Cisco Active Directory Agent Installation / Setup

Guide, release 1.0

2011 Year 12 Month 13 Day

Text Part Number: OL-25134-01-J

[Caution] Before using Cisco products, please read the following safety precautions.
Please check ( www.cisco.com/jp/go/safety_warning/ ).
 This document is a reference Japanese translation of a document published by Cisco in
the United States. Regarding link information, at the time the Japanese version was
published, the English version had been updated and the linked page had moved. / subject
to change
Thank you for your understanding.
This is a Japanese translation for reference only, so please refer to the document on
the US site for the official content.

Also, please check with our sales partner or our representative regarding the
description of the contract, etc.

The specifications and product information contained in this manual are subject to change without notice. All representations, information, and
recommendations contained in this manual are believed to be accurate, but without warranties of any kind, express or implied. Use of the products described
in this manual is solely at the user's own risk.

Target product software The license and limited warranty are set forth in the Information Packet accompanying the product . If it is not attached, please contact
your agent.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain
version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENTATION AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED ``AS IS'' WITH ALL FAULTS. CISCO AND THE ABOVE-
NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. shall not be liable for any warranties provided.
In no event shall Cisco or its suppliers be liable for any indirect, consequential, incidental, or special damages, including but not limited to lost
profits or damage to data, arising out of the use of or inability to use this document. In no event shall Cisco or its suppliers be liable to you even if
Cisco or its suppliers have been advised of the possibility.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the US and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)

The IP addresses used in this manual do not represent actual addresses. Examples, command output, and illustrations in the documentation are for illustrative
purposes only. Any use of actual addresses in illustrative content is unintentional and coincidental.

Cisco Active Directory Agent Installation / Setup Guide, release 1.0

Copyright © 2011 Cisco Systems, Inc.
All rights reserved.

Copyright © 2011–2012, Cisco Systems LLC .

All rights reserved.

CONTENTS

Introduction iii
Target audience
iii
Manual organization iv
Notation iv
Latest information on the manual
Related materials
Manuals for this release v Other related manuals
v
Notice vi
How to obtain manuals and technical information supportvi _

CHAPTER 1 Overview of Cisco Active Directory Agent 1-1

Client device 1-2
 Active Directory Domain controller machine 1-3
Syslog server 1-4

CHAPTER 2 Installing and configuring Active Directory Agent 2-1

Requirement 2-1
Hardware requirements 2-2
Connection requirements 2-2
Windows Firewall exception 2-3 separate Active Directory domain that
must be configured on AD Agent machine controller Must be configured
on the machine
Windows Firewall exception 2-4
open List of ports 2-4
Active Directory requirements 2-5
Installing Active Directory Agent 2-7 Verifying installed
Active Directory Agent 2-7
Uninstalling Active Directory Agent 2-7
Active Directory Agent settings 2-8
AD Agent to send logs to a Syslog server 2-9
AD Domain with AD Agent Settings for acquiring information from the
controller 2-9
Client with AD Agent Settings 2-12 to allow devices to obtain information
from AD Agent

Cisco Active Directory Agent /1.0

OL-25134-01-J i
Installation Setup Guide, Release
 Contents

AP PEND IX A Active Directory Agent command Reference A-1

AD Agent control command A-1
adactrl help A-2
adactrl restart A-2
adactrl show running A-2

adactrl start A-2

adactrl stop A-3

adactrl version A-3

AD Agent コンフィギュレーション コマンド A-3

adacfg help A-4

adacfg help client A-4

adacfg client create A-5

adacfg client erase A-5

adacfg client list A-5

adacfg client status A-6

adacfg help dc A-6

adacfg dc create A-7

adacfg dc erase A-8

adacfg dc list A-8

adacfg help cache A-8

adacfg cache list A-9

adacfg cache clear A-9

adacfg help options A-9

adacfg options list A-10

adacfg options set A-11

adacfg help syslog A-11

adacfg syslog create A-12

adacfg syslog erase A-12

adacfg syslog list A-12

adacfg version A-13

AP PEND IX B customer log Message B-1

AP PEND IX C Windows application event Log C-1

AP PEND IX D Troubleshooting Active Directory Agent issuesD -1

Obtain troubleshooting information D-1
Internal debugging in AD Agent Enabling logs D-2
AD Observer log D-2

Cisco Active Directory Agent /1.0

ii OL-25134-01-J

Installation Setup Guide, Release

Contents

RADIUS server Log D-3 Settings

issue D-4
 Cisco Active Directory Agent /1.0
OL-25134-01-J iii
Installation Setup Guide, Release

Contents
 Cisco Active Directory Agent /1.0
iv OL-25134-01-J
Installation Setup Guide, Release

Introduction

This document provides instructions for installing and configuring Cisco Active Directory Agent .
This document uses the term AD Agent to refer to Cisco Active Directory Agent .
This section describes:
• Target audience
• Manual organization
• notation
• Latest information on the manual
• Related Documents
• Notice
• How to obtain manuals and technical information support

Target audience
is intended for network administrators who use Active Directory Agent during deployment . This
manual aims to equip readers with a working knowledge of networking principles and applications,
and to It is assumed that you have experience as a system administrator.
 Cisco Active Directory Agent /1.0
OL-25134-01-J iii
Installation Setup Guide, Release

Introduction

Manual organization
The topics in this manual are organized as follows:
• Introduction
• Cisco Active Directory Agent Overview
• Installing and configuring Active Directory Agent
• Active Directory Agent commands reference
• "customer log message"
• “ Windows Application event log"

