07-03-2003 09:59 PM - edited 07-04-2021 08:50 AM
Hi,
I am having a problem setting this up. Has anyone done this before?
If so, is it a relatively straightforward process, or are there some "tricks" that I should look out for?
I am setting up EAP-TLS and would like to have a single login that authenticates against ACS using the Active Directory password database.
Thanks
07-09-2003 10:57 AM
The following is the procedure for setting up the AD for ACS. In the ACS GUI, go to External User Databases - Database Configuration, click on Windows NT/2000 and Create New Config. Hit Configure, scroll down and hit Submit. Go to External User Databases - Unknown User Policy now and select the "Check the following UserDatabases" radio button, and move the Windows NT/2000 database over to the Selected Databases window. Hit submit.
I think there are some issues with integrating AD in ACS NT v2.6(4)
07-09-2003 12:08 PM
You need to set up Certificate Services on Windows 2000 Server. Each individual user login ID requires a user certificate. I have tested this with ACS 3.0 and it's working fine.
07-09-2003 10:11 PM
Let me give you an overview of what the setup looks like. I have a Windows 2000 Server SP3 machine running as a domain controller and a CA (standalone). I have another machine with Windows 2000 Server SP3 running ACS 3.2; the server is running in standalone mode but has joined the domain.
The wireless users are able to authenticate and that works fine. The problem I am having, though, is when I reset the password on the domain controller, the wireless clients still log on with their old password; the new password does not work. Similarly, if I force the user to change password on next logon, this does not work. If I take this very same wireless machine and connect it via Ethernet, the new password takes effect and I am prompted to change my password.
Have you any ideas?
Many thanks
07-15-2003 11:49 AM
Here is some doc from Cisco's website regarding password changes:
Password Change Prompt/GUI
The PEAP supplicant supports Microsoft Windows Password Change as directed by the Windows NT Active Directory user database. The user is prompted for password change in the timeframe and method specified by the Windows NT/2000 server configuration (Figure 19).
During the Microsoft Password Change process, the password credentials that are stored on the machine (local cache) from the authentication immediately preceding the password change message are not updated. Thus, although the password is updated on the Windows NT/2000 domain server, the user must perform extra steps in order to synchronize the local cache and domain controller. The user can either connect directly (via Ethernet) to the Windows NT domain in order to update the cached login credentials, or can manually change the password (after logging in to the system with a new password) once the wireless connection is established.
07-15-2003 09:46 PM
Thank you for your reply. Do you perhaps have a link to the document you referred to?
The problem I experience, though, is that when I reset the password on the domain controller, the wireless client does get prompted to reset his login password, but once I enter the new password I get an error stating that the domain controller is unavailable. If I connect via Ethernet everything works fine.
I don't know if I am missing something in the config. I have also read about machine authentication and am a bit unsure as to whether this should be enabled or not.
Many thanks
07-09-2003 09:57 PM
I have followed the procedure you have mentioned above. There is however some additional configuration required if ACS is installed on a standalone server so that ACS can authenticate users on the domain controller.
That portion of the configuration is what I am a bit unsure about.
Are you familiar with that portion of the configuration?
Thanks for your reply!
07-09-2003 10:38 PM
I think the problem is the database synchronization between the ACS and the DC. Try to stop and restart ACS after you change the user password at the DC.
For further troubleshooting, start csradius debugging at the command line.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml#ob_nt