How to Configure Remote Agent for Domain Controller Authentication

When ACS Remote Agent for Windows runs on a domain controller and you need to authenticate users with a Windows user database, the additional configuration required varies, depending upon your Windows networking configuration. Some of the subsequent steps are always applicable when the remote agent runs on a domain controller; other steps are required only in certain conditions, as noted at the beginning of the step.

Perform only those steps that always apply and those that apply to your Windows networking configuration:

Step 1 Add CISCO workstation.

To satisfy Windows requirements for authentication requests, ACS must specify the Windows workstation that the user is trying to log in to. Because ACS cannot determine this information from authentication requests that AAA clients send, it uses a generic workstation name for all requests. Use CISCO as the name of the workstation.

In the local domain, and in each trusted domain and child domain that ACS will use to authenticate users, ensure that:

• A computer account named CISCO exists.

• All users that Windows will authenticate have permission to log in to the computer named CISCO.

For more information, see the Microsoft documentation for your operating system.

Step 2 Verify the Server service status.

The remote agent depends on the Server service, which is a standard service in Microsoft Windows. On the computer that is running the remote agent, verify that the Server service is running and that its Startup Type is set to Automatic.

Tip: To configure the Server service, use the local administrator account to log in to the computer that is running ACS. Choose Start > Programs > Administrative Tools > Services. The services appear alphabetically.

For more information, see the Microsoft documentation for your operating system.

Step 3 Verify the NTLM version.

Note: This step is required only if ACS authenticates users who belong to trusted domains or child domains.

ACS supports authentication of Windows credentials by using LAN Manager (LM), NTLM version 1, or NTLM version 2 protocols. LAN Manager is considered the weakest protocol and NTLM version 2 is the strongest. You can support one or more protocols, but must ensure that:

a. Regardless of the version of NTLM that you use, you must configure the LAN Manager Authentication level settings. In the applicable Windows security policy editor, choose Local Policies > Security Options; locate the LAN Manager Authentication Level policy; and set the policy. For example, if you are using LM or NTLM version 1, set it to Send LM & NTLM responses. For information on the various options and NTLM version 2 settings, see the appropriate NTLM authentication-level documentation on the Microsoft website.
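
The following read-only PowerShell check covers the verifiable parts of Steps 1 to 3. It is an added example, not part of the original Cisco procedure. It assumes PowerShell 3.0 or later on the domain controller that hosts the remote agent, and it does not check the logon permissions described in Step 1.

```powershell
# Added example: read-only checks for Steps 1-3. Nothing here changes configuration.
# Assumption: run on the domain controller that hosts the ACS remote agent.

# Step 1: look for a computer account named CISCO in the current domain.
# Repeat in each trusted or child domain that ACS uses to authenticate users.
$searcher = [adsisearcher]'(&(objectCategory=computer)(sAMAccountName=CISCO$))'
$account  = $searcher.FindOne()

# Step 2: the Windows "Server" service has the service name LanmanServer.
$svc = Get-CimInstance Win32_Service -Filter "Name='LanmanServer'"

# Step 3: the LAN Manager Authentication Level policy is stored in this value.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$entry = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$level = if ($entry) { $entry.LmCompatibilityLevel } else { $null }

# Policy names as shown in the Windows security policy editor, indexed by level.
$names = @(
    'Send LM & NTLM responses',
    'Send LM & NTLM - use NTLMv2 session security if negotiated',
    'Send NTLM response only',
    'Send NTLMv2 response only',
    'Send NTLMv2 response only. Refuse LM',
    'Send NTLMv2 response only. Refuse LM & NTLM'
)

$policy = if ($null -eq $level) {
    'not set (operating system default applies)'
} elseif ($level -ge 0 -and $level -lt $names.Count) {
    "$level = $($names[$level])"
} else {
    "$level (unrecognized value)"
}

[pscustomobject]@{
    CiscoComputerAccount = [bool]$account   # expected: True
    ServerServiceState   = $svc.State       # expected: Running
    ServerStartMode      = $svc.StartMode   # expected: Auto
    LmAuthLevel          = $policy          # compare with the protocols ACS must support
} | Format-List
```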

 

 

 


 

  This web is provided "AS IS" with no warranties.
Copyright © 2002-2007 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.