• " Troubleshooting Active Directory Agent Issues" Conventions

In the notation used in this manual, the ^ symbol is Ctrl Represents a key. For example, ^ z The key
combination Ctrl while holding down the key z means to press a key.
Command descriptions use the following conventions:
• system Examples that include prompts represent interactive sessions in which the user enters
commands at the prompt. system The prompt is the current EXEC command Indicates the interpreter
level. For example, prompt Router> is the user level, prompt Router# indicates a privileged
level. Typically, a password is required to access privilege levels.
• Commands and keywords are shown in bold.
• Arguments for which you supply values are in italics .
• Elements in square brackets ( [ ] ) are optional.
• Required keywords are enclosed in curly braces ( {} ) and separated by vertical bars ( | ).
When providing examples, we use the following notation:
• Examples of terminal sessions and console screens are screen Shown in font.
• Information entered by the user is shown in bold on the screen . Shown in font.
• Characters that are not printed, such as passwords, are shown enclosed in angle brackets ( < > ).
• system Default responses to prompts are shown in square brackets ( [] ).
• ! ) at the beginning of a line indicates a comment line.

注意 「要注意」の意味です。機器の損傷またはデータ損失を予防するための注意事項が記述されていま
す。

アドバイ 「時間節約
ワンポイン 」の意味です。ここに紹介している方法で作業を行うと、時間を短縮できます。
ト ス
 Cisco Active Directory Agent /1.0
iv OL-25134-01-J
Installation Setup Guide, Release

はじめに

（注） 「注釈」です。次に進む前に検討する必要がある重要情報、役に立つ情報、このマニュアル以外の参照
資料などを紹介しています。

Latest information on the manual

Table 1 Active Directory Agent Installation / Setup Latest information on the guide
date explanation
2011/06/23 Internationalization is not supported in Chapter 2 . Added a note.
2011/06/13 Cisco AD Agent Release 1.0
Related Documentation
Documentation for this release
Table 2 Lists the available AD Agent Release 1.0 product documentation.

Table 2 Documentation for this release

Reference URL
『 Installation and Setup Guide for the Cisco Active http://www.cisco.com/en/US/docs/security/ibf/set
Directory Agent, Release 1.0 ” up_guide/ad_agent_setup_guide.html
『
Release Notes for the Cisco Active Directory http://www.cisco.com/en/US/docs/security/ibf/rel
Agent, Release 1.0 ease_notes/ibf10_rn.html
Open Source Used in Cisco Active Directory http://www.cisco.com/en/US/docs/security/ibf/op
Agent 1.0 ” en_source_license_document/ipcentral.pdf

Other related manuals

adaptive security Appliance ( ASA ) 5500 Series, Release 8.4.2 Documentation and Cisco IronPort
Web Security Links to the appliance ( WSA ) documentation can be found on Cisco.com at the
following location:
• Cisco ASA 5500 Series Adaptive Security Appliance page
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
• Cisco IronPort Web Security Appliance page
http://www.cisco.com/en/US/products/ ps10164/tsd_products_support_series_home.html
 Cisco Active Directory Agent /1.0
OL-25134-01-J v
Installation Setup Guide, Release

Introduction

Notice
All open files used in Active Directory Agent Release 1.0 sauce For license information,
http://www.cisco.com/en/US/docs/security/ibf/open_source_license_document/ipcentral.pdf Please refer to.

How to obtain manuals and technical information support

How to obtain the manual, technical information For support and other useful information, see the
monthly What's New in Cisco Product Documentation at: A list of new and revised Cisco technical
manuals is also provided.
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
You can subscribe to What 's New in Cisco Product Documentation as an RSS feed. You can also set up
content to be delivered directly to your desktop using a reader application. RSS feeds are a
free service. Cisco currently supports RSS version 2.0 .
 Cisco Active Directory Agent /1.0
vi OL-25134-01-J
Installation Setup Guide, Release

CHAPTER 1
Cisco Active Directory Agent Overview

Cisco Active Directory Agent ( AD Agent ) runs on a Windows machine and is an Active Directory
agent that runs on Windows machines and Controller ( DC ) monitors a collection of machines in
real time and typically Check for authentication-related events that indicate logins, recognize,
analyze, and cache IP address-to-user ID mappings in a database, and A component that makes the
latest mapping available to devices. client Device ( Cisco Adaptive Security Appliance ( ASA )
or Cisco IronPort Web Security Appliances ( such as WSA ) have up-to-date IP-to-user-identity
mapping Communicate with AD Agent using the RADIUS protocol to retrieve the set in one of the
following ways :
• On-demand: AD Agent can connect clients to specific mappings. from the device
Can respond to on-demand queries.
• bulk Download: AD Agent downloads the mappings currently in cache. Client asking for the
entire set Can respond to requests from devices.
On-demand method and bulk Both download method and client Requests from devices can be specially
tagged to indicate that they also include requests for notifications related to subsequent
updates.
For example, client When a device requests a basic on-demand query, the AD Agent responds with
the specific mapping it finds in its cache, but does not send any further updates about that
mapping. However, if the On-Demand query includes a notification request, the initial response
from the AD Agent is similar to the above, but if this particular mapping changes later, the AD
Agent will device (and any other clients that have registered for notifications) devices) to
proactively notify them of this particular mapping change.
Similarly, the client Device is basic bulk When requesting a download, the AD Agent currently
Session containing all mappings in cache Transfers a snapshot of the data, but does not send
subsequent updates. On the other hand, for replication registration requests, the initial
response from AD Agent is similar to the previous case, but later the mapping When any change is made
to the set (such as adding a new mapping or changing a particular mapping), the AD Agent device
(and any other clients that have registered for replication) devices) to proactively notify them
of changes compared to previously sent snapshots.
In addition to IPv4 addresses , the IP-to-user-identity mappings discovered, managed, and provided
by AD Agent include
Can include IPv6 addresses.
AD Agent can send logs to one or more Syslog servers.
any AD domain controller or client AD Agent continues to function even if a device fails . AD
Agent is another domain Get information from controller. However, A.D.
 Agent failover will not occur. Cisco AD Agent 's built-in "watchdog" feature continuously
monitors Windows processes within AD Agent and automatically restarts them if it detects that a
process has crashed.

