01-08-2016 04:38 AM - edited 03-10-2019 11:22 PM
Hi all,
In the old versions of Cisco ACS (4.x) there is the option to configure a workstation name (by default set to "CISCO") that will be used as the "presentation name" to AD. You can find this conf under: External User Database --> Database Conf --> Windows Database --> and scroll till the end of the page.
Is there the equivalent for ACS 5.x? I'm not able to find it.
I've upgraded from 4.x to 5.x and, since I was using this feature with the old ACS, I would like to continue to use the CISCO workstation name instead of modifying the "logon to" of each user with the new ACS servers' names.
many thx
01-08-2016 08:51 AM
It's a little different. The AD account required for domain access in ACS should have either of these:
Add workstations to domain user right in corresponding domain.
Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is created before joining ACS machine to the domain.
Note: Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS does not create or modify its machine account when it is necessary and therefore possibly deny all authentications.
Note: The Windows AD account, which joins ACS to the AD domain, can be placed in its own Organizational Unit (OU). It resides in its own OU either when the account is created or later on with a restriction that the appliance name must match the name of the AD account.
It's documented here:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113571-acs5-ad-int-config-00.html
- Jatin
01-11-2016 01:41 AM
hi,
thx for your reply. I'm not sure I understood your comment, or maybe I was not able to explain my problem correctly. I'll try to give you additional details:
Currently I'm using ACS 4.1 with PEAP authentication for wireless users who belong to a specific group in AD.
Each user (in AD) is bound (logon_to tab of the AD) to some workstations/servers... so a user "A" can ONLY log onto workstation X and server Y etc etc etc.
In order to let them join the network with PEAP authentication, I had to bind them also to a server named "CISCO"..... that is the name used by my 2 instances of ACS 4.1 (see my first message for details).
Now, I'm upgrading to ACS 5.8, and I would like to use the same name (CISCO) for my 2 instances of ACS INSTEAD OF configuring the logon_to with the 2 new servers' names (NEW_ACS_SERVER_1 and NEW_ACS_SERVER_2).
I would use the OLD name just because, for some users, I already reached the maximum number of servers/workstations that can be configured in the logon_to tab.
If I don't configure the new server names (NEW_ACS_SERVER_1 and NEW_ACS_SERVER_2).... I receive the following error while a user attempts to use the wireless network with PEAP: "this user is not allowed to login to this workstation... bla bla bla...." (or something similar).
Since ALL users already have "cisco" in the logon to conf of the AD, it would be easier for me to leave things as they are and change the name of the 2 ACS instances to "CISCO"..... but my problem is that I don't know how to do it. In ACS 4.1 there was a specific conf that seems to be missing in ACS 5.8.
Any ideas?
Hope it's more clear, and sorry for my English ;-)
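The restriction described above is the AD "Log On To" list, stored in the userWorkstations attribute as a comma-separated list of NetBIOS names; an empty attribute means the user may log on anywhere, and PEAP authentications are rejected when the name the RADIUS server presents is not on a restricted user's list. The script below is an added example, not posted by either participant and not Cisco's code: it audits that attribute for every user in the wireless group and reports which accounts would need the new ACS appliance names added. The group name is an assumption; the workstation names come from the thread. It runs as a dry run unless $DryRun is set to $false.

```powershell
# Added example (not from the thread): audit the "Log On To" list (AD attribute
# userWorkstations) for the wireless users' group and append the new ACS
# appliance names where they are missing. Group name is assumed; adjust it.
Import-Module ActiveDirectory

$GroupName   = 'Wireless-Users'                            # assumed group name
$OldAcsName  = 'CISCO'                                     # name used by ACS 4.x
$NewAcsNames = @('NEW_ACS_SERVER_1', 'NEW_ACS_SERVER_2')   # names from the thread
$DryRun      = $true                                       # report only; no writes

$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties userWorkstations

    # Empty attribute means "all workstations": no restriction, nothing to do.
    if ([string]::IsNullOrWhiteSpace($u.userWorkstations)) { continue }

    # Split the comma-separated NetBIOS list and drop blanks.
    $list = $u.userWorkstations -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Flag accounts still relying only on the old ACS name.
    $hasOld  = $list -contains $OldAcsName        # -contains is case-insensitive
    $missing = $NewAcsNames | Where-Object { $list -notcontains $_ }
    if (-not $missing) { continue }

    $newList = ($list + $missing) -join ','
    Write-Host ("{0} (old name present: {1}): {2} -> {3}" -f `
        $u.SamAccountName, $hasOld, $u.userWorkstations, $newList)

    if (-not $DryRun) {
        # Set-ADUser exposes userWorkstations as -LogonWorkstations.
        Set-ADUser -Identity $u -LogonWorkstations $newList
    }
}
```

Run it first with $DryRun left at $true: the report shows, per account, the current list and the list that would be written, so accounts whose "Log On To" list is already at the limit the question mentions can be spotted before any write is attempted rather than discovered as a failed Set-ADUser.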