Active Directory Integration in ACS 5.8

Revised: February 26, 2018

Active Directory Key Features in ACS 5.8

Authentication Domains

When ACS is joined to an Active Directory domain, it automatically discovers the Active Directory's trusted domains. However, not all domains may be relevant to ACS for authentication and authorization. ACS allows you to select a subset of the trusted domains for authentication and authorization. This subset of domains is called authentication domains. It is recommended to define the domains where the users or machines that you intend to authenticate are located as authentication domains. Defining authentication domains enhances security: domains that are not selected are blocked, so user authentications cannot take place against them. It also helps optimize performance, because you can skip domains that are not relevant for policies and authentication, which lets ACS perform identity search operations more efficiently.

Ambiguous Identity Resolution

If the user or machine name received by ACS is ambiguous, that is, it is not unique, it can cause problems for users when they attempt to authenticate. Identity clashes occur when the user does not have a domain markup, or when there are multiple identities with the same username in more than one domain. For example, userA exists on domain1 and another userA exists on domain2. You can use the identity resolution setting to define the scope of the resolution for such users. Cisco highly recommends that you use qualified names such as UPN or NetBIOS. Qualified names reduce the chance of ambiguity and increase performance by reducing delays.

Group Membership Evaluation Based on Security Identifiers

ACS uses security identifiers (SIDs) to optimize group membership evaluation. SIDs are useful for two reasons: firstly for efficiency (speed) when the groups are evaluated, and secondly for resilience against delays if a domain is down and the user is a member of groups from that domain. When you delete a group and create a new group with the same name as the original, you must update SIDs to assign the new SID to the newly created group.

Diagnostic Tool

The Diagnostic Tool allows you to automatically test and diagnose the Active Directory deployment for general connectivity issues. This tool provides information on:

The ACS node on which the test is run

Connectivity to the Active Directory

Detailed status about the domain

Detailed status about ACS-DNS server connectivity

The tool provides a detailed report for each test that you run.

Certificate Authentication Profile Enhancements

ACS 5.8 has introduced a new enhancement in the certificate authentication profile:

Only to resolve identity ambiguity option—You can use this option to resolve identity issues in EAP-TLS authentications. You can have multiple identities from TLS certificates. If the usernames are ambiguous, for example, if there are two "jdoe" from an acquisition, and if the client certificates are present in Active Directory, ACS can use binary comparison to rule out the ambiguity.

Reports and Alarms

ACS provides a new AD Connector Operations report and new alarms in the dashboard to monitor and troubleshoot Active Directory related activities.

Advanced Tuning

The advanced tuning feature provides node-specific changes and settings to adjust parameters deeper in the system. This page allows configuration of preferred DCs, GCs, DC failover parameters, and timeouts. This page also provides troubleshooting options such as disabling encryption. These settings are not intended for the normal administration flow and should be used only under Cisco Support guidance.

Related Tasks

Configure Active Directory User Groups

Related Information

Configure Authentication Domains

Identity Resolution Settings

Supported Group Types

Active Directory Certificate Retrieval for Certificate-Based Authentication

Diagnose Active Directory Issues

Active Directory Alarms and Reports

View Active Directory Joins for a Node

Test Users for Active Directory Authentication

Active Directory Advanced Tuning

Prerequisites for Integrating Active Directory and Cisco ACS

The following are the prerequisites to integrate Active Directory with ACS.

Use the Network Time Protocol (NTP) server settings to synchronize the time between the ACS server and Active Directory. You can configure NTP settings from the ACS CLI.

If your Active Directory structure has a multi-domain forest or is divided into multiple forests, ensure that trust relationships exist between the domain to which ACS is connected and the other domains that hold the user and machine information you need access to. For more information on establishing trust relationships, refer to the Microsoft Active Directory documentation.

You must have at least one global catalog server operational and accessible by ACS in the domain to which you are joining ACS.

Active Directory Account Permissions Required for Performing Various Operations

Table 1 Required Account Permissions for Active Directory

Join Operations

For the account that is used to perform the join operation, the following permissions are required:

Search Active Directory (to see if an ACS machine account already exists)

Create the ACS machine account in the domain (if the machine account does not already exist)

Set attributes on the new machine account (for example, ACS machine account password, SPN, dnsHostname)

It is not mandatory to be a domain administrator to perform a join operation.

Leave Operations

For the account that is used to perform the leave operation, the following permissions are required:

Search Active Directory (to see if an ACS machine account already exists)

Remove the ACS machine account from the domain

If you perform a force leave (leave without the password), the machine account is not removed from the domain.

ACS Machine Accounts

For the newly created ACS machine account that is used to communicate with the Active Directory connection, the following permissions are required:

Ability to change its own password

Read the user/machine objects corresponding to the users/machines being authenticated

Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes, and so on)

Ability to read the tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM name matches the ACS appliance hostname, it should be located during the join operation and reused.

If multiple join operations are performed, multiple machine accounts are maintained inside ACS, one for each join operation.

Note: The credentials used for the join or leave operation are not stored in ACS. Only the newly created ACS machine account credentials are stored.

Network Ports That Must Be Open for Communication

Table 2 Network Ports That Must Be Open for Communication

| Protocol | Port (remote-local) | Target | Authenticated | Notes |
|---|---|---|---|---|
| DNS (TCP/UDP) | Random number greater than or equal to 49152 | DNS Servers/AD Domain Controllers | No | |
| MSRPC | 445 | Domain Controllers | Yes | |
| Kerberos (TCP/UDP) | 88 | Domain Controllers | Yes (Kerberos) | MS AD/KDC |
| LDAP (TCP/UDP) | 389 | Domain Controllers | Yes | |
| LDAP (GC) | 3268 | Global Catalog Servers | Yes | |
| NTP | 123 | NTP Servers/Domain Controllers | No | |
| IPC | 80 | Other ACS Nodes in the Deployment | Yes (Using RBAC credentials) | |

DNS Server

While configuring your DNS server, make sure that you take care of the following:

All DNS servers configured in ACS must be able to resolve all forward and reverse DNS queries for all domains you wish to use.

All DNS servers must be able to answer SRV queries for DCs, GCs, and KDCs, with or without additional Site information.

We recommend that you add the server IP addresses to SRV responses to improve performance.

Avoid using DNS servers that query the public Internet. They can cause delays and leak information about your network when an unknown name has to be resolved.

Joining ACS to an Active Directory Domain

You can join the ACS nodes from the same deployment to different AD domains. However, each node can be joined to a single AD domain. The policy definitions of those ACS nodes are not changed, and they use the same AD identity store.

The AD settings are not displayed by default, and the nodes are not joined to an AD domain when you first install ACS. When you open the AD configuration page, you can see the list of all ACS nodes in the distributed deployment.

When you configure an AD identity store, ACS also creates the following:

A new dictionary for that store with two attributes: the ExternalGroup attribute and another attribute for any attribute that is retrieved from the Directory Attributes page.

A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this attribute.

A custom condition for group mapping from the ExternalGroup attribute—the custom condition name is AD1:ExternalGroups—and another custom condition for each attribute that is selected in the Directory Attributes page (for example, AD1:cn).

Note: If ACS is connected to an AD structure that has a multi-domain forest or is divided into multiple forests, ACS must be reachable from the AD when you run a DNS query. Otherwise, the global catalog server is not accessible to ACS, which slows down the communication with the AD.

You can edit the predefined condition name, and you can create a custom condition from the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition.

To join a single node or multiple nodes to an AD Domain, complete the following steps:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.

The Active Directory page appears.

2. Select a single node or multiple nodes and click Join.

The Join page appears.

3. Complete the fields in the Join page as described in the Join/Test Connection Page.

Table 3 Join/Test Connection Page

Option

Description

Active Directory Domain Name

Name of the AD domain to which you want to join ACS.

Username

Enter the username of a predefined AD user. The AD account that is required for the domain access in ACS should have either of the following:

The Add workstations to the domain user right in the corresponding domain.

Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).

Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore may deny all authentications.

Password

Enter the user password. The password should have a minimum of eight characters, using a combination of at least one lower case letter, one upper case letter, one numeral, and one special character. All special characters are supported.

4. Click:

Join to join the selected nodes to the AD domain. The status of the nodes is changed according to the join results.

Cancel to cancel the connection.

Disconnecting Nodes from the AD Domain

To disconnect a single node or multiple nodes from an AD Domain, complete the following steps:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.

The Active Directory page appears.

2. Select a single node or multiple nodes and click Leave.

The Leave Connection page appears.

3. Complete the fields in the Leave Connection page as described in the Leave Connection Page.

Table 4 Leave Connection Page

Option

Description

Username

Enter the username of a predefined AD user. The AD account that is required for the domain access in ACS should have either of the following:

The Add workstations to the domain user right in the corresponding domain.

Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain).

Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore may deny all authentications.

Password

Enter the user password.

Do not try to remove machine account

Check this check box to disconnect the selected nodes from the AD domain when you do not know the credentials or have DNS problems.

This operation disconnects the node from the AD domain and leaves an entry for this node in the database. Only administrators can remove this node entry from the database.

4. Click:

Leave to disconnect the selected nodes from the AD domain.

Cancel to cancel the operation.

Configuring Authentication Domains

If you join ACS to an Active Directory domain, ACS has visibility to the other domains with which it has a trust relationship. By default, ACS permits authentication against all those trusted domains. You can restrict ACS to a subset of authentication domains while interacting with the Active Directory deployments. Configuring authentication domains enables you to select specific domains for each join point so that authentications are performed against the selected domains only. Authentication domains improve security because they instruct ACS to authenticate users only from the selected domains and not from all domains trusted from the join point. Authentication domains also improve the performance and latency of authentication request processing because they limit the search area (that is, where accounts matching the incoming username or identity are searched). This is especially important when the incoming username or identity does not contain domain markup (prefix or suffix). For these reasons, configuring authentication domains is a best practice, and we highly recommend it.

To configure Authentication Domains:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Authentication Domains tab.

A table appears with a list of your trusted domains. By default, ACS permits authentication against all trusted domains.

2. To permit only specified domains, check the check box next to the domains for which you want to allow authentication, and click Enable Selected.

In the Authenticate column, the status of the selected domains is changed to Yes.

Supported Group Types

ACS supports the following security group types:

Universal

Global

Built-in

Built-in groups do not have a unique security identifier (SID) across domains and, to overcome this, Cisco prefixes their SIDs with the name of the domain to which they belong.

ACS uses the AD attribute tokenGroups to evaluate a user's group membership. The ACS machine account must have permission to read the tokenGroups attribute. This attribute can contain approximately the first 1015 groups that a user may be a member of (the actual number depends on the Active Directory configuration and can be increased by reconfiguring Active Directory). If a user is a member of more groups than this, Cisco does not use more than the first 1015 in policy rules.
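The tokenGroups attribute holds group SIDs in their binary encoding. As an added example (not Cisco's or the ACS product's code) of the SID handling just described, this decodes such values into the familiar S-1-5-... form and prefixes built-in groups (S-1-5-32-*) with a domain name, since those SIDs are identical in every domain; the sample SIDs and the domain name acme.com are constructed for the example.

```python
import struct
from typing import Iterable, List

# Binary SID layout: revision (1 byte), sub-authority count (1 byte),
# 48-bit identifier authority (big-endian), then count * 32-bit
# sub-authorities (little-endian).
NT_AUTHORITY = 5          # S-1-5-...
BUILTIN_DOMAIN_RID = 32   # S-1-5-32-* is the BUILTIN domain, the same in every AD domain


def encode_sid(authority: int, *subauthorities: int) -> bytes:
    """Build a binary SID (revision 1); used here only to construct sample data."""
    if len(subauthorities) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    blob = bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
    for sub in subauthorities:
        blob += struct.pack("<I", sub)
    return blob


def decode_sid(blob: bytes) -> str:
    """Decode one tokenGroups value into S-R-I-S... string form.

    Length and revision are checked first so that a truncated or garbage
    value is rejected instead of silently producing a wrong SID.
    """
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def is_builtin(sid: str) -> bool:
    """True for groups in the BUILTIN domain (for example S-1-5-32-544, Administrators)."""
    return sid.startswith("S-1-%d-%d-" % (NT_AUTHORITY, BUILTIN_DOMAIN_RID))


def group_key(sid: str, domain: str) -> str:
    """Key under which a group is matched in policy.

    Domain groups (S-1-5-21-<domain identifier>-<rid>) already embed a
    per-domain identifier, so the SID alone is unique. BUILTIN groups are
    not, so they are prefixed with the domain they were read from, as the
    text describes.
    """
    return "%s/%s" % (domain.lower(), sid) if is_builtin(sid) else sid


def resolve_token_groups(values: Iterable[bytes], domain: str) -> List[str]:
    """Turn the raw tokenGroups values of one account into policy group keys."""
    return [group_key(decode_sid(v), domain) for v in values]


# Constructed sample: one domain group and BUILTIN\Administrators, as they
# might appear in tokenGroups for a user in the made-up acme.com domain.
SAMPLE_TOKEN_GROUPS = [
    encode_sid(5, 21, 3623811015, 3361044348, 30300820, 1105),
    encode_sid(5, 32, 544),
]

if __name__ == "__main__":
    for key in resolve_token_groups(SAMPLE_TOKEN_GROUPS, "acme.com"):
        print(key)
```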

Configure Active Directory User Groups

You must configure Active Directory user groups for them to be available for use in authorization policies. Internally, ACS uses security identifiers (SIDs) to resolve group name ambiguity issues and to enhance group mappings. SIDs provide accurate group assignment matching.

Before you Begin

Ensure that ACS is connected to the Active Directory domain.

Procedure

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, and then click the Directory Groups tab.

The Directory Groups page appears. The Selected Directory Groups field lists the AD groups you selected and saved. The AD groups you selected in the External User Groups page are listed and are available as options in group mapping conditions in rule tables.

If you have more groups in other trusted domains or forests that are not displayed, you can use the search filter to narrow down your search results. You can also add a new AD group using the Add button.

Note: ACS does not retrieve domain local groups. It is not recommended to use domain local groups in ACS policies. The reason is that membership evaluation in domain local groups can be time consuming. So, by default, the domain local groups are not evaluated.

2. Click Select to see the available AD groups on the domain (and other trusted domains in the same forest).

The External User Groups dialog box appears, displaying a list of AD groups in the domain, as well as other trusted domains in the same forest.

If you have more groups that are not displayed, use the search filter to refine your search and click Go.

3. Enter the AD groups or select them from the list, then click OK.

To remove an AD group from the list, click an AD group, and then click Deselect.

4. Click:

Save Changes to save the configuration.

Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Note: If you delete a group and create a new group with the same name as the original, you must click Update SID Values to assign the new SID to the newly created group. After an upgrade, the SIDs are automatically updated after the first join. You must map the newly created group with the updated SID to the policy again for the authorization rule to hit correctly and pass the authentication.

Note: When configuring the AD Identity Store on ACS 5.10, the security groups defined on Active Directory are enumerated and can be used, but distribution groups are not shown. Active Directory distribution groups are not security-enabled and can only be used with e-mail applications to send e-mail to collections of users. Please refer to the Microsoft documentation for more information on distribution groups.

Note: Logon authentication may fail on Active Directory when ACS tries to authenticate users who belong to more than 1015 groups in external identity stores. This is due to the Local Security Authentication (LSA) limitations in Active Directory.

Configure Active Directory Attributes

You must configure Active Directory attributes to be able to use them in conditions in authorization policies.

Before you Begin

Ensure that ACS is connected to the Active Directory domain.

Procedure

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, and then click the Directory Attributes tab.

2. Complete the fields in the Active Directory: Attributes page as described in Table 5:

Table 5 Active Directory: Attributes Page

Option

Description

Name of Example Subject to Select Attributes

Enter the name of a user or computer found on the joined domain. You can enter the user's or the computer's CN or distinguished name.

The set of attributes that are displayed belong to the subject that you specify. The set of attributes is different for a user and a computer.

Select

Click to access the Attributes secondary window, which displays the attributes of the name you entered in the previous field.

Attribute Name List

Displays the attributes you have selected in the secondary Selected Attributes window. You can select multiple attributes together and submit them.

Attribute Name

Do one of the following:

Enter the name of the attribute.

You can also select an attribute from the list, then click Edit to edit the attribute.

Click Add to add an attribute to the Attribute Name list.

Type

Attribute types associated with the attribute names. Valid options are:

String

Integer 64

IP Address—This can be either an IPv4 or IPv6 address.

Unsigned Integer 32

Boolean

Default

Specified attribute default value for the selected attribute:

String—Name of the attribute.

Integer 64—0

Unsigned Integer 64—0.

IP Address—No default set.

Boolean—No default set.

Policy Condition Name

Enter the custom condition name for this attribute. For example, if the custom condition name is AAA, enter AAA in this field and not AD1:att_name.

Select Attributes Secondary Window

Available from the Attributes secondary window only.

Search Filter

Specify a user or machine name.

For user names, you can specify distinguished name, SAM, NetBIOS, or UPN format.

For machine names, you can specify one of the following formats: MACHINE$, NETBiosDomain\MACHINE$, host/MACHINE, or host/machine.domain. You can specify non-English characters for user and machine names.

Attribute Name

The name of an attribute of the user or machine name you entered in the previous field.

Attribute Type

The type of the attribute.

Attribute Value

The value of the attribute for the specified user or machine.

3. Do one of the following:

Click Save Changes to save the configuration.

Click Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Configure Active Directory Machine Access Restrictions

To configure the Machine Access Restrictions, complete the following steps:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Machine Access Restrictions tab.

2. Complete the fields in the Active Directory: Machine Access Restrictions page as described in Table 6:

Table 6 Active Directory: Machine Access Restrictions Page

Option

Description

Enable Machine Access Restrictions

Check this check box to enable the Machine Access Restrictions controls in the web interface. This ensures that the machine authentication results are tied to user authentication and authorization. If you enable this feature, you must set the Aging time.

Aging time (hours)

Time after a machine was authenticated during which a user can be authenticated from that machine. If this time elapses, user authentication fails. The default value is 6 hours. The valid range is from 1 to 8760 hours.

MAR Cache Distribution

Cache entry replication timeout

Enter the time in seconds after which the cache entry replication times out. The default value is 5 seconds. The valid range is from 1 to 10.

Cache entry replication attempts

Enter the number of times ACS has to perform MAR cache entry replication. The default value is 2. The valid range is from 0 to 5.

Cache entry query timeout

Enter the time in seconds after which the cache entry query times out. The default value is 2 seconds. The valid range is from 1 to 10.

Cache entry query attempts

Enter the number of times that ACS has to perform the cache entry query. The default value is 1. The valid range is from 0 to 5.

Node

Lists all the nodes that are connected to this AD domain.

Cache Distribution Group

Enter the Cache Distribution Group of the selected node. This accepts any text string up to a maximum of 64 characters. The Cache Distribution Group does not allow the special characters "(" and ")".

3. Do one of the following:

Click Save Changes to save the configuration.

Click Discard Changes to discard all changes.

If AD is already configured and you want to delete it, click Clear Configuration after you verify that there are no policy rules that use custom conditions based on the AD dictionary.

Read-Only Domain Controllers

The following operations are supported on read-only domain controllers:

Kerberos user authentication

User lookup

Attribute and group fetch

Active Directory Supported Authentication Protocols and Features

Active Directory supports features such as user and machine authentication and, with some protocols, changing Active Directory user passwords. The following table lists the authentication protocols and the corresponding features that are supported by Active Directory.

Table 7 Authentication Protocols Supported by Active Directory

| Authentication Protocol | Features |
|---|---|
| EAP-FAST and password-based Protected Extensible Authentication Protocol (PEAP) | User and machine authentication with the ability to change passwords using EAP-FAST and PEAP with an inner method of MS-CHAPv2 and EAP-GTC |
| Password Authentication Protocol (PAP) | User and machine authentication |
| Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAPv1) | User and machine authentication |
| Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2) | User and machine authentication |
| Extensible Authentication Protocol-Generic Token Card (EAP-GTC) | User and machine authentication |
| Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) | User and machine authentication; groups and attributes retrieval; binary certificate comparison |
| Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling-Transport Layer Security (EAP-FAST-TLS) | User and machine authentication; groups and attributes retrieval; binary certificate comparison |
| Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) | User and machine authentication; groups and attributes retrieval; binary certificate comparison |
| Lightweight Extensible Authentication Protocol (LEAP) | User authentication |

Active Directory User Authentication Process Flow

When authenticating or querying a user, ACS checks the following:

MS-CHAP and PAP authentications check whether the user is disabled, locked out, expired, or out of logon hours, and the authentication fails if any of these conditions is true.

EAP-TLS authentications check whether the user is disabled or locked out, and the authentication fails if either of these conditions is met.

Additionally, you can set the IdentityAccessRestricted attribute if the conditions mentioned above (for example, user disabled) are met. The IdentityAccessRestricted attribute is set in order to support legacy policies and is not required in ACS 5.8, because authentication fails if such conditions (for example, user disabled) are met.

Supported Username Formats

The following are the supported username types:

SAM, for example: jdoe

NetBIOS prefixed SAM, for example: ACME\jdoe

UPN, for example: jdoe@acme.com

Alt UPN, for example: john.doe@acme.co.uk

Subtree, for example: johndoe@finance.acme.com

SAM machine, for example: laptop$

NetBIOS prefixed machine, for example: ACME\laptop$

FQDN DNS machine, for example: host/laptop.acme.com

Hostname only machine, for example: host/laptop

Active Directory Password-Based Authentication

Password Authentication Protocol (PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) are password-based protocols. MS-CHAP credentials can be authenticated only by MS-RPC. ACS provides two options for PAP authentication: MS-RPC and Kerberos. Both MS-RPC and Kerberos are equally secure options. MS-RPC for PAP authentication is the default and recommended option because:

It provides consistency with MS-CHAP

It provides clearer error reporting

It allows more efficient communication with Active Directory. In the case of MS-RPC, ACS sends authentication requests to a domain controller from the joined domain only, and that domain controller handles the request.

In the case of Kerberos, ACS needs to follow Kerberos referrals from the joined domain to the user's account domain (that is, ACS needs to communicate with all domains on the trust path from the joined domain to the user's account domain).

ACS examines the username format and calls the domain manager to locate the appropriate connection. After the domain controller for the account domain is located, ACS tries to authenticate the user against it. If the password matches, the user is granted access to the network.

Password-based machine authentication is very similar to user-based authentication, except when the machine name is in host/prefix format. This format (which is a DNS namespace) cannot be authenticated as is by ACS and is converted to NetBIOS-prefixed SAM format before it is authenticated.
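As an added example (not Cisco's or the ACS product's code) covering the username formats listed above and the host/ rewrite just described, this recognises each format, flags names with no domain markup as the ambiguous case the identity resolution setting addresses, and converts host/ machine names to NETBIOS\MACHINE$. The DNS-to-NetBIOS mapping and the rule that a bare host/laptop belongs to the joined domain are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed mapping from DNS domain to NetBIOS domain name. In a real
# deployment this comes from the trusted-domain discovery described in the
# text; the names here are made up for the example.
DNS_TO_NETBIOS: Dict[str, str] = {
    "acme.com": "ACME",
    "finance.acme.com": "FINANCE",
}


@dataclass
class Identity:
    form: str               # which of the listed username formats was recognised
    account: str            # SAM account name; machine accounts keep their trailing $
    domain: Optional[str]   # NetBIOS or DNS domain carried in the name, None if unqualified
    is_machine: bool


def classify(username: str) -> Identity:
    """Recognise the username formats listed in the text.

    Alt-UPN and subtree names are syntactically UPNs (user@suffix), so they are
    reported as the 'upn' form; only the directory knows which suffixes are
    alternative UPN suffixes.
    """
    if not username or any(c.isspace() for c in username):
        raise ValueError("empty or whitespace-containing username")
    if username.startswith("host/"):
        hostpart = username[len("host/"):]
        if not hostpart or "/" in hostpart or "\\" in hostpart:
            raise ValueError("malformed host/ machine name")
        host, _, dns_domain = hostpart.partition(".")
        form = "fqdn-machine" if dns_domain else "hostname-machine"
        return Identity(form, host + "$", dns_domain.lower() or None, True)
    if "\\" in username:
        netbios, _, sam = username.partition("\\")
        if not netbios or not sam or "\\" in sam:
            raise ValueError("malformed NETBIOS\\name")
        machine = sam.endswith("$")
        form = "netbios-machine" if machine else "netbios-sam"
        return Identity(form, sam, netbios.upper(), machine)
    if "@" in username:
        user, _, suffix = username.rpartition("@")
        if not user or not suffix:
            raise ValueError("malformed UPN")
        return Identity("upn", user, suffix.lower(), False)
    machine = username.endswith("$")
    return Identity("machine-sam" if machine else "sam", username, None, machine)


def is_ambiguous(ident: Identity) -> bool:
    """A name without domain markup may match an account in more than one
    trusted domain; this is the clash that qualified names avoid."""
    return ident.domain is None


def to_netbios_sam(ident: Identity, joined_dns_domain: str) -> str:
    """Rewrite a machine identity to NETBIOS\\MACHINE$, the form the text says
    ACS authenticates host/ names in.

    Assumption of this example: a machine name that carries no domain
    (host/laptop or laptop$) is treated as belonging to the joined domain.
    """
    if not ident.is_machine:
        raise ValueError("only machine identities are rewritten")
    if ident.form == "netbios-machine":
        return "%s\\%s" % (ident.domain, ident.account)
    dns_domain = ident.domain if ident.form == "fqdn-machine" else joined_dns_domain.lower()
    netbios = DNS_TO_NETBIOS.get(dns_domain)
    if netbios is None:
        raise LookupError("no NetBIOS name known for DNS domain %r" % dns_domain)
    return "%s\\%s" % (netbios, ident.account)


if __name__ == "__main__":
    for name in ("jdoe", "ACME\\jdoe", "jdoe@acme.com", "host/laptop.acme.com", "host/laptop"):
        ident = classify(name)
        note = " (ambiguous: no domain markup)" if is_ambiguous(ident) else ""
        print("%-22s -> %s%s" % (name, ident, note))
```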

Active Directory Certificate Retrieval for Certificate-Based Authentication

ACS supports certificate retrieval for user and machine authentication that uses the EAP-TLS protocol. The user or car record on Active Directory includes a certificate attribute of the binary data type. This certificate aspect can incorporate one or more certificates. ACS identifies this aspect as userCertificate and does not allow you to configure any other name for this attribute. ACS retrieves this document and uses it to perform binary comparing.

The certificate authentication profile determines the field where the username is taken from in guild to lookup the user in Active Directory to be used for retrieving certificates, for example, Subject Alternative Proper noun (SAN) or Mutual Name. Afterwards ACS retrieves the certificate, it performs a binary comparison of this document with the client document. When multiple certificates are received, ACS compares the certificates to check for one that matches. When a friction match is found, the user or machine authentication is passed.

Add a Certificate Authentication Profile

You must create a certificate authentication profile if you want to use the Extensible Hallmark Protocol-Transport Layer Security (EAP-TLS) document-based hallmark method. Instead of authenticating via the traditional username and password method, ACS compares a document received from a client with one in the server to verify the actuality of a user.

The document authentication profile defines the X509 certificate information to be used for a certificate- based access request. You tin select an attribute from the certificate to be used as the username. You can select a subset of the certificate attributes to populate the username field for the context of the request. The username is and then used to identify the user for the residuum of the request, including the identification used in the logs.

You can use the certificate hallmark contour to recollect certificate information to further validate a certificate presented by an LDAP or Advertizing client. The username from the certificate authentication profile is used to query the LDAP or AD identity store. ACS compares the client certificate against all certificates retrieved from the LDAP or Advert identity shop, one subsequently another, to meet if 1 of them matches. ACS either accepts or rejects the request.

For ACS to accept a request, only ane certificate from either the LDAP or the Advertisement identity store must match the client certificate.

When ACS processes a document-based request for authentication, one of 2 things happens: the username from the document is compared to the username in ACS that is processing the request, or ACS uses the information that is defined in the selected LDAP or Advertising identity store to validate the document information.

You can duplicate a certificate authentication profile to create a new profile that is the same as, or similar to, an existing certificate authentication profile. After duplication is complete, you access each profile (original and duplicated) separately, to edit or delete them.

ACS 5.8 now supports the certificate name constraint extension. It accepts the client certificates whose issuers contain the name constraint extension. It checks the client certificates for CA and sub-CA certificates. This extension defines a name space for all subject names in the subsequent certificates in a certificate path. It applies to both the subject distinguished name and the subject alternative name. These restrictions are applicable only when the specified name form is present in the client certificate. The ACS authentication fails if the client certificate is excluded or not permitted by the namespace.

Supported Name Constraints:

Directory name

DNS

Email

URL

Unsupported Name Constraints:

IP address

Other name
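The following added example (not ACS code) shows how the supported name forms are evaluated against the permitted and excluded subtrees of every CA in the path, following the RFC 5280 matching rules; the CA constraints and certificate names are constructed placeholders in plain Python structures, and IP address and other-name entries are ignored as unsupported.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlsplit

# Name forms evaluated; "ip" and "othername" are unsupported and are skipped.
SUPPORTED_FORMS = ("dns", "email", "uri", "dirname")


@dataclass
class NameConstraints:
    """Permitted and excluded subtrees of one CA, as (form, value) pairs."""
    permitted: List[Tuple[str, object]] = field(default_factory=list)
    excluded: List[Tuple[str, object]] = field(default_factory=list)


def _dns_matches(name: str, constraint: str) -> bool:
    # RFC 5280 4.2.1.10: any name built by adding labels on the left satisfies
    # a DNS constraint (a leading dot in the constraint is tolerated).
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    return name == constraint or name.endswith("." + constraint)


def _email_matches(mailbox: str, constraint: str) -> bool:
    mailbox, constraint = mailbox.lower(), constraint.lower()
    if "@" in constraint:            # a full mailbox constrains exactly that mailbox
        return mailbox == constraint
    host = mailbox.rpartition("@")[2]
    if constraint.startswith("."):   # ".example.com" covers every host in the domain
        return host.endswith(constraint)
    return host == constraint        # a bare host covers mailboxes at that host only


def _uri_matches(uri: str, constraint: str) -> bool:
    # URI constraints apply to the host part of the URI only.
    host = (urlsplit(uri).hostname or "").lower()
    constraint = constraint.lower()
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint


def _dirname_matches(dn, constraint) -> bool:
    # Directory names are RDN sequences (root first); a constraint matches
    # when it is a prefix of the subject's DN.
    dn = [r.lower() for r in dn]
    constraint = [r.lower() for r in constraint]
    return dn[:len(constraint)] == constraint


_MATCHERS = {"dns": _dns_matches, "email": _email_matches,
             "uri": _uri_matches, "dirname": _dirname_matches}


def name_constraints_allow(subject_names, chain) -> Tuple[bool, str]:
    """Return (allowed, reason) for the names of a client certificate.

    subject_names: (form, value) pairs collected from the subject DN and SAN.
    chain: NameConstraints of every CA and sub-CA in the path; each must permit
    the names. A constrained form that the certificate lacks imposes nothing,
    and a form that no CA constrains is not restricted.
    """
    for form, value in subject_names:
        if form not in SUPPORTED_FORMS:
            continue
        for ca in chain:
            for cform, cval in ca.excluded:
                if cform == form and _MATCHERS[form](value, cval):
                    return False, f"{form} name {value!r} is excluded by {cval!r}"
            permitted = [cval for cform, cval in ca.permitted if cform == form]
            if permitted and not any(_MATCHERS[form](value, c) for c in permitted):
                return False, f"{form} name {value!r} is not permitted by {permitted}"
    return True, "all constrained name forms are permitted"


# Constructed data: an issuing CA restricted to corp.example.com (placeholder domain).
EXAMPLE_CHAIN = [NameConstraints(
    permitted=[("dns", "corp.example.com"), ("email", ".corp.example.com"),
               ("uri", ".corp.example.com")],
    excluded=[("dns", "lab.corp.example.com")])]

if __name__ == "__main__":
    cert = [("dns", "pc17.corp.example.com"), ("email", "jdoe@mail.corp.example.com")]
    print(name_constraints_allow(cert, EXAMPLE_CHAIN))
```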

To create, duplicate, or edit a certificate authentication profile, complete the following steps:

1. Choose Users and Identity Stores > Certificate Authentication Profile.

The Certificate Authentication Profile folio appears.

2. Do one of the following:

Click Create.

Check the check box next to the certificate authentication profile that you want to duplicate, then click Duplicate.

Click the certificate authentication profile that you want to modify, or check the check box next to the name and click Edit.

The Certificate Authentication Profile Properties page appears.

3. Complete the fields in the Certificate Authentication Profile Properties page as described in Table 8:

Table 8 Certificate Authentication Profile Properties Page

Option: Description

General

Name: Enter the name of the certificate authentication profile.

Description: Enter a description of the certificate authentication profile.

Certificate Definition

Principal Username X509 Attribute: Available set of principal username attributes for X509 authentication. The selection includes: Common Name; Subject Alternative Name; Subject Serial Number; Subject; Subject Alternative Name - Other Name; Subject Alternative Name - EMail; Subject Alternative Name - DNS.

Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory: Check this check box if you want to validate certificate information for authentication against a selected LDAP or AD identity store. If you select this option, you must enter the name of the LDAP or AD identity store, or click Select to select the LDAP or AD identity store from the available list.

4. Click Submit.

The Certificate Authentication Profile page reappears.

Modify Password Changes, Machine Authentications, and Machine Access Restriction Settings

Before You Begin

You must join ACS to the Active Directory domain.

Procedure

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.

The Active Directory General tab appears.

2. Modify as required to enable the Password Change, Machine Authentication, dial-in check, and callback check for dial-in clients. Password Change and Machine Authentication are enabled by default.

3. Check the Use Kerberos for Plain Text Authentications check box if you want to use Kerberos for plain-text authentications. The default and recommended option is MS-RPC.

Authorization Against an Active Directory Instance

The following sections explain the mechanism that ACS uses to authorize a user or a machine against Active Directory.

Active Directory Attribute and Group Retrieval for Use in Authorization Policies

ACS retrieves user or machine attributes and groups from Active Directory for use in authorization policy rules. These attributes can be used in ACS policies and determine the authorization level for a user or machine. ACS retrieves user and machine Active Directory attributes after successful authentication and can also retrieve attributes for an authorization that is independent of authentication.

ACS may use groups in external identity stores to assign permissions to users or computers; for example, to map users to sponsor groups. You should note the following restrictions on group memberships in Active Directory:

Policy rule conditions may reference any of the following: a user's or computer's primary group, the groups of which a user or computer is a direct member, or indirect (nested) groups.

Domain local groups outside a user's or computer's account domain are not supported.

Attributes and groups are retrieved and managed per Active Directory domain. They are used in authorization policy (by selecting first the join point and then the attribute). You cannot define attributes or groups per scope for authorization, but you can use scopes for authentication policy. When you use a scope in authentication policy, it is possible that a user is authenticated via one join point, but attributes and/or groups are retrieved via another join point that has a trust path to the user's account domain. You can use authentication domains to ensure that no two join points in one scope have any overlap in authentication domains.

See the Microsoft-imposed limits on the maximum number of usable Active Directory groups: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=WS.10).aspx

An authorization policy fails if the rule contains an Active Directory group name with special characters such as /!@\#$%^&*()_+~.

Identity Resolution Settings

Some types of identities include a domain markup, such as a prefix or a suffix. For example, in a NetBIOS identity such as ACME\jdoe, "ACME" is the domain markup prefix; similarly, in a UPN identity such as jdoe@acme.com, "acme.com" is the domain markup suffix. The domain prefix should match the NetBIOS (NTLM) name of the Active Directory domain in your organization, and the domain suffix should match the DNS name of the Active Directory domain or the alternative UPN suffix in your organization. For example, jdoe@gmail.com is treated as having no domain markup because gmail.com is not a DNS name of an Active Directory domain.

The identity resolution settings allow you to configure important settings to tune the security and performance balance to match your Active Directory deployment. You can use these settings to tune authentications for usernames and hostnames without domain markup. In cases when ACS is not aware of the user's domain, it can be configured to search for the user in all the authentication domains. Even if the user is found in one domain, ACS will wait for all responses in order to ensure that there is no identity ambiguity. This might be a lengthy process, subject to the number of domains, latency in the network, load, and so on.

Avoid Identity Resolution Issues

It is highly recommended to use fully qualified names (that is, names with domain markup) for users and hosts during authentication; for example, UPNs and NetBIOS names for users and FQDN SPNs for hosts. This is especially important if you hit ambiguity errors often, such as several Active Directory accounts matching the incoming username; for instance, jdoe matches jdoe@emea.acme.com and jdoe@amer.acme.com. In some cases, using fully qualified names is the only way to resolve the issue. In others, it may be sufficient to guarantee that the users have unique passwords. So, it is more efficient and leads to fewer password lockout problems if unique identities are used initially.

Configure Identity Resolution Settings

Note: This configuration task is optional. You can perform it to reduce authentication failures that can arise because of various reasons such as ambiguous identity errors.

Before You Begin

You must join ACS to the Active Directory domain. Multiple join is not supported in ACS 5.8.

Procedure

1. Choose Users and Identity Stores > External Identity Stores > Active Directory.

ACS displays the Active Directory General tab and its details.

2. Define the following settings for identity resolution for usernames or machine names under the Identity Resolution section. This setting provides you advanced control for user search and authentication.

The first setting is for identities without a markup. In such cases, you can select any of the following options:

Reject the request: This option will fail the authentication for users who do not have any domain markup, such as a SAM name. This is useful in the case of multiple joined domains, where ACS would have to look up the identity in all the joined global catalogs, which might not be very secure. This option forces the users to use names with domain markup.

Only search in the "Authentication Domains" from the joined forest: This option will search for the identity only in the domains in the forest of the join point which are specified in the authentication domains section. This is the default option and identical to ACS 5.7 behavior for SAM account names.

Search in all the "Authentication Domains" sections: This option will search for the identity in all authentication domains in all the trusted forests. This might increase latency and impact performance.

The selection is made based on how the authentication domains are configured in ACS. If only specific authentication domains are selected, only those domains will be searched (for both "joined forest" or "all forests" selections).

Only search in the "Joined Domain": (Introduced in the ACS 5.8 patch 9 release) This option will search for the identity only in the joined domain.

Note: If you have selected the Only search in the "Joined Domain" option and are downgrading from an ACS 5.8 patch 9 or later release to a lower release, ensure that you deselect this option, and select one of the other three options (Reject the request, Only search in the "Authentication Domains", or Search in all the "Authentication Domains" sections).

The second setting is used if ACS cannot communicate with all Global Catalogs (GCs) that it needs to in order to comply with the configuration specified in the "Authentication Domains" section. In such cases, you can select any of the following options:

Proceed with available domains: This option will proceed with the authentication if it finds a match in any of the available domains.

Drop the request: This option will drop the authentication request if the identity resolution encounters some unreachable or unavailable domain.

Troubleshooting Tools

ACS provides several tools to diagnose and troubleshoot Active Directory errors.

Diagnose Active Directory Issues

The Diagnostic Tool is a service that runs on every ACS node. It allows you to automatically test and diagnose the Active Directory deployment and execute a set of tests to detect issues that may cause functionality or performance failures when ACS uses Active Directory.

There are multiple reasons for which ACS might be unable to join or authenticate against Active Directory. This tool helps ensure that the prerequisites for connecting ACS to Active Directory are configured correctly. It helps detect issues with networking, firewall configurations, clock sync, user authentication, and so on. This tool works as a step-by-step guide and helps you fix problems with every layer in the middle, if needed.

You can run the following three tests without joining ACS to Active Directory to check if the AD Daemon is running properly:

System health - check AD service

System health - check DNS configuration

System health - check NTP

To diagnose Active Directory problems:

1. Choose Users and Identity Stores > External Identity Stores > Active Directory, then click the Diagnostic Tools tab.

The Diagnostic Tools tab displays the list of all available tests that you can run on ACS to check Active Directory domain functions.

2. Check the check box or check boxes next to the tests that you want to run.

3. Click:

Run Selected Tests to run only the selected tests.

Run All Tests to run all the tests.

Stop All Running Tests to stop ACS from running all tests.

You can see the test results in the Result and Remedy columns.

Active Directory Alarms and Reports

Alarms

ACS provides various alarms and reports to monitor and troubleshoot Active Directory related activities.

The following alarms are triggered for Active Directory errors and issues:

Configured nameserver not available

Joined domain is unavailable

Authentication domain is unavailable

Active Directory forest is unavailable

AD Connector had to be restarted

AD: ACS account password update failed

AD: Machine TGT refresh failed

Reports

You can monitor Active Directory related activities through the following two reports:

RADIUS Authentications Report: This report shows the detailed steps of the Active Directory authentication and authorization. You can find this report here: Operations > Reports > Auth Services Status > RADIUS Authentications.

AD Connector Operations Report: The AD Connector Operations report provides a log of background operations performed by the AD connector, such as ACS server password refresh, Kerberos ticket management, DNS queries, DC discovery, LDAP, and RPC connections management. If you see any Active Directory failures, you can review the details in this report to identify the possible causes. You can find this report here: Operations > Reports > Auth Services Status > AD Connector Operations.

Active Directory Advanced Tuning

The advanced tuning feature provides node-specific settings used for support action under the supervision of Cisco support personnel, to adjust the parameters deeper in the system. These settings are not intended for the normal administration flow, and should be used only under guidance.

AD Connector Internal Operations

The following sections describe the internal operations that take place in the AD connector.

Domain Discovery Algorithm

ACS performs domain discovery in three phases:

1. Queries joined domains: Discovers domains from its forest and domains externally trusted to the joined domain.

2. Queries root domains in its forest: Establishes trust with the forest.

3. Queries root domains in trusted forests: Discovers domains from the trusted forests.

Additionally, ACS discovers DNS domain names (UPN suffixes), alternative UPN suffixes, and NTLM domain names.

The default domain discovery frequency is every two hours. You can modify this value from the Advanced Tuning page, but only in consultation with Cisco support personnel.

DC Discovery

The AD connector selects a domain controller (DC) for a given domain as follows:

1. Performs a DNS SRV query (not scoped to a site) to get a full list of domain controllers in the domain.

2. Performs DNS resolution for DNS SRVs that lack IP addresses.

3. Sends CLDAP ping requests to domain controllers according to the priorities in the SRV record and processes only the first response, if any. The CLDAP response contains the DC site and the client site (that is, the site to which the ACS machine is assigned).

4. If the DC site and client site are the same, the response originator (that is, DC) is selected.

5. If the DC site and client site are not the same, the AD Connector performs a DNS SRV query scoped to the discovered client site, gets the list of domain controllers serving the client site, sends CLDAP ping requests to these domain controllers, and processes only the first response, if any. The response originator (that is, the DC) is selected. If there is no DC in the client's site serving the site, or no DC is currently available in the site, then the DC detected in Step 2 is selected.

You can influence the domain controllers that ACS uses by creating and using an Active Directory site. See the Microsoft Active Directory documentation on how to create and use sites.

ACS also provides the ability to define a list of preferred DCs per domain. This list of DCs will be prioritized for selection before DNS SRV queries. But this list of preferred DCs is not an exclusive list. If the preferred DCs are unavailable, other DCs are selected. You can create a list of preferred DCs in the following cases:

The SRV records are bad, missing or not configured.

The site association is incorrect or missing, or the site cannot be used.

The DNS configuration is incorrect or cannot be edited.
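The DC selection steps above, the preferred-DC list, and the blacklist used during DC failover, as an added simulation that is not ACS code: the DNS zone (SRV and A records), the CLDAP answers with their site fields, and the placeholder domain corp.example.com are all constructed in memory, and a missing CLDAP entry models a DC that does not answer.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

DOMAIN = "corp.example.com"   # placeholder domain for the constructed zone


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    target: str


@dataclass(frozen=True)
class CldapReply:
    """The two site fields of a CLDAP ping answer that the algorithm uses."""
    dc_site: str
    client_site: str


# Constructed DNS zone. dc4 has an SRV record but no A record, so step 2 drops it.
SRV_ZONE: Dict[str, List[Srv]] = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        Srv(0, 100, "dc1.corp.example.com"), Srv(0, 100, "dc4.corp.example.com"),
        Srv(0, 50, "dc2.corp.example.com"), Srv(10, 100, "dc3.corp.example.com")],
    f"_ldap._tcp.Branch._sites.dc._msdcs.{DOMAIN}": [Srv(0, 100, "dc3.corp.example.com")],
}
A_RECORDS = {"dc1.corp.example.com": "192.0.2.11", "dc2.corp.example.com": "192.0.2.12",
             "dc3.corp.example.com": "192.0.2.13"}

# Constructed CLDAP answers: the ACS host sits in site "Branch", dc1 and dc2 in "HQ".
CLDAP_ALL_UP = {
    "dc1.corp.example.com": CldapReply("HQ", "Branch"),
    "dc2.corp.example.com": CldapReply("HQ", "Branch"),
    "dc3.corp.example.com": CldapReply("Branch", "Branch"),
}


def srv_query(name: str) -> List[str]:
    """Steps 1 and 5: SRV lookup, targets ordered by priority then descending weight."""
    recs = sorted(SRV_ZONE.get(name, []), key=lambda r: (r.priority, -r.weight))
    return [r.target for r in recs]


def first_cldap_response(targets, cldap, blacklist) -> Optional[Tuple[str, CldapReply]]:
    """Step 3: ping in SRV order and keep only the first answer; blacklisted DCs are skipped."""
    for target in targets:
        if target in blacklist:
            continue
        reply = cldap.get(target)          # None models no answer (DC down or unreachable)
        if reply is not None:
            return target, reply
    return None


def select_dc(domain: str, cldap: Dict[str, CldapReply], preferred: Iterable[str] = (),
              blacklist: Iterable[str] = ()) -> Tuple[Optional[str], str]:
    """Return (selected DC, reason) following the selection steps above."""
    blacklist = set(blacklist)
    # Preferred DCs are tried before any SRV query, but they are not an exclusive list.
    for dc in preferred:
        if dc not in blacklist and cldap.get(dc) is not None:
            return dc, "preferred DC answered the CLDAP ping"
    targets = srv_query(f"_ldap._tcp.dc._msdcs.{domain}")              # step 1
    targets = [t for t in targets if t in A_RECORDS]                      # step 2
    first = first_cldap_response(targets, cldap, blacklist)              # step 3
    if first is None:
        return None, "no domain controller answered"
    dc, reply = first
    if reply.dc_site == reply.client_site:                               # step 4
        return dc, f"first responder is in the client site {reply.client_site}"
    site_targets = srv_query(f"_ldap._tcp.{reply.client_site}._sites.dc._msdcs.{domain}")
    site_targets = [t for t in site_targets if t in A_RECORDS]
    site_first = first_cldap_response(site_targets, cldap, blacklist)    # step 5
    if site_first is not None:
        return site_first[0], f"first responder among DCs serving site {reply.client_site}"
    return dc, "no DC available in the client site; keeping the unscoped first responder"


if __name__ == "__main__":
    print(select_dc(DOMAIN, CLDAP_ALL_UP))
```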

DC Failover

Domain controller (DC) failover can be triggered by the following conditions:

The AD connector detects that the currently selected DC has become unavailable during an LDAP, RPC, or Kerberos communication attempt. The DC might be unavailable because it is down or has no network connectivity. In such cases, the AD connector initiates DC selection and fails over to the newly selected DC.

The DC is up and responds to the CLDAP ping, but the AD connector cannot communicate with it for some reason, for example if the RPC port is blocked, the DC is in a broken replication state, or the DC has not been properly decommissioned. In such cases, the AD connector initiates DC selection with a black list (the "bad" DC is placed in the black list) and tries to communicate with the selected DC. Neither the DC selected with the blacklist nor the blacklist is cached.

DNS Failover

You can configure up to three DNS servers and one domain suffix. If you are using an Active Directory identity store sequence in ACS, you must ensure that all the DNS servers can answer forward and reverse DNS queries for any possible Active Directory DNS domain you want to use. DNS failover happens only when the first DNS server is down; the failover DNS server should have the same records as the first one. If a DNS server fails to resolve a query, the DNS client does not attempt another DNS server. By default, the DNS client retries the query twice and times out the query in 3 seconds.

Resolve Identity Algorithm

For an identity, different algorithms are used to locate the user or machine object based on the type of identity, whether a password was supplied, and whether any domain markup is present in the identity. Following are the different algorithms used by ACS to resolve different types of identities.

Resolving SAM Names

If the identity is a SAM name (username or machine name without any domain markup), ACS searches the forest looking for the identity. If there is a unique match, ACS determines its domain or the unique name and proceeds with the AAA flow.

If the SAM name is not unique and ACS is configured to use a passwordless protocol such as EAP-TLS, there are no other criteria to locate the right user, so ACS fails the authentication with an "Ambiguous Identity" error. However, if the user certificate is present in Active Directory, ACS uses binary comparison to resolve the identity.

If ACS is configured to use a password-based protocol such as PAP or MSCHAP, ACS continues to check the passwords. If there is a unique match, ACS proceeds with the AAA flow. However, if there is more than one account with the same password, ACS fails the authentication with an "Ambiguous Identity" error.

You should avoid username collisions. This not only increases efficiency and security but also prevents accounts from being locked out. For example, suppose there exist two "chris" accounts with different passwords and ACS receives only the SAM name "chris". In this scenario, ACS will keep trying both accounts with SAM name "chris" before deciding on the right one. In such cases, Active Directory can lock out one of the accounts due to incorrect password attempts. Therefore, you should try to use unique usernames or ones with domain markup. Alternatively, you can qualify the SAM names if you use specific network devices for each Active Directory domain.

Resolving UPNs

If the identity is a UPN, ACS searches each forest's global catalogs looking for a match to that UPN identity. If there is a unique match, ACS proceeds with the AAA flow. If there are multiple join points with the same UPN and a password was not supplied or does not help in determining the right account, ACS fails the authentication with an "Ambiguous Identity" error.

ACS also permits an identity that appears to be a UPN to match the user's mail attribute as well; that is, it searches for "identity=matching UPN or email". Some users log in with their email name (often via a certificate) and not a real underlying UPN. This is implicitly done if the identity looks like an email address.

Resolving Machine Identities

If it is a machine authentication, with the identity having a host/ prefix, ACS searches the forest for a matching servicePrincipalName attribute. If a fully-qualified domain suffix was specified in the identity, for example host/machine.domain.com, ACS searches the forest where that domain exists. If the identity is in the form host/machine, ACS searches all forests for the service principal name. If there is more than one match, ACS fails the authentication with an "Ambiguous Identity" error.

If the machine is in another identity format, for example machine@domain.com, ACME\laptop$ or laptop$, ACS uses the normal UPN, NetBIOS or SAM resolution algorithm.

Resolving NetBIOS Identities

If the identity has a NetBIOS domain prefix, for example ACME\jdoe, ACS searches the forests for the NetBIOS domain. Once found, it then looks for the supplied SAM name ("jdoe" in this case) in the located domain. NetBIOS domains are not necessarily unique, even in one forest, so the search may find multiple NetBIOS domains with the same name. If this occurs, and a password was supplied, it is used to locate the right identity. If there is still ambiguity or no password was supplied, ACS fails the authentication with an "Ambiguous Identity" error.
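The SAM, UPN, machine and NetBIOS resolution rules above, together with the "identities without a markup" setting from Configure Identity Resolution Settings, as an added simulation that is not ACS code: the two-forest directory (acme.com with EMEA and AMER, trusted with partner.net), the joined domain, the authentication domains, the UPN suffixes and the account passwords are constructed placeholders, and the password comparison only stands in for the check AD performs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    forest: str
    domain: str          # DNS name of the account domain
    netbios: str
    sam: str
    upn: str = ""
    mail: str = ""
    spns: Tuple[str, ...] = ()
    password: str = ""   # constructed secret; the real check happens inside AD, not here


# Constructed directory: forest acme.com (EMEA, AMER) trusted with forest partner.net.
DIRECTORY: List[Account] = [
    Account("acme.com", "emea.acme.com", "EMEA", "jdoe", "jdoe@emea.acme.com",
            "john.doe@acme.com", password="pw-emea"),
    Account("acme.com", "amer.acme.com", "AMER", "jdoe", "jdoe@amer.acme.com", password="pw-amer"),
    Account("acme.com", "amer.acme.com", "AMER", "asmith", "asmith@amer.acme.com", password="pw-as"),
    Account("acme.com", "emea.acme.com", "EMEA", "laptop7$",
            spns=("host/laptop7.emea.acme.com", "host/laptop7"), password="pw-m1"),
    Account("partner.net", "partner.net", "PARTNER", "laptop7$",
            spns=("host/laptop7.partner.net", "host/laptop7"), password="pw-m2"),
]
JOINED_DOMAIN, JOINED_FOREST = "emea.acme.com", "acme.com"
AUTH_DOMAINS = {"emea.acme.com", "amer.acme.com", "partner.net"}
# DNS domain names plus alternative UPN suffixes (acme.com is an alternative suffix here).
UPN_SUFFIXES = {"emea.acme.com", "amer.acme.com", "partner.net", "acme.com"}
FOREST_OF = {a.domain: a.forest for a in DIRECTORY}


def _decide(cands: List[Account], password: Optional[str]) -> Tuple[str, Optional[Account]]:
    """Disambiguate with the password when one was supplied, as the rules above describe."""
    if not cands:
        return "Not Found", None
    if len(cands) == 1:
        return "OK", cands[0]
    if password is None:                      # passwordless protocol such as EAP-TLS
        return "Ambiguous Identity", None
    hits = [a for a in cands if a.password == password]
    return ("OK", hits[0]) if len(hits) == 1 else ("Ambiguous Identity", None)


def resolve(identity: str, password: Optional[str] = None,
            no_markup: str = "joined_forest") -> Tuple[str, Optional[Account]]:
    """no_markup selects the 'identities without a markup' setting:
    'reject', 'joined_forest' (the default), 'all_forests' or 'joined_domain'."""
    ident = identity.lower()
    if ident.startswith("host/"):                                    # machine SPN
        host = ident[len("host/"):]
        if "." in host:                                              # host/machine.domain.com
            forest = FOREST_OF.get(host.split(".", 1)[1])
            cands = [a for a in DIRECTORY if a.forest == forest
                     and ident in (s.lower() for s in a.spns)]
        else:                                                        # host/machine: all forests
            cands = [a for a in DIRECTORY if ident in (s.lower() for s in a.spns)]
        return _decide(cands, password)
    if "\\" in ident:                                                # NetBIOS prefix
        nb, sam = ident.split("\\", 1)
        cands = [a for a in DIRECTORY if a.netbios.lower() == nb and a.sam.lower() == sam]
        return _decide(cands, password)
    if "@" in ident and ident.rsplit("@", 1)[1] in UPN_SUFFIXES:     # UPN or mail attribute
        cands = [a for a in DIRECTORY if ident in (a.upn.lower(), a.mail.lower())]
        return _decide(cands, password)
    # Anything else (including jdoe@gmail.com, whose suffix is not an AD domain) is
    # treated as a name without domain markup and governed by the setting.
    if no_markup == "reject":
        return "Rejected", None
    scope = {
        "joined_domain": {JOINED_DOMAIN},
        "joined_forest": {d for d in AUTH_DOMAINS if FOREST_OF.get(d) == JOINED_FOREST},
        "all_forests": AUTH_DOMAINS,
    }[no_markup]
    cands = [a for a in DIRECTORY if a.domain in scope and a.sam.lower() == ident]
    return _decide(cands, password)


if __name__ == "__main__":
    for ident in ("jdoe", "EMEA\\jdoe", "host/laptop7", "jdoe@gmail.com"):
        print(ident, "->", resolve(ident)[0])
```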

Important Notes:

Note: Cisco recommends that you use a platform with more than 4GB RAM for a deployment that has more than 100,000 devices. ACS runtime crashes when you use a machine with 4GB RAM or less in a deployment that has more than 100,000 devices.

Note: Previous releases of ACS disconnect the Active Directory domain and display the status as "joined but disconnected" in the Active Directory connection details page when you stop the ad-client process manually from the ACS CLI. But in ACS 5.8, when you stop the ad-client process manually from the ACS CLI, ACS disconnects the Active Directory domain and displays the status as "None" in the Active Directory connection details page. If you start the ad-client process again from the ACS CLI, ACS gets connected to the Active Directory domain and displays the status as "joined and connected" in the AD connection details page.

Note: ACS displays the "Invalid Password" error message in ACS Reports for the following scenarios when you authenticate users and administrators against RSA Identity Server or RSA SecurID Server:
1) Invalid Password is entered
2) User is disabled in the external identity store
3) User does not exist in the external identity store

Note: Authentications are not obligated to fail immediately when you disable the ACS account in the Active Directory domain. Authentications can work as long as there are established connections or TGT tickets. Authentications can fail with different errors based on LDAP, Kerberos or RPC, depending upon which connection ACS is using. It also depends on replication between Domain Controllers.

Note: Previous releases of ACS start the adclient process only after joining the Active Directory domain in ACS. But ACS 5.8 starts the adclient process soon after installing it.

Note: In ACS 5.8, you must manually join the Active Directory with ACS after upgrading ACS 5.x to ACS 5.8. See the Installation and Upgrade Guide for Cisco Secure Access Control System for more information on upgrade methods.

Note: The Windows AD account, which joins ACS to the AD domain, can be placed in its own organizational unit (OU). It resides in its own OU either when the account is created or later, with the restriction that the appliance name must match the name of the AD account.

Note: ACS does not support user authentication in AD when a user name is supplied with an alternative UPN suffix configured at the OU level. The authentication works fine if the UPN suffix is configured at the domain level.

Note: Administrators can perform the join or leave operations from the secondary server. When you perform these operations from the secondary server, it affects only the secondary server.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Copyright © 2015-2018, Cisco Systems, Inc. All rights reserved.

Source: https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/ACS-ADIntegration/guide/Active_Directory_Integration_in_ACS_5-8.html

Posted by: AASGetthelatestWorldNews.blogspot.com