Cisco Active Directory Agent /1.0

OL-25134-01-J 1-1

Installation Setup Guide, Release

 Chapter 1. Cisco Active Directory Agent Overview

Figure 1-1 shows a sample Indicates the role of AD Agent in the scenario .

Figure 1-1 AD Agent in the solution

In this example, a user logs in from a computer and requests access to a server, which generates
web traffic. client The device intercepts web traffic and sends a RADIUS request to AD Agent asking
about the user logged into the computer . AD Agent has modern IP-to-user-identity mapping The client
manages the set and sends user information to the client. Send to device. client The device uses
the user ID information to Decide whether to grant access to the user.
AD Agent communicates with the following components in your network:
• client device
• Active Directory Domain controller machine
• Syslog server

Note: AD Agent supports up to 100 clients Devices and up to 30 domains controller machine and can internally
cache up to 64,000 IP-to-user-identity mappings.

client device
client The device actively obtains (and passively receives) the latest IP-to-user-identity mapping
from AD Agent .
client A device can obtain mappings from AD Agent in the following ways :
• Query AD Agent for each new IP
• Local across database of user IDs and IP addresses keep a copy
client The device has the latest IP-to-user-identity mapping Receives sets from the AD Agent and also
sends mapping updates learned through other mechanisms to the AD Agent . For example, an ASA device
updates AD Agent with:
• New mappings learned during web authentication fallback ( for IP addresses that AD Agent could not
map to user IDs )

Cisco Active Directory Agent /1.0

OL-25134-01-J
Installation Setup Guide, Release
 Cisco Active Directory Agent /1.0
1-2 OL-25134-01-J
Installation Setup Guide, Release

第1章 Cisco Active Directory Agent の概要

• New mapping learned from VPN session

• VPN/ cut-through Mapping deletion upon logoff or disconnection learned from proxies, NetBIOS
probes, and MAC checks
These updates are sent as RADIUS Accounting-Request messages.

（注） AD Agent に通知を送信するように ASA デバイスを設定する方法については、 ASA エンドユーザ マ

ニュアルを参照してください。

Active Directory Domain controller machine

Active Directory is part of this solution, but it is managed by an Active Directory administrator.
Reliability and accuracy of data is based on Active Directory domains Determined by control data.
AD Agent is an Active Directory domain Monitor, learn, and read events from controllers.
AD Agent only monitors authentication events that use Kerberos for user authentication .
AD Agent monitors are typically triggered by logins, but can also be triggered by the following
activities:
• Using the Windows “ runas ” command

• Using the Windows “ net user ” command

AD Agent runs on an Active Server running the supported Windows Server versions listed below.
Directory domain controller You can monitor up to 30 machines .
• Windows Server 2003
• Windows Server 2008
• Windows Server 2008 R2

（注） Windows Server 2003 R2 はサポートされていません。

Active Directory domain running Windows Server 2008 or Windows Server 2008 R2 controller It is
important to ensure that the appropriate Microsoft hotfixes are installed on your machine ( see “
Active Directory Requirements” on page 2-5 ) . AD Agent is a domain controller installed directly
on the machine or on the domain controller You must apply the hotfix regardless of whether you
are monitoring the machine remotely.
Similarly, each Active Directory domain controller It is important to ensure that the audit policy
on your machine allows auditing of successfully completed authentication attempt operations
(see " AD Domains in AD Agent" ). (See “Settings for acquiring information from the
controller” on P.2-9 ) .
AD Agent can monitor domains that have a trust relationship configured with the domain to which
the AD Agent machine is a member. AD Agent supports the following Active Directory structures:
• single forest, single domain
• single forest, multi domain
• multi forest
 1-3
Chapter 1. Cisco Active Directory Agent Overview

Syslog server
AD Agent can forward logs containing management and troubleshooting information to one or more
Syslog servers. The contents of these logs are
Customers located in the C:\IBF\radiusServer\runtime\logs\localStore\ directory Same as log.
Syslog mechanism ensures that a target has a Syslog server running and can receive Syslog messages.
This information is delivered remotely to your machine.

