Quick query

Chts
Level 4

Hello,

This is not a Routing/Switching query but thought you would help me.

I need to find out which DNS server is authenticating TACACS users when they try to log on to switches. I can't find any attribute that tells which DNS server authenticated the users who passed authentication.

I would really appreciate it if you could shed some light on this.

The Cisco Secure ACS software version we are using is 4.2, if that helps.

Let me know if you need any other details.
3 Replies

Peter Paluch
Cisco Employee

Hi,

I believe you need to clarify your question. A DNS server never authenticates users - that is not its job. If a user is logging "into switch" - I understand this as logging into the CLI of a switch - then DNS should not be involved at all in the overall procedure.

Best regards,
Peter

Sorry for the confusion, it's my mistake. Actually, we have integrated ACS 4.2 with AD, which allows the use of the existing AD users.

When we shut down one of our AD Windows servers, TACACS authentication fails, and we don't understand that, so I'm trying to find out which AD server is authenticating users.

I have checked on the ACS server whether there are any attributes in the "passed authentication" report that tell this, but can't find any.

Hi,

I have not worked with ACS personally, so I am afraid I cannot guide you to the setting (if there is any) that defines the AD server to perform the authentication. Nevertheless, I see only two ways in which an ACS server can determine the domain controllers in an AD: either it asks DNS for the DC address, or it uses a local setting.

To locate the set of domain controllers in DNS, a lookup for an SRV record is performed, with the SRV record having the following name: _ldap._tcp.dc._msdcs.DnsDomainName. I suggest using a DNS lookup tool, such as "host" on Linux or "nslookup" on Windows, to look up an SRV record of this name. The resulting list of servers is the list of domain controllers. Replace DnsDomainName with the DNS domain your AD is using.

Please let me know if you need assistance with the "host" or "nslookup" tools.

Best regards,
Peter
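The SRV lookup Peter describes, as an added example that is not part of this thread nor Cisco's code: a small Python script that builds the DNS query for _ldap._tcp.dc._msdcs.<domain>, sends it to a resolver of your choice (assumed to be the DNS server ACS is configured with) and parses the SRV answers into priority, weight, port and domain-controller name; the offline check uses a constructed reply, not captured traffic.

```python
import random
import socket
import struct
SRV = 33  # DNS RR type SRV (RFC 2782); AD advertises its DCs under _ldap._tcp.dc._msdcs.<domain>

def encode_name(name):
    # Wire format of a domain name: length-prefixed labels terminated by a zero byte
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"

def build_srv_query(name, qid=1):
    # Header: id, flags (RD=1), qdcount=1, an/ns/ar=0; question: name, type SRV, class IN
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", SRV, 1)

def read_name(msg, off):
    # Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset just after it)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_srv_answers(msg):
    # (priority, weight, port, target) for each SRV RR in the answer section, lowest priority first
    _, _, qd, an = struct.unpack("!HHHH", msg[:8])
    off, records = 12, []
    for _ in range(qd):                            # skip the question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            records.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(records)

def domain_controllers(dns_domain, resolver, timeout=3):
    # Live lookup: send the query to `resolver` (assumed: the DNS server ACS uses) on UDP/53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query("_ldap._tcp.dc._msdcs." + dns_domain.strip("."), random.randint(0, 0xFFFF)), (resolver, 53))
        return parse_srv_answers(sock.recvfrom(4096)[0])
```

The result is the set of DCs that DNS advertises for the domain, i.e. the candidates ACS can pick from if it discovers them via DNS; it does not by itself show which DC handled a particular authentication.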