RE: [cisco-ttl] Cisco ACS v3.3 mapping problem

From: Cihan Akgün <cihan.akgun_at_....>
Date: Sat, 28 Jun 2008 12:59:46 +0300


Merhaba Ahmet Hocam;

Oncelikle sunu soyleyeyim ACS bende appliance yani herhangi bir isletim sistemi uzerinde degil (aslinda w2k uzerinde ama mudahale edilemiyor) dolayisiyla web arayuzu yada serial porttan baglanmadan calisma yapamiyoruz. Ki bu aleti domain e join etmem mumkun degil(kisitli bir isletim sistemi, monitor kullanarak login filan olunmuyor). Onceki maili attiktan sonra 1-2 deneme yaptim. Simdi bende ki 3 domain (1 root- 2 child) 10.34.x.x/24 networku icerisinde bu network icerisindeki bir acs agent i radius a kullanmasini soyledigimde bu domaindeki tum grouplari map edebiliyorum. Fakat 1 tane domain im 172.x.x.x/24 networkunde ve 10 lu network ile aralarinda firewall var (ip bazinda any-any service full olarak konf ettim kisitlama yok.). 172 li network e de bir network agent kurdum. Simdi acs 10 lu network deki agent i kullandiginda sadece 10 lu network deki domain lerdeki grouplari map edebiliyor, 172 li olan domain gozukuyor ama grouplari map edemiyorum. Acs e 172 li network deki network agent i kullanmasini soyledigimde bu sefer 10 lu network deki domain leri gorebiliyor fakat grouplari map edemiyor 172 li domain calisiyor. İki network arasindaki mantiksal domain yapisinda hicbir farklilik yok fiziksel olarak aralarinda bir juniper ssg firewall var. Sadece firewall dan supheleniyorum fakat hem ip hemde service bazinda permit verdim, hemde o networkdeki remote agent i kullanabiliyorum, sorun olsa sanirim o agent i kullanamazdim.

Cakgun    

-----Original Message-----
From: cisco-ttl_at_yahoogroups.com [mailto:cisco-ttl_at_yahoogroups.com] On Behalf Of Ahmet KAFTAN Sent: Wednesday, June 25, 2008 5:26 PM
To: cisco-ttl_at_yahoogroups.com
Subject: Re: [cisco-ttl] Cisco ACS v3.3 mapping problem

Merhabalar Cihan Hocam,

ACS'i AD ile entegre edemediğini söylemişsin, eğer ACS ile AD'yi direkt olarak çalıştırırsan sorunun çözüleceğini tahmin ediyorum, ama ACS'in 3.3 versiyonuyla ilgili bir kısıtlama var mı bilmiyorum ancak ben 4.1 ile AD'yi sorunsuz entegre ettim. Eğer ACS'de domainlerden sadece bir tanesinde bu sorunu yaşıyorsan, bu sorun o domain ile ilgilidir. Biliyorsun ACS, windows'ta servis olarak çalışıyor ve windows'ta servisler bir kullanıcı hesabı üzerinden çalışır aşağıdaki dökümanda da yazdığı gibi sorunun olduğu domainde administrator yetkisi olan kullanıcılar tarafından çalıştırılıp, gerekli izinlerin verilip verilmediğini kontrol etmen gerekiyor.

İyi çalışmalar.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_Trble.html

Condition
During configuration of group mapping, the user sees the following message in a pop up window: Failed to enumerate Windows groups. If you are using AD consult the installation guide for information Action
This problem may occur if:
•ACS services do not have privileges to execute the NetGroupEnum function. For information go to MSDN on Microsoft.com. •NetBIOS over TCP is not enabled.
•DNS is not correctly working. You can try reregistering by using ipconfig /flushdns and then ipconfig /registerdns from a DOS prompt. Otherwise, go to Microsoft.com for more information. •RPC is not correctly working (for example, after Blaster Update). Go to Microsoft.com to find the following MS hot fixes: –kb822831
–kb823980
–kb824105
–kb824146
•The domain controllers are not synchronized. To synchronize, use the following command from a DOS prompt: net time /Domain: <DomainName>. •Different SPs are running on different domain controllers. •The NetLogon service is not up and running on all domain controllers •Check that packet filters are installed. •Choose yes on the DNS properties to Allow Dynamic Updates. Configuration of Active Directory (ACS Solution Engine)

 

Note On
some servers, ACS services should be configured with the Local System account. On other servers, it will be necessary to configure a domain account (for example, create an account called ACS in the AD domain and assign appropriate privileges). In some extreme cases, you might have to make this account a member of Domain Administrators.

