having, though, is that when I reset the password on the domain controller, the wireless clients still log on with their old password; the new password does not work. Similarly, if I force the user to change password on next logon, this does not work. If I take this very same wireless machine and connect it via Ethernet, the new password takes effect and I am prompted to change my password.
Here is some doc from Cisco's website regarding password changes:
Password Change Prompt/GUI
The PEAP supplicant supports Microsoft Windows Password Change as directed by the Windows NT Active Directory user database. The user is prompted for password change in the timeframe and method specified by the Windows NT/2000 server configuration (Figure 19).
During the Microsoft Password Change process, the password credentials that are stored on the machine (local cache) from the authentication immediately preceding the password change message are not updated. Thus, although the password is updated on the Windows NT/2000 domain server, the user must perform extra steps in order to synchronize the local cache and domain controller. The user can either connect directly (via Ethernet) to the Windows NT domain in order to update the cached login credentials, or can manually change the password (after logging in to the system with a new password) once the wireless connection is established.
Thank you for your reply. Do you perhaps have a link to the document you referred to?
The problem I experience, though, is that when I reset the password on the domain controller, the wireless client does get prompted to reset his login password, but once I enter the new password I get an error stating that the domain controller is unavailable. If I connect via Ethernet everything works fine.
I don't know if I am missing something in the config. I have also read about machine authentication and am a bit unsure as to whether this should be enabled or not.
I have followed the procedure you have mentioned above. There is however some additional configuration required if ACS is installed on a standalone server so that ACS can authenticate users on the domain controller.
That portion of the configuration is what I am a bit unsure about.
Are you familiar with that portion of the configuration?