Cisco Active Directory Agent /1.0

OL-25134-01-J
Installation Setup Guide, Release
 Cisco Active Directory Agent /1.0
1-4 OL-25134-01-J
Installation Setup Guide, Release
 CHAPTER 2
Installing Active Directory Agent and
setting

Active Directory Agent is software that is packaged as a Windows installer. It's an application.
Installed on Windows machine and client You need to configure your device and AD domain
controller. This chapter consists of the following topics:
• requirements
• Installing Active Directory Agent
• Verify installed Active Directory Agent
• Uninstalling Active Directory Agent
• " Active Directory Agent Settings" ( P.2-8 )
– “ Configuring AD Agent to Send Logs to a Syslog Server” on page 2-9
– " AD Domain with AD Agent Settings for acquiring information from the controller” ( P.2-
9)
– " Client with AD Agent Settings to allow devices to obtain information from AD Agent
( P.2-12 )

（注） ASA デバイスに関連する設定については、 ASA エンドユーザ マニュアルを参照してくださ

い。

requirements
This section describes the following items:
• “Hardware Requirements” ( P.2-2 )
• “Connection requirements” ( P.2-2 )
• "open Port list” ( P.2-4 )
• " Active Directory Requirements" ( P.2-5 )

Hardware requirements
To install Active Directory Agent , you need one of the following:

• Windows 2003 machine

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J twent
y1
 第2章 Active Directory Agentのインストールと設定
要件
• Windows 2008 machine
• Windows 2008 R2 マシン

（注） Windows 2003 R2 はサポートされていません。

（注） 国際化はサポートされていません。

This AD Agent machine is the Active Directory domain you want to monitor. controller, or a separate
dedicated Windows machine.
your solution requires installing multiple AD Agent machines, please note the following:
• domain controller There is no limit to the number of AD Agent machines that are not machines .
• One domain for a given AD domain controller You can install AD Agent directly on a machine only .
In either case, the AD Agent machine is shown in Table 2-1 Must meet the minimum hardware
specification requirements listed below.

Table 2-1 Minimum Hardware Specification Requirements for AD Agent Machine

component specification
CPU Intel Xeon 2.66 GHz Q9400 (Quad core)
system memory 4 GB SDRAM
hard Free disk space 500GB

Connection requirements
For AD Agent to function properly, all client devices configured with this AD Agent , Active Directory
domain controller The machine must be able to freely communicate with the target Syslog server.
Windows Firewall (or other compatible third party) firewall software
a) is an AD Agent machine or an Active Directory domain controller Firewall on each endpoint, if
running on the machine Your software must set the necessary exceptions for free communication.
requirements

This section uses Windows Firewall as an example and details the exceptions that must be defined
on all endpoints running Windows Firewall .
• “ Windows Firewall Exceptions That Must Be Set on the AD Agent Machine ” on page 2-3
• "Separate Active Directory Domain controller Windows Firewall exceptions that must be configured
on the machine ” ( P.2-4 )
Other compatible third parties firewall For software, refer to the vendor's documentation for
instructions on how to set up the applicable exceptions.

Windows Firewall exceptions that need to be configured on the AD Agent machine

Windows Firewall is enabled on the AD Agent machine , you must do the following:
a. Explicitly define Windows Firewall exceptions for the following programs :
– C:\IBF\adObserver\ADObserver.exe
– C:\IBF\radiusServer\runtime\win32\bin.build\rt_daemon.exe

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
tw OL-25134-01-J
en
ty
2
 第2章 Active Directory Agent のインストールと設定

the AD Agent machine is running Windows Server 2008 or Windows Server 2008 R2 , the following
Windows command Define these exceptions using lines ( type each command on one line).
– netsh advfirewall firewall add rule name="Cisco AD Agent (AD Observer)" dir=in
action=allow program="C:\IBF\adObserver\ADObserver.exe" enable=yes

– netsh advfirewall firewall add rule name="Cisco AD Agent (RADIUS Server)" dir=in
action=allow program="C:\IBF\radiusServer\runtime\win32\bin.build\rt_daemon.exe"
enable=yes

the AD Agent machine is running Windows Server 2003 ( with SP1 or higher installed), the
following Windows command Define these exceptions using lines ( type each command on one
line).
– netsh firewall add allowedprogram C:\IBF\adObserver\ADObserver.exe "Cisco AD Agent
(AD Observer)" ENABLE

– netsh firewall add allowed program

C:\IBF\radiusServer\runtime\win32\bin.build\rt_daemon.exe "Cisco AD Agent (RADIUS
Server)" ENABLE

Note: Windows Firewall is not supported in the original Windows Server 2003 . Windows Server 2003
SP1 now supports Windows Firewall , but Windows Firewall is disabled by default. Windows
Firewall is enabled by default in Windows Server 2003 SP2 .

1.adacfg dc create Active Directory domain separate from AD Agent machine using command
controller When configuring the machine, you must also define a Windows Firewall exception
on the AD Agent machine to allow the necessary WMI- related communication.

