
ACS v5 should be able to query only desired Domain Controllers – Active Directory/DNS Workaround

11/08/12

03:38:21 pm, by Brandon Culler
Categories: Cisco Security, Cisco ACS

Background:
Currently in ACS 5.x, ACS queries DNS in order to get a list of all the Domain Controllers in the domain.

In a typical Enterprise deployment, it would be common to have a Domain Controller at each local site. More than likely, ACS will be located in datacenters geographically distributed around the globe. The goal is to have ACS authenticate against the local Domain Controller in the same Datacenter.


Issues:

ACS uses DNS to determine which Domain Controller to authenticate each attempt against. This default behavior will result in ACS authenticating against every Domain Controller in your environment, not just the local one. See Cisco Bug ID CSCte92062 for additional details.

Example Config

Sample ACS configuration:

  Hostname = CLT0-ACS01
  IP Address = 192.168.1.10
  Subnet Mask = 255.255.255.0
  Default Gateway = 192.168.1.1

Sample sites:

  Charlotte, NC (site CLT0, where the ACS is located) - Domain Controller: CLT0DC01
  Redditch, UK (site BHX0) - Domain Controller: BHX0DC01


Validation: Pre-Change

To perform the next set of tests, you must be running a minimum code release of 5.4.0.46. From the CLI, issue the following command: acs troubleshoot adinfo -a

  CLT0-ACS01/admin# acs troubleshoot adinfo -a
  This command is only for advanced troubleshooting and may incur a lot of network traffic
  Do you want to continue?  (yes/no) yes
  Local host name:   CLT0-ACS01
  Joined to domain:  demo.local
  Joined as:         CLT0-ACS01.demo.local
  Pre-win2K name:    CLT0-ACS01
  Current DC:        BHX0DC01.demo.local  (this Domain Controller was in Europe; this ACS is in Charlotte, NC)
  Preferred site:    <unavailable>
  Subnet site:
  Warning! Unable to locate computer's subnet site in Active Directory.
  Please advise your system administrator.
  Zone:              NULL
  Last password set: 2012-10-17 10:58:48 EDT
  CentrifyDC mode:   connected
  Licensed Features: Enabled

Workaround:


Step 1:

In Active Directory: Sites & Services -> Subnets: You will need to create a "subnet" in which each ACS resides.


Step 2:

In Active Directory: Sites & Services -> Sites: You will need to map that same subnet to the appropriate "site". This should be the site whose desired/local Domain Controllers you want ACS to authenticate against.


Step 3:

After you have allowed enough time for replication, Disjoin & Rejoin ACS to the Domain. This step will rejoin ACS to the appropriate Domain Controller.

Applied to the sample configuration above, Steps 1 and 2 are:

· Create a subnet: 192.168.1.0/24

· Edit the CLT0 Site & Add the Subnet: 192.168.1.0/24
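The same three steps from the AD side, as an added PowerShell example that is not part of the original post: it creates or re-points the subnet object idempotently, then resolves the ACS address to a site the way the DC locator does (longest matching subnet) and discovers a DC in that site, so the mapping can be checked before the disjoin/rejoin. It assumes the RSAT ActiveDirectory module and rights to edit Sites & Services; domain, subnet, site and addresses are the post's sample values.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Domain     = 'demo.local'
$SubnetCidr = '192.168.1.0/24'   # subnet CLT0-ACS01 (192.168.1.10) lives in
$SiteName   = 'CLT0'             # site whose DC (CLT0DC01) ACS should use

# Steps 1 and 2: create the subnet if missing, and make sure it points at the site.
$subnet = Get-ADReplicationSubnet -Identity $SubnetCidr -ErrorAction SilentlyContinue
if (-not $subnet) {
    New-ADReplicationSubnet -Name $SubnetCidr -Site $SiteName -Location 'Charlotte, NC'
} elseif (-not $subnet.Site -or $subnet.Site -notmatch "^CN=$SiteName,") {
    # Subnet exists but is unmapped or mapped to another site (Site is a DN).
    Set-ADReplicationSubnet -Identity $SubnetCidr -Site $SiteName
}

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                 # network byte order -> host order
    [BitConverter]::ToUInt32($b, 0)
}

# Longest-prefix match of an IPv4 address against every subnet object in AD,
# which is how the DC locator assigns a client to a site.
function Get-SiteForAddress ([string]$IPAddress) {
    $addr = ConvertTo-UInt32 $IPAddress
    $best = $null
    foreach ($s in Get-ADReplicationSubnet -Filter * -Properties Site) {
        if ($s.Name -notmatch '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') { continue }  # IPv4 only
        $len  = [int]$Matches[2]
        $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF)
        if (((ConvertTo-UInt32 $Matches[1]) -band $mask) -ne ($addr -band $mask)) { continue }
        if ($null -eq $best -or $len -gt $best.Len) {
            $best = [pscustomobject]@{ Subnet = $s.Name; Len = $len
                                       Site = ($s.Site -replace '^CN=([^,]+),.*', '$1') }
        }
    }
    $best
}

# Step 3 pre-check: confirm the ACS address now resolves to CLT0 before rejoining.
$hit = Get-SiteForAddress '192.168.1.10'
if (-not $hit) {
    Write-Warning 'No AD subnet covers the ACS address; adinfo will keep showing Preferred site <unavailable>'
    return
}
"ACS address falls in $($hit.Subnet) -> site $($hit.Site)"
# Expect CLT0DC01.demo.local; a remote DC here means the site has no DC and site coverage applies.
Get-ADDomainController -Discover -DomainName $Domain -SiteName $hit.Site -ForceDiscover |
    Select-Object HostName, Site
```

This only validates the AD side of the mapping; the post-change acs troubleshoot adinfo -a run after the rejoin remains the authoritative check of what ACS itself selected.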


Validation Post Change:

From the CLI, issue the following command: acs troubleshoot adinfo -a

  CLT0-ACS01/admin# acs troubleshoot adinfo -a
  This command is only for advanced troubleshooting and may incur a lot of network traffic
  Do you want to continue?  (yes/no) yes
  Local host name:   CLT0-ACS01
  Joined to domain:  demo.local
  Joined as:         CLT0-ACS01.demo.local
  Pre-win2K name:    CLT0-ACS01
  Current DC:        CLT0DC01.demo.local  (this Domain Controller is in the Charlotte Datacenter)
  Preferred site:    CLT0  (the correct site this server is mapped to in AD Sites & Services)
  Zone:              NULL
  Last password set: 2012-10-17 10:58:48 EDT
  CentrifyDC mode:   connected
  Licensed Features: Enabled


Conclusion:

By utilizing AD Sites & Services, we are able to have ACS authenticate against the desired Domain Controller(s).

Please note: Cisco ISE also uses DNS in order to get a list of all the Domain Controllers in the domain and then authenticates against all of them. The same concept of utilizing AD Sites & Services will ensure Cisco ISE authenticates against the desired Domain Controller vs. any random Domain Controller in the environment.

Priveon, Inc.
