Re: Cisco ACS v3.3 mapping problem
CLI Guru - Cisco Training and Consulting Center


  1. #1
    Ahmet KAFTAN

    Re: Cisco ACS v3.3 mapping problem

    Hello Cihan,

    You said you could not integrate ACS with AD. I expect the problem will be solved if you run ACS directly against AD, but I do not know whether there is a limitation with ACS version 3.3; I integrated 4.1 with AD without any problem. If you see this problem with only one of the domains in ACS, the problem is related to that domain. As you know, ACS runs as a service on Windows, and Windows services run under a user account. As the document below also says, you need to check whether the services are run by users with administrator rights in the domain where the problem occurs, and whether the required permissions have been granted.

    Best regards.

    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_Trble.html

    Condition
    During configuration of group mapping, the user sees the following message in a pop-up window:
    Failed to enumerate Windows groups. If you are using AD consult the installation guide for information
    Action
    This problem may occur if:
    • ACS services do not have privileges to execute the NetGroupEnum function. For information go to MSDN on Microsoft.com.
    • NetBIOS over TCP is not enabled.
    • DNS is not correctly working. You can try reregistering by using ipconfig /flushdns and then ipconfig /registerdns from a DOS prompt. Otherwise, go to Microsoft.com for more information.
    • RPC is not correctly working (for example, after Blaster Update). Go to Microsoft.com to find the following MS hot fixes:
      – kb822831
      – kb823980
      – kb824105
      – kb824146
    • The domain controllers are not synchronized. To synchronize, use the following command from a DOS prompt: net time /Domain: <DomainName>.
    • Different SPs are running on different domain controllers.
    • The NetLogon service is not up and running on all domain controllers.
    • Check that packet filters are installed.
    • Choose yes on the DNS properties to Allow Dynamic Updates.

    Configuration of Active Directory (ACS Solution Engine)
    ________________________________

    Note: On some servers, ACS services should be configured with the Local System account. On other servers, it will be necessary to configure a domain account (for example, create an account called ACS in the AD domain and assign appropriate privileges). In some extreme cases, you might have to make this account a member of Domain Administrators.
    ________________________________

    Condition
    You must configure Active Directory for ACS.
    Action
    On the domain controller serving the ACS server:
    ________________________________

    Step 1 Create a user and provide a strong password.
    Step 2 Make the user a member of the Domain Admins group.
    Step 3 Make the user a member of the Administrators group.
    Step 4 On the Windows 2000 server running ACS:
    a. Add the new user to the local group.
    b. Choose Administrative Tools from the Windows control panel.
    c. Choose Computer Management > Local Users and Groups > Groups.
    d. Double-click the Administrators group, and then click Add.
    e. Choose the domain from the Look in box.
    f. Double-click the user created earlier to add the user, and then click OK.
    Step 5 Give the new user special rights on the ACS server:
    a. Choose Administrative Tools from the control panel.
    b. Choose Local Security Policy > Local Policies.
    c. Open User Rights Assignment.
    d. Double-click Act as part of the operating system and click Add.
    e. Choose the domain from the Look in box.
    f. Double-click the user created earlier to add it and click OK.
    g. Double-click Log on as a service, and click Add.
    h. Choose the domain from the Look in box.
    i. Double-click the user created earlier to add the user, and click OK.
    Step 6 Set the ACS services to run as the created user:
    a. Choose Administrative Tools from the control panel.
    b. Choose Services.
    c. Double-click the CSAdmin entry.
    d. Click the Log On tab, then click This Account, and then the Browse button.
    e. Choose the domain, double-click the user created earlier, and click OK.
    Step 7 Repeat the steps for the rest of the CS services.
    Step 8 Wait for Windows to apply the security policy changes, or reboot the server. If you rebooted the server, skip the rest of these instructions.
    Step 9 Stop and then start the CSAdmin service.
    Step 10 Open the ACS web interface.
    Step 11 Choose System Config > Service Control > Restart.
    Step 12 If the Domain Security Policy is set to override settings for the Act as part of the operating system and Log on as a service rights, you must also make the user rights changes listed previously to the policy.



    ----- Original Message ----
    From: Cihan Akgün <[email protected]>
    To: [email protected]
    Sent: Monday, June 23, 2008 4:53:28 PM
    Subject: [cisco-ttl] Cisco ACS v3.3 mapping problem




    Hello friends,

    In my company I have an ACS v3.3 appliance that I use for RADIUS. I authenticate Wi-Fi clients through this device over PEAP, using the Active Directory database. Since the appliance cannot join the AD domain, I install the Cisco agent on a member server and integrate through it. The problem is that there are 4-5 different domains in the same forest in the environment. ACS can do user mapping for all of the domains, but when I try to add the last domain I get the error "failed to enumerate windows groups. if you are using Active Directory consult the installation guide for information". What should I do?

    Thanks in advance





    ------------------------------------

    --
    Cisco Technical Discussion List (Cisco-ttl)

    All responsibility for applying the changes suggested on this list lies with the user. The list administrators, the list members who make suggestions, and the organizations those members work for cannot be held liable in any way.

    Yahoo! Groups Links

    <*> To visit your group on the web, go to:
    [url]http://groups.yahoo.com/group/cisco-ttl/[/url]

    <*> Your email settings:
    Individual Email | Traditional

    <*> To change settings online go to:
    [url]http://groups.yahoo.com/group/cisco-ttl/join[/url]
    (Yahoo! ID required)

    <*> To change settings via email:
    mailto:[email protected]
    mailto:[email protected]

    <*> To unsubscribe from this group, send an email to:
    [email][email protected][/email]

    <*> Your use of Yahoo! Groups is subject to:
    [url]http://docs.yahoo.com/info/terms/[/url]
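The audit script below is an added example; it is not part of this thread, of Cisco's documentation, or of the ACS product. It checks, on the Windows host that runs the ACS services, the prerequisites that the quoted Cisco procedure sets up by hand (local Administrators membership, the two user rights, the logon account of every CS* service) together with two of the listed causes of the "Failed to enumerate Windows groups" error (NetLogon stopped, NetBIOS over TCP/IP disabled). It only reports; it changes nothing. Assumptions: a current Windows Server host with PowerShell 5.1 or later and the Microsoft.PowerShell.LocalAccounts module (the thread's ACS runs on Windows 2000, where this would not apply), an elevated session, the ACS services being the ones whose names start with "CS", and a placeholder account name passed as DOMAIN\user.

```powershell
# Added example (not from the thread or from Cisco): audit the ACS service-account
# prerequisites on the ACS host. Reports findings, never modifies anything.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccount   # placeholder form: "EXAMPLE\acs-svc" (constructed, not a real account)
)

$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Resolve the account to its SID; the exported user-rights policy lists SIDs, not names.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Local Administrators membership (Step 4 of the quoted procedure).
$adminSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
if ($adminSids -notcontains $sid) {
    $findings.Add("$ServiceAccount is not a member of the local Administrators group")
}

# 3. User rights (Step 5): export the effective local policy and look for the SID.
#    secedit writes entries such as  SeServiceLogonRight = *S-1-5-20,*S-1-5-32-544
$inf = Join-Path $env:TEMP 'acs-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{
    'SeTcbPrivilege'      = 'Act as part of the operating system'
    'SeServiceLogonRight' = 'Log on as a service'
}
$policy = Get-Content $inf
foreach ($right in $rights.Keys) {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line -or $line -notmatch [regex]::Escape($sid)) {
        $findings.Add("$ServiceAccount lacks the '$($rights[$right])' right ($right)")
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. Service logon accounts (Steps 6 and 7): every CS* service should run as the account.
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'CS%'"
foreach ($svc in $services) {
    if ($svc.StartName -ne $ServiceAccount) {
        $findings.Add("service $($svc.Name) runs as '$($svc.StartName)', expected $ServiceAccount")
    }
}

# 5. NetLogon must be running (one of the listed causes of the enumeration failure).
$netlogon = Get-Service -Name Netlogon
if ($netlogon.Status -ne 'Running') {
    $findings.Add("Netlogon service is $($netlogon.Status)")
}

# 6. NetBIOS over TCP/IP (another listed cause): TcpipNetbiosOptions 2 means disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.TcpipNetbiosOptions -eq 2 } |
    ForEach-Object { $findings.Add("NetBIOS over TCP/IP is disabled on adapter '$($_.Description)'") }

if ($findings.Count -eq 0) {
    Write-Output "All checked prerequisites for $ServiceAccount are in place."
} else {
    Write-Output "Prerequisite findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script checks only the host-side part of the procedure; whether the account is a member of Domain Admins in the domain that fails to map (Steps 2 and 3) has to be confirmed on that domain's controllers. Cross-domain enumeration also requires the account to be resolvable in the failing domain, which is why the quoted note reserves Domain Admins membership for extreme cases: reporting before granting keeps the account at the lowest level of privilege that actually makes NetGroupEnum succeed.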



  2. #2
    Cihan Akgün

    RE: Cisco ACS v3.3 mapping problem

    Hello Ahmet,

    First let me say that my ACS is an appliance, that is, it does not run on an operating system of any kind (actually it is on W2K, but it cannot be touched), so we cannot do any work without connecting through the web interface or the serial port. So it is not possible for me to join this device to the domain (it is a restricted operating system; you cannot log in using a monitor or the like). After sending the previous mail I did one or two tests. Now, my 3 domains (1 root, 2 child) are in the 10.34.x.x/24 network; when I tell ACS to use an ACS agent in this network for RADIUS, I can map all the groups in this domain. But one of my domains is in the 172.x.x.x/24 network, and there is a firewall between it and the 10 network (I configured it any-any on an IP basis with the full service set; there is no restriction). I also installed a network agent in the 172 network. Now, when ACS uses the agent in the 10 network, it can map only the groups in the domains in the 10 network; the 172 domain is visible, but I cannot map its groups. When I tell ACS to use the network agent in the 172 network, this time it can see the domains in the 10 network but cannot map their groups, while the 172 domain works. There is no difference in the logical domain structure between the two networks; physically there is a Juniper SSG firewall between them. I suspect only the firewall, but I have given permit on both an IP and a service basis, and I can use the remote agent in that network; if there were a problem I think I would not be able to use that agent.


    Cakgun


    -----Original Message-----
    From: [email protected] [mailto:[email protected]] On Behalf Of Ahmet KAFTAN
    Sent: Wednesday, June 25, 2008 5:26 PM
    To: [email protected]
    Subject: Re: [cisco-ttl] Cisco ACS v3.3 mapping problem

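Cihan's second post describes a Juniper SSG firewall between the 10.x and 172.x networks, with the remote agent reachable but group mapping failing for every domain on the far side. The script below is an added example, not part of the thread: run on the host that carries the ACS remote agent, it locates the domain controllers of the domains that fail to map through their DNS SRV records and then probes, through the firewall, the fixed TCP ports that locating a DC and enumerating its groups (NetGroupEnum over RPC and SMB named pipes) depend on. Assumptions: the domain names are constructed placeholders, Test-NetConnection and Resolve-DnsName are available (Windows 8.1 / Server 2012 R2 or later), and the port-to-service list reflects general Windows domain behaviour rather than anything the thread states.

```powershell
# Added example (not from the thread): probe DC-facing ports across the firewall from the
# host that runs the ACS remote agent. Read-only network checks; nothing is changed.
param(
    [string[]]$Domains = @('child.example.test', 'root.example.test')  # constructed placeholders
)

# Fixed TCP ports involved in locating a DC and enumerating its groups. The RPC endpoint
# mapper (135) then hands out a dynamic port (1025-5000 on Windows 2000/2003,
# 49152-65535 on later versions); that range cannot be probed here and must be
# allowed on the firewall as well.
$ports = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session (SMB over NetBIOS)'
    389 = 'LDAP'
    445 = 'SMB (named pipes used for SAMR / NetGroupEnum)'
}

$rows = foreach ($domain in $Domains) {
    # 1. Find the DCs through the _ldap._tcp.dc._msdcs SRV record. If this lookup fails
    #    the problem is DNS (one of the causes in the quoted Cisco list), not the firewall.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        [pscustomobject]@{ Domain = $domain; DC = '(none)'; Port = ''; Service = 'DNS SRV lookup'; Reachable = $false }
        continue
    }
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique

    # 2. Probe each fixed port on each DC with a plain TCP connect.
    foreach ($dc in $dcs) {
        foreach ($port in $ports.Keys) {
            $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Domain = $domain; DC = $dc; Port = $port; Service = $ports[$port]; Reachable = $ok }
        }
    }
}

$rows | Format-Table -AutoSize
$blocked = @($rows | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Output "$($blocked.Count) probe(s) failed. Review the firewall policy for these ports and for the dynamic RPC range before retrying group mapping."
} else {
    Write-Output "All fixed ports are reachable; if mapping still fails, check the dynamic RPC range and the service-account rights in the failing domain."
}
```

An any-any permit rule, as described in the post, should make every probe succeed; a result in which 445 or 135 is reachable but mapping still fails points at the dynamic RPC range or at the account's rights in the far-side domain rather than at the fixed ports, which narrows the search in the same direction as the quoted Cisco checklist.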