Note The AD Agent machine and a separate domain from this machine controller Windows Firewall is
enabled on the machine and AD Agent is configured for the AD domain. controller You must
set up WMI exceptions on each machine whenever you need to communicate with them . If
Windows Firewall is not running on either machine , WMI exceptions are not needed on
that machine. AD domain There is one controller and the AD Agent is connected to this
domain. WMI exceptions are also not required if running on the same machine as the
controller .
the AD Agent machine is running Windows Server 2008 or Windows Server 2008 R2 , the following
Windows command Define this WMI related exception using lines (each command is typed on one
line):
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new
enable=yes
AD Agent machine is running Windows Server 2003 ( with SP1 or higher installed), use the following
Windows commands : Define this WMI related exception using lines (each command is typed on one
line):
– netsh firewall add portopening protocol=tcp port=135 name="Cisco AD Agent
(WMI_DCOM_TCP135)"

– netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe

name="Cisco AD Agent (WMI_UNSECAPP)"

Separate Active Directory domain controller Windows Firewall exceptions that need to
be configured on your machine
On the AD Agent machine adacfg client create Separate Active Directory domains configured using
commands controller If the machine has Windows Firewall enabled, its domain controller You will

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J twent
y3
 第2章 Active Directory Agentのインストールと設定
要件
need to define a Windows Firewall exception that will allow any WMI- related communication you
want on your machine .
this domain controller If your machine is running Windows Server 2008 or Windows Server 2008 R2 , the
following Windows command You can configure this WMI- related exception using the line ( type the
command on one line).
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new
enable=yes

this domain controller If your machine is running Windows Server 2003 ( SP1 or later installed), the
following Windows command You can configure this WMI- related exception using the line ( type the
command on one line).
netsh firewall set service RemoteAdmin enable

open list of ports

Table 2-2 When the AD Agent connects to the client Device and Active Directory domain Transmission
Control Protocol ( TCP ) ports and users used to communicate with the controller datagram
Indicates some of the protocol ( UDP ) ports. AD Agent requires these ports to be open.

（注） このリストには、 WMI により使用される動的割り振り（ランダム）ポート番号は含まれていません。

Table 2-2 Opening AD Agent list of ports

port number protocol service
8888 TCP setting change
(local host)
514 UDP Syslog
1645 on all UDP Legacy RADIUS
interfaces
requirements

Table 2-2 Opening AD Agent List of ports (continued)

port number protocol service
1646 on all UDP Legacy RADIUS Accounting
interfaces
1812 on all UDP RADIUS
interfaces
1813 on all UDP RADIUS Accounting
interfaces
configuration changes and RADIUS are hard-coded and cannot be changed. Other software that uses
these port numbers on the AD Agent machine Do not run the application.
For example, the AD Agent machine must not have another RADIUS server running.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
tw OL-25134-01-J
en
ty
4
 第2章 Active Directory Agent のインストールと設定

Active Directory requirements

AD Agent is a domain To communicate with the controller, the following prerequisites must be
met:
• Authenticate while user logs in to ensure security For each individual whose logs are monitored
by AD Agent
Each AD domain The controller must be running one of the following supported Windows Server
versions:
– Windows Server 2003 –
Windows Server 2008
– Windows Server 2008 R2

（注） Windows Server 2003 R2 はサポートされていません。

（注） 国際化はサポートされていません。

• Also, each domain running Windows Server 2008 or Windows Server 2008 R2 controller The
machine must have the applicable Microsoft hotfix installed. AD Agent is a domain controller
installed directly on the machine or on the domain controller You must install the hotfix
regardless of whether you are monitoring your machine remotely.
Domain running Windows Server 2008 The following two Microsoft hotfixes must be installed on
the controller :
a. http://support.microsoft.com/kb/958124
This patch installs memory in Microsoft 's WMI Fix the leak. this memory If you do not
fix the leak, the AD Agent will Unable to connect to controller and get "up" status.
b. http://support.microsoft.com/kb/973995
This patch installs memory in Microsoft 's WMI Fix the leak. this memory If you do not
fix the leak, Active Directory will block required authentication-related events from
entering your domain. There are sporadic situations where the controller security log
cannot be written to. In this case, the AD Agent will User authenticated via controller
Unable to learn mapping for part of login.
Domain running Windows Server 2008 R2 controller The following Microsoft hotfixes must be
installed on the machine ( if SP1 is not installed):
http://support.microsoft.com/kb/981314
This patch installs memory in Microsoft 's WMI Fix the leak. this memory If you do not
fix the leak, Active Directory will block required authentication-related events from
entering your domain. Controller security Occasional situations occur where the log cannot
be written to. In this case, the AD Agent will User authenticated via controller Unable to
learn mapping for part of login.
• Similarly, users can perform authentication during login and security Logs are monitored by AD Agent
separate AD domain On the controller, the "Audit Policy" ( part of the Group Policy Management
settings) allows a successful logon to log on to that AD domain . controller The machine's
Windows security log must be configured to generate the required events. " AD Domain with AD
Agent Refer to "Settings for acquiring information from the controller" ( P.2-9 ) .
• adacfg dc create Single domain using command controller Also before configuring the machine ( AD

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J twent
y5
 第2章 Active Directory Agentのインストールと設定
要件
Domain set on Agent machine controller All domains that you want to monitor for user
authentication (through the machine) ( e.g. D[i] ) with which a trust relationship has been
established ( e.g. J ), make sure the AD Agent is joined first.
Possible scenarios are listed below depending on the structure of your Active Directory domain.
1. single forest, single Domain: All domains controller to the machine
one domain ( D[i] ), which is the domain J is the same as The AD Agent machine
initially runs this single Must be joined to the domain. There is no need to set
up trust relationships with other domains because they are not used.
2. single forest, multi Domain: Single A unique two-way trust relationship is already set up
between all domains in the forest. Therefore, the AD Agent initially uses one domain within
this forest. J Participate in this domain J is the domain controller Domain corresponding to
the machine D[i] does not have to be the same as either. domain J and each D[i] There is an
inherent trust relationship with the domain, so there is no need to explicitly set up a
trust relationship.
3. multi forest, multi domain: domain J The forest to which the domain belongs is Conte
roller correspond to the machine It may be different from the forest to which one or more
domains in D [i] belong. In this case, each D[i] domains and domains J You must explicitly
ensure that a valid trust relationship is set up in one or both of the following ways:
a. Two domains ( D[i] and You can set up a two-way external trust relationship between J ).
b. domain D[i] Forest and domain corresponding to J You can set up a two-way forest trust
relationship between the corresponding forests.
To set up trust relationships, go to Start > All Programs > Administrative Tools > Active Directory
Domains and Trusts] Choose.