Condition
You must configure Active Directory for ACS. Action
On the domain controller serving the ACS server:

 

Step 1 Create a user and provide a strong password. Step 2 Make the user a member of Domain Admins group. Step 3 Make the user a member of the Administrators group. Step 4 On the Windows 2000 server running ACS: 

a. Add a new user to the local group. 
b. Choose Administrative Tools from the Windows control panel. 
c. Choose Computer Management > Local Users and Groups > Groups. 
d. Double-click the Administrators group, and then click Add. 
e. Choose the domain from the Look in box. 
f. Double-click the user created earlier to add the user, and then click OK.
Step 5 Give new user special rights on ACS server: 
a. Choose Administrative Tools from the control panel. 
b. Choose Local Security Policy > Local Policies. 
c. Open User Rights Assignment. 
d. Double-click on Act as part of the operating system and click Add. 
e. Choose the domain from the Look in box. 
f. Double-click the user created earlier to add it and click OK. 
g. Double-click on Log on as a service, and click Add. 
h. Choose the domain from the Look in box. 
i. Double-click the user created earlier to add the user, and click OK.
Step 6 Set the ACS services to run as the created user: 
a. Choose Open Administrative Tools from the control panel. 
b. Choose Services. 
c. Double-click the CSAdmin entry. 
d. Click the Log On tab, and then click This Account and then the Browse button. 
e. Choose the domain, double-click the user created earlier. Click OK.
Step 7 Repeat the steps for the rest of the CS services. Step 8 Wait
for Windows to apply the security policy changes, or reboot the server. If you rebooted the server, skip the rest of these instructions. Step 9 Stop and then start the CSAdmin service. Step 10 Open the ACS web interface.
Step 11 Choose System Config > Service Control > Restart. Step 12 If the Domain Security Policy is set to override settings for the Act as part of the operating system and Log on as a service rights, you must also make the user rights changes listed previously to the policy.
  • Original Message ---- From: Cihan Akgün <cihan.akgun_at_zaman.com.tr> To: cisco-ttl_at_yahoogroups.com Sent: Monday, June 23, 2008 4:53:28 PM Subject: [cisco-ttl] Cisco ACS v3.3 mapping problem

Arkadaslar Merhaba;

Sirketimde radius islemleri icin kullandigim ACS v3.3 appliance bir cihaz var. Wifi clientlarin authendication islemlerini bu cihaz uzerinden active directory database i kullanarak peap uzerinden yaptiriyorum. Appliance AD domain i icerisine giremedigi icin bir member server uzerine cisco agent kurup onunla entegrasyon sagliyorum. Sorun su ki ortamda ayni forest ta bulunan 4-5 tane farkli domain var. ACS tum domain ler icin user mapping yapabiliyor fakat son domain i eklemek istedigimde” failed to enumerate windows groups. if you are using Active Directory consult the installation guide for information” diye bir hata aliyorum. Ne yapmaliyim?

Simdiden Tesekkurler

.

<http://geo.yahoo. com/serv? s=97359714/ grpId=8459951/ grpspId=17050047 26/msgId= 5312/stime= 1213616810/ nc1=4507179/ nc2=3848641/ nc3=5202321>

[Non-text portions of this message have been removed]            

[Non-text portions of this message have been removed] 

--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar.Yahoo! Groups Links




------------------------------------

--
Cisco Teknik Tartisma Listesi (Cisco-ttl)

Bu listede onerilen degisikliklerin uygulanmasindaki tum sorumluluk 
kullaniciya aittir. Liste yoneticileri, oneride bulunan liste uyeleri ya da 
bu uyelerin calistigi kuruluslar herhangi bir sekilde sorumlu tutulamazlar.Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/cisco-ttl/

<*> Your email settings:
    Individual Email | Traditional

<*> To change settings online go to:
    http://groups.yahoo.com/group/cisco-ttl/join
    (Yahoo! ID required)

<*> To change settings via email:
    mailto:cisco-ttl-digest_at_yahoogroups.com 
    mailto:cisco-ttl-fullfeatured_at_yahoogroups.com

<*> To unsubscribe from this group, send an email to:
    cisco-ttl-unsubscribe_at_yahoogroups.com

<*> Your use of Yahoo! Groups is subject to:
    http://docs.yahoo.com/info/terms/
Received on Mon Jun 30 2008 - 12:19:23 CEST

This archive was generated by hypermail 2.2.0 : Mon Jun 30 2008 - 12:19:27 CEST