ACS 4.1 AD Authentication

psullivan1984 — Mon, 11 Mar 2019 04:39:45 GMT

We have an existing HA deployment of Cisco ACS 4.1 servers authenticating wireless users with 802.1X against AD. We are looking to retire a number of older DCs in the near future. Prior to retiring the DCs, I want to make sure no authentication requests are being sent to them. From the ACS GUI, I cannot determine what DC IP / hostnames the ACS is pointing to. Within Exernal Users Databases -> Database Configuration -> Windows Database, I don't see any mention of server ip / hostname. I've ran throught he configuration guide, but didn't see any place where you enter the information either. Is it possible the DC server IP addresses are also stored within some configuration file on the server itself? Does anyone have any suggestions short of running wireshark captures to/from each of the DCs to see if authentication requests are coming from the ACS servers? Any advice or suggestions would be appreciated.

From the ACS perspective this

Jatin Katyal — Thu, 24 Apr 2014 19:04:02 GMT

From the ACS perspective this can't be done because this is not under the control of the ACS to choose the DC. ACS forwards user credentials to a Windows database by passing the user credentials to the Windows operating system of the computer that is running ACS for Windows or the Solution Engine remote agent. The Windows database passes or fails the authentication request from ACS.

You can refer to below listed link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.
2/user/guide/UsrDb.html#wp353547

If you are running ACS on windows than you've a liberty to use windows lmhost file.

As a final means of ensuring communication with specific domain controllers, on the member server that is running ACS, configure a LMHOSTS file to include entries for each domain controller that ACS must authenticate.The format of an LMHOSTS file is very particular. Ensure that you understand the requirements of configuring the LMHOSTS file. For more information, see:

- Microsoft.com: LMHOSTS File
- The example LMHOSTS file is included with the Windows operating system.
The default location and filename for the sample file is
systemroot>\system32\drivers\etc\lmhosts

For more information, please refer the below listed doc
http://www.scribd.com/doc/50262863/345/Using-the-Lmhosts-File

NOTE:In order to check what domain and DC ACS is trying to connect, check auth.log when set to full logging.

Hope this helps.

Regards,

Jatin Katyal

*Do rate helpful posts*

topic From the ACS perspective this in Network Access Control

ACS 4.1 AD Authentication

From the ACS perspective this