Note: If this requirement is not met and the AD Agent machine is not joined to a domain that has the
required trust relationship configured with the domain associated with a particular DC machine, use
adacfg dc create When I perform an operation to configure that DC machine using commands , it appears to
complete successfully. However, that DC machine may start experiencing various issues such as very
high CPU load.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
tw OL-25134-01-J
en
ty
6
第2章 Active Directory Agent のインストールと設定

Installing Active Directory Agent

Installing Active Directory Agent

Active Directory Agent , follow these steps:

step 1 Copy the Active Directory Agent installer executable file to the Windows machine where you want
to install Active Directory Agent .
Step 2 AD_Agent-v1.0.0.32-build-539.Installer.exe Run the file.
The Cisco AD Agent Setup dialog box appears.
Step 3 [Yes] Click to continue with the installation.
The installer installs AD Agent to the C:\IBF\ directory on your Windows machine .
You can check the progress of the installation process. When the installation is completed
successfully, a [Completed] message is displayed.

Step 4 [Close] Click to exit the installer.

Verify installed Active Directory Agent

Active Directory Agent is running after installation , follow these steps:

step 1 Windows Command Line Prompt ( Start > All Programs > Accessories > Command Prompt ).

Step 2 cd C:\IBF\CLI Enter.

Step 3 adactrl.exe show running Enter.
You will see output similar to the following:
running C:\\IBF\\watchdog\\radiusServer.bat since 2010-12-27 T15:32:31
running C:\\IBF\\watchdog\\adObserver.bat since 2010-12-27 T15:32:38

This output provides information about when AD Agent internal processes started running on this
machine.

Uninstalling Active Directory Agent

Active Directory Agent , follow these steps:

step 1 Navigate to the C:\IBF\ folder.

By default, Active Directory Agent is installed in the C:\IBF\ directory on Windows machines .

Step 2 AD_Agent.Uninstaller.exe Run the file.

AD Agent will be uninstalled.
 第2章 Active Directory Agentのインストールと設定
Active Directory Agentの設定

Cisco Active Directory Agent Installation / Setup Guide, release 1.0

OL-25134-01-J 2-7

Active Directory Agent settings

After installing AD Agent , first ensure that the necessary exceptions are configured on the AD
Agent machine if a firewall such as Windows Firewall is running on the AD Agent machine.
( See “ Windows Firewall Exceptions That Must Be Set on the AD Agent Machine” on page 2-3 ) . Then A.D.
The following must be configured on the Agent :
• Active Directory domain where users perform authentication while logging in controller. this
domain Security for this controller to learn new mappings from the controller The log is
Monitored by AD Agent .

（注） また、導入するバックアップ ドメイン コントローラをすべて含める必要があります。

• ASA device) that is configured to obtain an IP-to-user-identity mapping from the AD Agent machine
.
You can also configure AD Agent to send logs to a Syslog server.

(Note) AD domain controller and client If you first configure a Syslog server in AD Agent before configuring
devices , troubleshooting information is available on the Syslog server in addition to the localStore .
Keeping this troubleshooting information on your Syslog server can be helpful if you run into problems
during setup.

After installing AD Agent , wait a moment (approximately 30 seconds) for AD Agent to properly
initialize before running the adacfg command.
• adacfg commands when AD Agent is not running , you will receive the following message:
Error: HTTP request sending failed with error “Couldn't connect to server”! For
further syntax information, use adacfg help.

• adacfg commands before the AD Agent is fully initialized , you receive the following message:
Caught exception: Module PipConfigurator not initialized!

This section describes the following items:

• “ Configuring AD Agent to Send Logs to a Syslog Server” on page 2-9
• " AD Domain with AD Agent Settings for acquiring information from the controller” ( P.2-9 )
• " Client with AD Agent "Settings to allow devices to obtain information from AD Agent " ( P.2-12
)

Note: This section only describes the settings you need to make on AD Agent . For the solution to work
properly, the client AD Agent and AD Domain on Device You also need to configure your
controller. For more information, see ASA End Users Please refer to the manual .

Active Directory Agent settings

Cisco Active Directory Agent /1.0

tw OL-25134-01-J
en Installation Setup Guide, Release
ty
8
 第2章 Active Directory Agent のインストールと設定

AD Agent to send logs to a Syslog server

You can configure AD Agent to send logs to a Syslog server for administrative purposes and
troubleshooting information .

To configure AD Agent to send logs to a Syslog server:

step 1 Log in to the AD Agent Windows machine.

Step 2 command line At the prompt, cd C:\IBF\CLI Enter.
Step 3 Enter the following command:
adacfg syslog create -name < syslog-target-nickname > -ip < IP-address > [ -facility < syslog-facility >]
Description:
• syslog-target-nickname is the friendly name you want to assign to your Syslog server.
• IP address is the IP address of the Syslog server .
• syslog-facility The values are LOCAL0 to LOCAL7 . Default is LOCAL6 .
The following message is displayed:
Reply: Command completed successfully.

AD Domain with AD Agent Settings for acquiring information from

the controller
Active Directory domains that perform authentication while users log in Controllers must be
configured separately on AD Agent . This will cause the AD Agent to use that specific domain.
Controller security Monitor logs and check the domain You can learn new IP-to-user-identity
mappings from the controller .

（注） 導入するバックアップ ドメイン コントローラ マシンをすべて含める必要があります。

specific AD domain controller To configure AD Agent to retrieve information from your

machine , follow these steps:

Step 1 AD domain controller Windows Server operating system running on the machine system's
Verify that the version is a supported version. ( " Active Directory Requirements"
( See P.2-5 ) .
Step 2 AD Domain controller If your machine is running Windows Server 2008 or Windows Server 2008 R2 ,
ensure that the applicable Microsoft hotfix is installed on your machine ( see Active Directory
Requirements, page 2-5 ) . ). AD domain running Windows Server 2008 or 2008 R2 without the
specified hotfix applied Do not use a controller.
Step 3 Firewall such as Windows Firewall Software is an AD domain controller AD domain , if enabled on your
machine controller Verify that the required firewall exceptions are defined on your machine (see
"Separate Active Directory Domain") controller Must be configured on the machine
Windows Firewall Exceptions” on page 2-4 ) .

Cisco Active Directory Agent Installation / Setup Guide, release 1.0

OL-25134-01-J 2-9
 第2章 Active Directory Agent
Active Directory Agent の設定
Installation and configuration

Step 4 domain controller Ensure that the domain associated with the machine has the appropriate trust
relationship configured with the domain that the AD Agent machine will join.
Step 5 Audit Policy ( part of the Group Policy Management settings) allows successful logon to controller
Machine Windows Security Make sure the log is configured to generate the events you want
(usually this is the Windows default setting, but you should explicitly confirm that this
setting is correct). To check this, go to Start > Programs > Administrative Tools > Group Policy
Management. Choose. Group Policy Management left navigation In the pane:
a. [Domains] Navigate to the appropriate domain under .
b. navigation Expand the tree.
c. [Default Domain Policy] Right-click.
d. [Edit] Select a menu item. This will open the Group Policy Management Editor .
e. In the left navigation pane of the Group Policy Management Editor :
f. Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security
Settings] Choose.
– For Windows Server 2003 or Windows Server 2008 ( other than R2 ), select [Local Policies] >
[Audit Policy] Choose. Two policy items ( [Audit Account Logon Events] and [Audit Logon
Events] ) and the corresponding [Policy Setting] [Success ] Verify that the state is
directly or indirectly included. [Success] To include the status indirectly, set the
Policy Setting to Not Defined. Set. In this case, the valid values are inherited from the
higher-level domain, so [Success] You must set the Policy Setting for that higher domain to
explicitly include the state .
– For Windows Server 2008 R2 : Advanced Audit Policy Configuration > Audit Policies > Account
Logon Choose. Two policy items ( [Audit Kerberos Authentication Service] and [Policy
Setting] corresponding to [Audit Kerberos Service Ticket Operations] As mentioned above,
[Success] Verify that the state is directly or indirectly included.
g. [Audit Policy] If any field settings have been changed, you must run gpupdate /force to force
the new settings to take effect.
Step 6 Log in to the AD Agent Windows machine.
Step 7 command line At the prompt, cd C:\IBF\CLI Enter.
Step 8 Enter the following command:
adacfg dc create -name < DC-nickname > -host < DC-hostname-or-FQDN > -domain
< full-DNS-name-of-AD-domain > -user < username-member-of-Domain-Admins-group > -password
< password-of-user >
explanation:
• DC-nickname is the domain A friendly name to assign to the controller.
• DC-hostname-or-FQDN is the AD domain monitored by AD Agent controller The host name or
fully qualified domain name of the machine.
• full-DNS-name-of-AD-domain is the full DNS name of the AD domain .
• username-member-of-Domain-Admins-group is the domain controller machine security Username of
an existing account used to monitor logs.
This account has a domain controller machine security The necessary permissions must be granted
to read the log. AD group of the domain specified in the " -domain " option
You can easily and reliably perform this operation by specifying an account belonging to "
Domain Admins ."
Active Directory Agent settings

Cisco Active Directory Agent /1.0

tw OL-25134-01-J
en Installation Setup Guide, Release
ty
10
第2章 Active Directory Agent のインストールと設定

Domain Admins group can obtain the required permissions if they meet all of the
requirements below .
– The account belongs to the AD group " Distributed COM Users ".
– account, domain controller You have been granted access to the machine's WMI namespace
(specifically the " CIMV2 " namespace). To set this permission, use the wmimgmt.msc
snap-in or group Use policy (all domains controller (if reflected on the machine). For more
information,
http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-scri
pt.aspx Please refer to.
– domain controller machine security event The account has permission to read logs. You can
set this permission using the CustomSD key in the registry or using Group Policy (all
domains controller (if reflected on the machine). For more information:
http://msdn.microsoft.com/en-us/library/aa363648%28v= vs.85%29.aspx Please refer to.
• password-of-user is the password associated with the specified username.
The following message is displayed:
Reply: Command completed successfully.

