Download Cisco Secure ACS Agent
If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems related to failed Cisco Secure ACS authentication attempts.
To the user account you create, grant "Read all properties" permission for all Active Directory folders containing users that Cisco Secure ACS must be able to authenticate. Granting permissions for Active Directory folders is done by accessing Active Directory using the Microsoft Management Console and configuring the security properties for the folders containing users who are to be authenticated by Cisco Secure ACS.
Tip You can access the security properties of an Active Directory folder containing users by right-clicking the folder, selecting Properties, and clicking the Security tab. Click Add to include the username. For more information, see Windows Server Active Directory.
Step 5 Configure Local Security Policies. For the user account created in the preceding step, add the user to the following local security policies: Act as part of the operating system, and Log on as a service. For more information, see Configuring Local Security Policies. Step 6 Configure Services. Configure the remote agent service to run as the user you added to the security policies in the preceding step. For more information, see Configuring the Remote Agent Service. Especially for authentication of users in Active Directory, the remote agent needs DNS to operate correctly on your network.
If you configure such features using hostnames rather than IP addresses and DNS does not operate correctly, those features may fail, as would authentication requests sent to Active Directory.
On the domain controller running the remote agent, configure the network connection that the remote agent uses so that the network connection lists each trusted and child domain as a DNS suffix. Note Only perform this step if, after performing the preceding steps, Windows authentication and group mapping for users who belong to trusted domains or child domains are unreliable. As a final means of ensuring communication with other domain controllers, on the domain controller running the remote agent, configure an LMHOSTS file to include entries for each domain controller of a trusted or child domain containing users whom Cisco Secure ACS needs to authenticate.
When the remote agent runs on a member server and you need to authenticate users with a Windows user database, the additional configuration required varies, depending upon your Windows networking configuration. Most of the steps below are always applicable when the remote agent runs on a member server; other steps are required only in certain conditions, as noted at the beginning of the step.
Step 1 Verify Domain Membership. One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users. While this may seem obvious, we recommend that you verify that the computer running the remote agent is a member server of the correct domain.
Tip To determine domain membership of a computer, on the Windows desktop, right-click My Computer, select Properties, select the Network Identification tab, and read the information provided on that tab. If the computer running the remote agent is not a member of the domain that your deployment plans require, correct this before continuing this procedure.
Step 3 Verify Server Service Status. Step 5 Create User Account. Tip If you have uninstalled and reinstalled the remote agent and you completed this item previously, it is required only if you want to use a different user account to run the remote agent service.
Step 6 Configure Local Security Policies. To the user account created in the preceding step, add the user to the following local security policies: Act as part of the operating system, and Log on as a service. Step 7 Configure Services. On the member server running the remote agent, configure the network connection that the remote agent uses so that the network connection lists each domain as a DNS suffix.
Note Only perform this step if, after performing the preceding steps, Windows authentication and group mapping are unreliable. As a final means of ensuring communication with domain controllers, on the member server running the remote agent, configure an LMHOSTS file to include entries for each domain controller containing users that Cisco Secure ACS needs to authenticate. This includes domain controllers of child domains. You should have already created a user account that you intend to use to run the remote agent service.
For full configuration requirements, see the applicable procedure: Configuring for Member Server Authentication or Configuring for Domain Controller Authentication.
Step 1 Using the local administrator account, log in to the computer running the remote agent. The Local Security Settings window displays a list of policies with associated settings. The two policies that you must configure are Act as part of the operating system, and Log on as a service. Step 4 For the Act as part of the operating system policy and again for the Log on as a service policy, follow these steps: Double-click the policy name. The domain of the domain controller that is running the remote agent must contain a domain user account that you can use to run the remote agent service as explained in subsequent steps of this procedure.
For more information on creating a domain user account, see the Microsoft website. If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems with failed ACS authentication attempts. To the user account that you create, grant Read all properties permission for all AD folders containing users that ACS must authenticate. Step 6 Configure local security policies. To the user account that you created in the preceding step, add the user to the following local security policies: Act as part of the operating system, and Log on as a service.
Step 7 Configure services. Click the WINS tab. Step 9 Ensure DNS operation. If you configure such features by using hostnames rather than IP addresses, and DNS does not operate correctly, those features might fail, as would authentication requests that are sent to AD. Step 10 Specify DNS suffixes. On the member server that is running the remote agent, configure the network connection that the remote agent uses so that the network connection lists each domain as a DNS suffix:
If ACS must authenticate users belonging to a trusted or child domain, and if the remote agent cannot rely on DNS to contact the domain controllers in those domains, you must enable WINS on your network. Note Only perform this step if, after performing the preceding steps, Windows authentication and group mapping are unreliable. As a final means of ensuring communication with domain controllers, on the member server that is running the remote agent, configure an LMHOSTS file to include entries for each domain controller containing users that ACS must authenticate.
You should also include domain controllers of child domains. This procedure is required only if one of the following conditions is true. The remote agent runs on a: You should have already created a user account that you intend to use to run the remote agent. For full configuration requirements, see the applicable procedure: Configuring for Member Server Authentication or Configuring for Domain Controller Authentication.
Step 1 By using the local administrator account, log in to the computer that is running ACS. The Local Security Settings window displays a list of policies with associated settings. You must configure these two policies: Act as part of the operating system, and Log on as a service. Step 4 For the Act as part of the operating system policy and the Log on as a service policy: Double-click the policy name. Click Add. In the box below the Add button, enter the username for the user account.
Note The username must be in domain-qualified format. Click Check Names. The username must exist in the domain specified in c. Click OK. Windows verifies the existence of the username in c. The Enter Network Password dialog box closes.
The Local Policy Setting dialog box closes. The domain-qualified username specified in c. Verify that the username that is specified in c. If it does not, repeat these steps. Tip To see the username that you added, you might have to widen the Local Setting column. Note The Effective Setting column does not dynamically update.
This procedure includes subsequent verification steps for ensuring that the Effective Setting column contains the required information. After you configure the Act as part of the operating system policy and the Log on as a service policy, the user account appears in the Local Setting column for the policy that you configured.
Step 5 Verify that the security policy settings that you changed are in effect on the computer that is running ACS: Close the Local Security Settings window.
To refresh the information in the Effective Setting column, close the window. Open the Local Security Settings window again. The Local Security Settings window displays an updated list of policies with their associated settings. For the Act as part of the operating system policy and again for the Log on as a service policy, verify that the username that you added to the policy appears in the Effective Setting column.
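One way to automate the verification in Step 5, as an added example that is not part of the Cisco documentation: it exports the local security database with secedit and checks that the account holds both rights, assuming an elevated PowerShell session and using a placeholder account name.

```powershell
# Added example, not from the Cisco documentation: confirm that the remote agent
# account holds the two user rights this procedure assigns. secedit exports the
# policy as currently applied on this host, so a right removed by a conflicting
# domain policy shows up as a missing entry. Run elevated; $Account is a placeholder.
param(
    [string] $Account = 'EXAMPLE\ACSuser'   # placeholder domain-qualified account
)

# The export uses the rights' constant names rather than the GUI display names.
$Required = @{
    'SeTcbPrivilege'      = 'Act as part of the operating system'
    'SeServiceLogonRight' = 'Log on as a service'
}

# secedit lists holders as SIDs prefixed with '*', so resolve the account to its SID.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

$missing = @()
foreach ($right in $Required.Keys) {
    # Entry shape: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1104
    $entry = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($entry) {
        $holders = ($entry -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }
    if ($holders -contains $sid -or $holders -contains $Account) {
        Write-Host ("present: {0} ({1})" -f $Required[$right], $right)
    } else {
        Write-Host ("MISSING: {0} ({1})" -f $Required[$right], $right)
        $missing += $right
    }
}

if ($missing.Count -gt 0) {
    Write-Warning "$Account lacks $($missing -join ', '); if it was added locally, a domain policy may be overriding the local setting."
    exit 1
}
Write-Host "$Account holds both rights required to run the remote agent service."
```

Act as part of the operating system (SeTcbPrivilege) is one of the most powerful rights on a Windows host, so keep this account dedicated to the agent service and review any other holders the export lists for that right.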
Note If the username that you configured in the policies does not appear in the Effective Setting column for both policies, the security policy settings on the domain controller might conflict with the local setting. Press Enter. Note If you enter a hostname, be sure that DNS is operating correctly or that the appliance hostname is in the local hosts file.
Tip You can edit the IP address or hostname of the configuration provider after completing the installation. For more information, see Configuring a Remote Agent. Step 10 Do one of the following, depending on what format you want to use for the: The installation script records your log format selection in the CSAgent. The following message and prompt appear: Step 11 To continue with the installation, enter Y, and press Enter.
Note If you enter N, the installation exits and the remote agent software is not installed. Note The installation provides a default configuration, including specifying the configuration provider; however, you may want to configure the ports on which the remote agent communicates with the configuration provider and other ACS SEs.
Note Uninstalling a Solaris remote agent requires root privileges or permission to use the sudo command. Step 1 On the Solaris server running the remote agent, log in as root. Tip Give the user account an easily recognizable name, such as ACSuser. If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems that are related to failed ACS authentication attempts.
To the user account that you create, grant Read all properties permission for all Active Directory folders containing users that ACS must be able to authenticate.
To grant permission for Active Directory folders, access Active Directory from the Microsoft Management Console and configure the security properties for the folders that contain users whom ACS will authenticate. Tip You can access the security properties of an Active Directory folder of users by right-clicking the folder, selecting Properties, and choosing the Security tab.
Click Add to include the username. For more information, see Windows Server Active Directory. Step 5 Configure Local Security policies. Tip If you have upgraded or reinstalled the remote agent and you completed this step for the previous installation, it is required only if you want to use a different user account to run the remote agent service.
For the user account that you created in the preceding step, add the user to the following local security policies: Act as part of the operating system, and Log on as a service. For more information, see Configuring Local Security Policies. Step 6 Configure services. Configure the remote agent service to run as the user that you added to the security policies in the preceding step. For more information, see Configuring the Remote Agent Service. Click the WINS tab. Step 8 Ensure DNS operation.
Especially for authentication of users in Active Directory, the remote agent needs DNS to operate correctly on your network. If you configure such features by using hostnames, rather than IP addresses, and DNS does not operate correctly, those features might fail, as would authentication requests that are sent to Active Directory.
Step 9 Specify DNS suffixes. On the domain controller that is running the remote agent, configure the network connection that the remote agent uses so that the network connection lists each trusted and child domain as a DNS suffix:
Choose the DNS tab. Configure the Append these DNS suffixes list, as applicable. You must enable WINS on your network if ACS must authenticate users belonging to a trusted or child domain, and if the remote agent cannot rely on DNS to contact the domain controllers in those domains.
Note Only perform this step if, after performing the preceding steps, Windows authentication and group mapping for users who belong to trusted domains or child domains are unreliable. As a final means of ensuring communication with other domain controllers, on the domain controller that is running ACS, configure an LMHOSTS file to include entries for each domain controller of a trusted or child domain containing users whom ACS must authenticate.
When the remote agent runs on a member server and you must authenticate users with a Windows user database, the additional configuration that is required varies, depending on your Windows networking configuration.
Most of the following steps are always applicable when the remote agent runs on a member server; other steps are required only in certain conditions, as noted at the beginning of the step. Perform only those steps that always apply and that apply to your Windows networking configuration. Step 1 Verify domain membership. One common configuration error that prevents Windows authentication is the erroneous assignment of the member server to a workgroup with the same name as the Windows domain that you want to use to authenticate users.
While this error might seem obvious, verify that the computer running the remote agent is a member server of the correct domain. If the computer that is running the remote agent is not a member of the domain that your deployment plans require, correct this situation before continuing the procedure. To satisfy Windows requirements for authentication requests, ACS must specify the Windows workstation to which the user is attempting to log on.
Step 3 Verify the server service status. The ACS authentication service depends on the server service, which is a standard service in Microsoft Windows. On the computer that is running the remote agent, verify that the server service is running and that its Startup Type is set to Automatic.
No changes are required on ACS, only Windows. In addition to the setting in step a, if you use NTLM version 2 you must also ensure that:
Step 5 Create a user account. Tip If you have upgraded or reinstalled the remote agent and you completed this item previously, this step is required only if you want to use a different user account to run the remote agent service.
The domain of the domain controller that is running the remote agent must contain a domain user account that you can use to run the remote agent service as explained in subsequent steps of this procedure. If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems with failed ACS authentication attempts. To grant permission for Active Directory folders, access Active Directory by using the Microsoft Management Console and configure the security properties for the folders that contain users whom ACS will authenticate.
Step 6 Configure local security policies. To the user account that you created in the preceding step, add the user to the following local security policies: Act as part of the operating system, and Log on as a service.
Step 7 Configure services. Step 9 Ensure DNS operation.
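To check the always-applicable items of the member server procedure in one pass (Steps 1, 3, 7 and 10 as numbered above, and the earlier copy of the same procedure), here is an added PowerShell script that is not part of the Cisco documentation; the service name, account and domain names are placeholders you supply.

```powershell
# Added example, not from the Cisco documentation: pre-flight check for a member
# server that will run the ACS remote agent, covering the steps above. Placeholders:
# $ServiceName (assumed agent service name), $Account and $Domains.
param(
    [string]   $ServiceName = 'CSAgent',                            # assumed name
    [string]   $Account     = 'EXAMPLE\ACSuser',                    # placeholder
    [string[]] $Domains     = @('example.local', 'child.example.local')  # placeholders
)
$problems = @()

# Step 1: a workgroup with the same name as the domain is not domain membership;
# Win32_ComputerSystem reports that case as PartOfDomain = False.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $problems += "Host is in workgroup '$($cs.Workgroup)', not joined to a domain."
} elseif ($Domains -notcontains $cs.Domain) {
    $problems += "Host is joined to '$($cs.Domain)', not one of the expected domains."
}

# Step 3: the Server service (LanmanServer) must be running with Startup Type Automatic.
$srv = Get-CimInstance -ClassName Win32_Service -Filter "Name='LanmanServer'"
if ($srv.State -ne 'Running' -or $srv.StartMode -ne 'Auto') {
    $problems += "Server service is $($srv.State) with StartMode $($srv.StartMode)."
}

# Step 7: the agent service must run as the account that was granted the user rights.
$agent = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $agent) {
    $problems += "Service '$ServiceName' was not found."
} elseif ($agent.StartName -ne $Account) {
    $problems += "Service '$ServiceName' runs as '$($agent.StartName)', expected '$Account'."
}

# Step 10: every domain to authenticate should appear in the DNS suffix search list.
# The 'Append these DNS suffixes' list is stored comma-separated in the Tcpip SearchList value.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffixes = ((Get-ItemProperty -Path $tcpip).SearchList -split ',') | ForEach-Object { $_.Trim() }
foreach ($d in $Domains) {
    if ($suffixes -notcontains $d) {
        $problems += "DNS suffix '$d' is not in the suffix search list."
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Member server checks passed; remaining steps (WINS, LMHOSTS) are manual.'
```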