Cisco ACS 4.2 Unknown User Policy and Windows AD Integration Authentication Example

 

 

Table of Contents



1.1.      Introduction to Unknown user policy
1.2.      General Authentication of Unknown Users
1.3.      Windows Authentication of Unknown Users
1.4.      Unknown User Policy Options
1.5.      Configuration example for Cisco ACS 4.2 authenticating Wi-Fi users to Windows AD
1.6.      Cisco Remote agent installation as shown by this link
1.7.      Post-installation tasks for the Remote Agent can be found on the Cisco site here
1.8.      Adding that remote agent host in the Cisco ACS 4.2
1.9.      Selecting Policy for querying unknown users
1.10.        Some common error messages and their resolutions

 

Introduction to Cisco ACS Unknown user policy


 

The extracts below are taken from Cisco's website and describe the different options available for Unknown User Authentication.
The Unknown User Policy is a form of authentication forwarding. In essence, this feature is an extra step in the authentication process. If a username does not exist in the ACS internal database, ACS forwards the authentication request of an incoming username and password to external databases with which it is configured to communicate. The external database must support the authentication protocol used in the authentication request.
The Unknown User Policy enables ACS to use a variety of external databases to attempt authentication of unknown users. This feature provides the foundation for a basic single sign-on capability through ACS. Because external user databases handle the incoming authentication requests, you do not have to maintain the credentials of users within ACS, such as passwords. This eliminates the necessity of entering every user multiple times and prevents data-entry errors inherent to manual procedures.

 

General Authentication of Unknown Users


 

If you have configured the Unknown User Policy in ACS, ACS attempts to authenticate unknown users as follows:
1. ACS checks its internal user database. If the user exists in the ACS internal database (that is, it is a known or discovered user), ACS tries to authenticate the user with the authentication protocol of the request and the database that is specified in the user account. Authentication passes or fails.
2. If the user does not exist in the ACS internal database (that is, it is an unknown user), ACS tries each external user database that supports the authentication protocol of the request, in the order that the Selected Databases list specifies. If authentication with one of the external user databases passes, ACS automatically adds the user to the ACS internal database, with a pointer to use the external user database that succeeded on this authentication attempt. Users who are added by unknown user authentication are flagged as such within the ACS internal database and are called discovered users.
The next time the discovered user tries to authenticate, ACS authenticates the user against the database that was successful the first time. Discovered users are treated the same as known users.
3. If the unknown user fails authentication with all configured external databases, the user is not added to the ACS internal database and the authentication fails.

 

Windows Authentication of Unknown Users


 

Because the same username can recur across the trusted Windows domains against which ACS authenticates users, ACS treats authentication with a Windows user database as a special case.
To perform authentication, ACS communicates with the Windows operating system of the computer that is running ACS. Windows uses its built-in facilities to forward the authentication requests to the appropriate domain controller.

 

Unknown User Policy Options


 

On the Configure Unknown User Policy page, you can specify what ACS does for unknown user authentication. The options for configuring the Unknown User Policy are:
Fail the attempt—Disables unknown user authentication; therefore, ACS rejects authentication requests for users whom the ACS internal database does not contain. Selecting this option excludes the use of the Check the following external user databases option.
Check the following external user databases—Enables unknown user authentication; therefore, ACS uses the databases in the Selected Databases list to provide unknown user authentication.
Selecting this option excludes the use of the Fail the attempt option.
External Databases—Of the databases that you have configured in the External User Databases section, lists the databases that ACS does not use during unknown user authentication.
Selected Databases—Of the databases that you have configured in the External User Databases section, lists the databases that ACS does use during unknown user authentication. ACS attempts the requested service—authentication—by using the selected databases one at a time in the order that you specified. For more information about the significance of the order of selected databases
Configure Enable Password Behavior—Determines the initial TACACS+ Enable Password setting in the Advanced TACACS+ Settings section of newly created dynamic users.
If The Internal database is selected, the TACACS+ Enable Password setting of a new dynamic user is set to Use Separate Password; edit the TACACS+ Enable Password for that user before TACACS+ enable authentications can succeed.
If The database in which the user profile is held is selected, the TACACS+ Enable Password setting of a new dynamic user is set to Use External Database Password, and the database that correctly authenticated the user is selected in the selection box on the user record. This setting only affects the initial configuration of the new dynamic user; once ACS has cached the user, you can override the TACACS+ Enable Password setting on the user record. Note that with Use External Database Password the user's AD password also unlocks TACACS+ enable mode on the network devices, so this choice is a security decision and not just a convenience.
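The lookup order described under General Authentication of Unknown Users, together with the Fail the attempt and Check the following external user databases options above, can be modelled in a few lines. The Python below is an added example written for this page, not Cisco's code or the ACS implementation; the database names, protocol sets, usernames and passwords are constructed sample data. It shows two things the prose only states: ACS skips a selected database that cannot service the request's protocol, and a discovered user is pinned to the database that first succeeded, so a later attempt with the same username is no longer tried against the other databases.

```python
"""Model of the ACS 4.2 Unknown User Policy decision order.

Added illustration for this page, not Cisco's code: the database names,
protocol sets, usernames and passwords are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class ExternalDb:
    name: str
    protocols: frozenset            # authentication protocols this DB can service
    users: dict                     # username -> password (constructed sample data)

    def authenticate(self, user, password):
        return self.users.get(user) == password


@dataclass
class Acs:
    external: dict = field(default_factory=dict)    # name -> ExternalDb (External User Databases)
    selected: list = field(default_factory=list)    # ordered "Selected Databases" list (names)
    internal: dict = field(default_factory=dict)    # known users held in the ACS internal DB
    discovered: dict = field(default_factory=dict)  # discovered user -> DB that first succeeded
    check_external: bool = True                     # False models "Fail the attempt"

    def authenticate(self, user, password, protocol):
        """Return (database_used, passed)."""
        # Step 1: a known user in the internal DB, or a discovered user pinned
        # to the external DB that succeeded on the first attempt.
        if user in self.internal:
            return "internal", self.internal[user] == password
        if user in self.discovered:
            db = self.external[self.discovered[user]]
            if protocol not in db.protocols:
                return db.name, False    # "Authentication type not supported by External DB"
            return db.name, db.authenticate(user, password)
        # Step 2: unknown user. "Fail the attempt" rejects it outright.
        if not self.check_external:
            return None, False
        for name in self.selected:
            db = self.external[name]
            if protocol not in db.protocols:
                continue                 # ACS only tries DBs that support the request's protocol
            if db.authenticate(user, password):
                self.discovered[user] = name   # cached as a discovered user, pinned to this DB
                return name, True
        # Step 3: failed against every selected DB: nothing is cached.
        return None, False


def build_sample_acs():
    """ACS with an LDAP store ahead of a Windows domain in the selected list,
    and the same username 'alice' present in both with different passwords."""
    acs = Acs(check_external=True)
    acs.external["LDAP"] = ExternalDb("LDAP", frozenset({"PAP"}),
                                      {"alice": "ldap-pw", "bob": "bob-pw"})
    acs.external["Windows"] = ExternalDb("Windows", frozenset({"PAP", "MS-CHAPv2", "PEAP"}),
                                         {"alice": "win-pw", "carol": "carol-pw"})
    acs.selected = ["LDAP", "Windows"]
    acs.internal["admin"] = "local-pw"
    return acs


if __name__ == "__main__":
    acs = build_sample_acs()
    print(acs.authenticate("alice", "win-pw", "PAP"))      # LDAP rejects, Windows passes
    print(acs.authenticate("alice", "ldap-pw", "PAP"))     # now pinned to Windows, so refused
    print(acs.authenticate("bob", "bob-pw", "MS-CHAPv2"))  # LDAP skipped: no MS-CHAPv2 support
    print(acs.discovered)
```

The sample deliberately puts the same username in both external stores: once alice has been discovered through the Windows database, her LDAP password is refused even though LDAP is first in the list, which is exactly the same-username-in-several-domains situation that the Windows special case above exists to handle.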

 

 

So much for the theory; in practice things look a little different, as shown in the configuration example below.

Configuration example for Cisco ACS 4.2 authenticating Wi-Fi users to Windows AD


 

Cisco Remote agent installation as shown by this link


 

In order for the Cisco ACS server to communicate successfully with the Windows domain, a small piece of software called the Cisco Remote Agent is required (ACS for Windows can use the domain membership of its own host, but the appliance-based ACS Solution Engine has no such membership and relies on the agent). It can be downloaded from Cisco's website or is shipped on your Cisco ACS CD. Make sure you install it on a machine that is a member of the domain you want to query, and point it to your Cisco ACS server during installation.
Also make sure that you have valid domain credentials for the installation; domain administrator privileges are usually required in order to start the services and run certain batch jobs in the background. The print screens below show the specific rights the agent's account ends up needing, so use a dedicated account rather than a personal administrator login.

 

Post-installation tasks for the Remote Agent can be found on the Cisco site here


 

The print screens below walk through that lengthy document with a little more visual detail for those of us who are not intimately familiar with the Windows environment.

 

The print screen below shows that the account used to install the agent has the privileges on the box to start the ACS services after a restart.

cisco-acs-logon-account



The print screen below shows the security policy that has to be changed on the machine so that it sends LM & NTLM responses (the "Network security: LAN Manager authentication level" setting). This is an operational requirement of the ACS remote agent. If the machine belongs to an AD domain and has a security policy pushed to it automatically, you need to exclude the machine where the remote agent is installed from that policy so that you can modify this particular setting. Be aware that this level allows the host to send the weak LM response, so apply it only to the agent host and never domain-wide.


cisco-acs-ad-security-privileges

 

The print screen below shows the user right that must be assigned to the agent account so that it can log on as a service.

 

cisco-acs-ad-security-privileges1


The print screen below shows the user right the ACS remote agent needs in order to act as part of the operating system. This right is effectively SYSTEM-level power on the box, which is another reason to run the agent under a dedicated account.

 

cisco-acs-ad-security-privileges2

 

The print screen below shows the user right needed for the remote agent to log on as a batch job.

 

cisco-acs-ad-security-privileges3
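The LAN Manager setting and the three user rights in the print screens above can be checked from the command line instead of by eye. The Python below is an added example written for this page, not Cisco's code: it parses the text that secedit /export /cfg produces on the agent host (the INF text here is constructed sample data), looks up the rights in the [Privilege Rights] section for the agent's logon account (the SID is hypothetical) and interprets the LmCompatibilityLevel registry value that backs the "Network security: LAN Manager authentication level" policy.

```python
"""Check an ACS Remote Agent host's local security policy offline.

Added example for this page, not Cisco's code. On the agent host run
    secedit /export /cfg C:\\acs-policy.inf
    reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v LmCompatibilityLevel
and pass the exported text (secedit writes UTF-16, so read the file with
encoding="utf-16") and the DWORD value to check_agent_host().
"""

# User rights the agent logon account needs, keyed by the name secedit uses.
REQUIRED_RIGHTS = {
    "SeServiceLogonRight": "Log on as a service",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeBatchLogonRight": "Log on as a batch job",
}

# Meaning of LmCompatibilityLevel. The agent needs "Send LM & NTLM responses"
# (0); every higher level stops the host from sending the LM response.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}

# Constructed sample of a secedit export: the agent account holds two of the
# three rights. The S-1-5-21-... SID is hypothetical.
AGENT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,*S-1-5-80-0,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Map each privilege in [Privilege Rights] to the set of its holders.
    secedit writes SIDs with a leading '*' and plain account names without."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights


def check_agent_host(inf_text, account_sid, lm_level):
    """Return the list of deviations from the settings the agent needs;
    an empty list means the host matches the install guide."""
    findings = []
    rights = parse_privilege_rights(inf_text)
    for priv, label in REQUIRED_RIGHTS.items():
        if "*" + account_sid not in rights.get(priv, set()):
            findings.append(f"{label} ({priv}) is not granted to {account_sid}")
    if lm_level != 0:
        findings.append(
            f"LmCompatibilityLevel={lm_level} ({LM_LEVELS.get(lm_level, 'unknown')}) "
            "but the agent needs 0 (Send LM & NTLM responses)")
    return findings


if __name__ == "__main__":
    for finding in check_agent_host(SAMPLE_INF, AGENT_SID, lm_level=3):
        print("FINDING:", finding)
```

Run against the sample it reports the missing batch logon right and the NTLMv2-only level. Read the findings as "exactly these rights, on exactly this host, for a dedicated account": Act as part of the operating system is SYSTEM-equivalent and level 0 re-enables the weak LM response, so neither should be granted any more widely than the agent host requires.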


The end result is that you should see the remote agent logs showing successful queries to AD, as below. That only happens after completing the whole document and having some users test their Active Directory credentials, either by logging on to some TACACS+ devices or by using their Wi-Fi connection.


cisco-remote-agent-successfult-authentication-logs

 

Adding that remote agent host in the Cisco ACS 4.2


 

It is important to note that the available services must come up with a Windows icon, which confirms that the agent has been installed correctly, is plugged into AD properly and is able to query AD.

adding-remote-agent-on-cisco-acs

 

Selecting Policy for querying unknown users


 

 

configuring policy for unknown users

 

configuring Policy for querying unknown users1

 

 

configuring Policy for querying unknown users2

 

configuring Policy for querying unknown users3

 

windows remote agent selection cisco acs

 

external user authentication selection

 

 

Some common error messages and their resolutions


 

Any error in the Failed Attempts report whose message starts with "External DB" points to a problem with external database authentication; the database can be Windows, LDAP, ODBC or something else.

Common error messages:

  • Authentication type not supported by External DB

 

Solution: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K24308566

  • External DB account Restriction

 

Solution: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19031787

  • ACS External DB is not operational

This mostly happens on the ACS Solution Engine when there are problems with the remote agent, or on ACS for Windows when the ACS machine is not a member of the domain.

  • External DB user invalid or bad password

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K65242111

The following messages are output when ACS cannot reach Active Directory:

"External DB user invalid or bad password" and "Internal Error"

 

Recommended Reading


 

  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens
