Re: [cisco-ttl] Cisco ACS v3.3 mapping problem

From: Ahmet KAFTAN <kaftana_at_....>
Date: Wed, 25 Jun 2008 07:26:21 -0700 (PDT)


Merhabalar Cihan Hocam,

ACS'i AD ile entegre edemediğini söylemişsin, eğer ACS ile AD'yi direkt olarak çalıştırırsan sorunun çözüleceğini tahmin ediyorum, ama ACS'in 3.3 versiyonuyla ilgili bir kısıtlama var mı bilmiyorum ancak ben 4.1 ile AD'yi sorunsuz entegre ettim. Eğer ACS'de domainlerden sadece bir tanesinde bu sorunu yaşıyorsan, bu sorun o domain ile ilgilidir. Biliyorsun ACS, windows'ta servis olarak çalışıyor ve windows'ta servisler bir kullanıcı hesabı üzerinden çalışır aşağıdaki dökümanda da yazdığı gibi sorunun olduğu domainde administrator yetkisi olan kullanıcılar tarafından çalıştırılıp, gerekli izinlerin verilip verilmediğini kontrol etmen gerekiyor.

İyi çalışmalar.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_Trble.html

Condition
During configuration of group mapping, the user sees the following message in a pop up window: Failed to enumerate Windows groups. If you are using AD consult the installation guide for information Action
This problem may occur if:
•ACS services do not have privileges to execute the NetGroupEnum function. For information go to MSDN on Microsoft.com. •NetBIOS over TCP is not enabled.
•DNS is not correctly working. You can try reregistering by using ipconfig /flushdns and then ipconfig /registerdns from a DOS prompt. Otherwise, go to Microsoft.com for more information. •RPC is not correctly working (for example, after Blaster Update). Go to Microsoft.com to find the following MS hot fixes: –kb822831
–kb823980
–kb824105
–kb824146
•The domain controllers are not synchronized. To synchronize, use the following command from a DOS prompt: net time /Domain: <DomainName>. •Different SPs are running on different domain controllers. •The NetLogon service is not up and running on all domain controllers •Check that packet filters are installed. •Choose yes on the DNS properties to Allow Dynamic Updates. Configuration of Active Directory (ACS Solution Engine)

 

Note On
some servers, ACS services should be configured with the Local System account. On other servers, it will be necessary to configure a domain account (for example, create an account called ACS in the AD domain and assign appropriate privileges). In some extreme cases, you might have to make this account a member of Domain Administrators.

Condition
You must configure Active Directory for ACS. Action
On the domain controller serving the ACS server:

 

Step 1 Create a user and provide a strong password. Step 2 Make the user a member of Domain Admins group. Step 3 Make the user a member of the Administrators group. Step 4 On the Windows 2000 server running ACS: 

a. Add a new user to the local group. 
b. Choose Administrative Tools from the Windows control panel. 
c. Choose Computer Management > Local Users and Groups > Groups. 
d. Double-click the Administrators group, and then click Add. 
e. Choose the domain from the Look in box. 
f. Double-click the user created earlier to add the user, and then click OK.
Step 5 Give new user special rights on ACS server: 
a. Choose Administrative Tools from the control panel. 
b. Choose Local Security Policy > Local Policies. 
c. Open User Rights Assignment. 
d. Double-click on Act as part of the operating system and click Add. 
e. Choose the domain from the Look in box. 
f. Double-click the user created earlier to add it and click OK. 
g. Double-click on Log on as a service, and click Add. 
h. Choose the domain from the Look in box. 
i. Double-click the user created earlier to add the user, and click OK.
Step 6 Set the ACS services to run as the created user: 
a. Choose Open Administrative Tools from the control panel. 
b. Choose Services. 
c. Double-click the CSAdmin entry. 
d. Click the Log On tab, and then click This Account and then the Browse button. 
e. Choose the domain, double-click the user created earlier. Click OK.
Step 7 Repeat the steps for the rest of the CS services. Step 8 Wait
for Windows to apply the security policy changes, or reboot the server. If you rebooted the server, skip the rest of these instructions. Step 9 Stop and then start the CSAdmin service. Step 10 Open the ACS web interface.
Step 11 Choose System Config > Service Control > Restart. Step 12 If the Domain Security Policy is set to override settings for the Act as part of the operating system and Log on as a service rights, you must also make the user rights changes listed previously to the policy.
  • Original Message ---- From: Cihan Akgün <cihan.akgun_at_zaman.com.tr> To: cisco-ttl_at_yahoogroups.com Sent: Monday, June 23, 2008 4:53:28 PM Subject: [cisco-ttl] Cisco ACS v3.3 mapping problem

Arkadaslar Merhaba;

Sirketimde radius islemleri icin kullandigim ACS v3.3 appliance bir cihaz var. Wifi clientlarin authendication islemlerini bu cihaz uzerinden active directory database i kullanarak peap uzerinden yaptiriyorum. Appliance AD domain i icerisine giremedigi icin bir member server uzerine cisco agent kurup onunla entegrasyon sagliyorum. Sorun su ki ortamda ayni forest ta bulunan 4-5 tane farkli domain var. ACS tum domain ler icin user mapping yapabiliyor fakat son domain i eklemek istedigimde” failed to enumerate windows groups. if you are using Active Directory consult the installation guide for information” diye bir hata aliyorum. Ne yapmaliyim?

Simdiden Tesekkurler

.

<http://geo.yahoo. com/serv? s=97359714/ grpId=8459951/ grpspId=17050047 26/msgId= 5312/stime= 1213616810/ nc1=4507179/ nc2=3848641/ nc3=5202321>

[Non-text portions of this message have been removed]            

[Non-text portions of this message have been removed] 

--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar.Yahoo! Groups Links



<*> To visit your group on the web, go to:

    http://groups.yahoo.com/group/cisco-ttl/



<*> Your email settings:

    Individual Email | Traditional



<*> To change settings online go to:

    http://groups.yahoo.com/group/cisco-ttl/join
    (Yahoo! ID required)



<*> To change settings via email:

    mailto:cisco-ttl-digest_at_yahoogroups.com 
    mailto:cisco-ttl-fullfeatured_at_yahoogroups.com



<*> To unsubscribe from this group, send an email to:

    cisco-ttl-unsubscribe_at_yahoogroups.com



<*> Your use of Yahoo! Groups is subject to:

    http://docs.yahoo.com/info/terms/
Received on Fri Jun 27 2008 - 23:38:57 CEST

This archive was generated by hypermail 2.2.0 : Fri Jun 27 2008 - 23:39:02 CEST