Currently configured AD domain controller Machine and its up or down To see a list of status,
use adacfg dc list Use the command: Run this command regularly and add the AD domain controller
You can double check the machine status.
specific AD domain Create a controller adacfg dc create After running the command, that AD
domain Please wait for a while (about 1 minute) until the controller status changes from the
initial setting of " down " to " up " or " down(no-retry) ".
• “ up ” state means that the AD domain Indicates that a connection to the controller has
been established. In some cases, specific AD domains controller From the first time a machine
is " up ", previous mappings are retrieved from that machine and adacfg cache list You will
have to wait a few more minutes (or longer) before you can see it with the command.
• " down(no-retry) " state means that a connection cannot be established (for example, due to
incorrect credentials), and
Indicates that the AD Agent does not retry establishing a connection.
• " down " state means that the AD Agent is currently running on that AD domain . controller
Indicates that you are not connected to the machine, but will periodically retry
establishing a connection.
Also, adacfg dc erase Any domain from AD Agent using command You can also delete controller
settings.
For more information about these commands, see `` adacfg dc list '' ( PA-8 ) , `` adacfg cache list
'' ( PA-9 ) , and
See " adacfg dc erase " ( PA-8 ) .

Cisco Active Directory Agent Installation / Setup Guide, release 1.0

OL-25134-01-J 2-11
Active Directory Agent の設定

Chapter 2. Active Directory Agent

Installation and configuration

Client with AD Agent Settings that allow devices to retrieve

information from AD Agent
AD Agent is a client Each client in AD Agent responds to requests from devices (requests to
receive mapping information from this AD Agent ). You will need to configure your device ( e.g.
ASA ).

（注） 1 つの AD Agent では最大 100 のクライアント デバイス（ ASA デバイスなど）がサポートされていま

す。

specific client To configure AD Agent to communicate with devices , follow these steps:

step 1 Log in to the AD Agent Windows machine.

Step 2 command line At the prompt, cd C:\IBF\CLI Enter.
Step 3 Enter the following command:
adacfg client create -name <client-nickname> -ip <IP-address>[/<prefix-length-for-IP-range>]
-secret <RADIUS-shared-secret>
explanation:
• client-nickname is a friendly name that you assign to a specific client device.
• IP-address/<prefix-length-for-IP-range> is a specific client Specify the device's IP address. You
can optionally define a subnet range.
• RADIUS-shared-secret is the shared secret that the RADIUS protocol uses for communication.
this secret is that client A key configured on the device.

Note: Make sure you have entered the correct RADIUS-shared-secret . Otherwise, the client Requests
from the device are ignored.

The following message is displayed:

Reply: Command completed successfully!

To view a list of currently configured client devices adacfg client list From any client from AD
Agent using the command To delete device settings adacfg client erase Use the command: For more
information about these commands, see adacfg client list ( PA-5 ) and adacfg client erase ( PA-5 ) .
Step 4 Specific Client Follow the instructions for the device to make the client aware of this AD Agent
machine. Configure your device.

Cisco Active Directory Agent /1.0

tw OL-25134-01-J
en Installation Setup Guide, Release
ty
12
 APPENDIX A
Active Directory Agent commands Refer
lenth

This appendix provides an alphabetical list of Active Directory Agent -specific commands. The
command has the following modes:
• adactrl : Used to start, stop, restart AD Agent and monitor AD Agent execution status.
• adacfg : Client with Active Directory Agent device, Active Directory domain Used to configure the
controller and Syslog server.
For each command, this appendix provides a brief description of its use, command syntax, usage
guidelines, and usage examples. This appendix is organized as follows:
• " AD Agent Control Commands" ( PA-1 )
• AD Agent configuration Command” ( PA-3 )

AD Agent control commands

This section describes the following commands:
• adactrl help
• adactrl restart
• adactrl show running
• adactrl start
• adactrl stop
• adactrl version

（注） すべての adactrl コマンドでは大文字と小文字が区別されます。

control command

adactrl help
Displays a list of adactrl commands and their syntax.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J A- 1
 付録 A Active Directory Agentコマンド リファレンス
AD Agent
syntax
adactrl help

例
C:¥IBF¥CLI>adactrl help
Cisco AD Agent adctrl -- version 1.0.0.32, build 539
Usage: adactrl COMMAND where COMMAND can be:
start - to start the AD Agent stop - to stop the AD
Agent restart - to restart the AD Agent show running - to show
the running status of the AD Agent version - to view info on AD
Agent version currently installed help - to view this help

adactrl restart
AD Agent を停止して再起動します。

構文
adactrl restart

例
C:¥IBF¥CLI>adactrl restart OK

adactrl show running

Displays the status of AD Agent 's internal components ( radiusServer and adObserver ).

syntax
adactrl show running

example
C:\IBF\CLI> adactrl show running
running C:\\IBF\\watchdog\\radiusServer.bat since 2011- 1- 5 T10:25:44 running
C:\\IBF\\watchdog\\adObserver.bat since 2011- 1- 5 T10:25:44

adactrl start
Start AD Agent .

syntax
adactrl start

example
C:\IBF\CLI> adactrl start
OK

adactrl stop
Stop AD Agent .

syntax

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
A- OL-25134-01-J
2
 付録 A Active Directory Agent コマンド リファレンス
AD Agent コンフィギュレーションコマンド
adactrl stop

example
C:\IBF\CLI> adactrl stop
OK

adactrl version
Displays the version of AD Agent installed on a Windows machine.

syntax
adactrl version

example
C:\IBF\CLI> adactrl version
Cisco AD Agent adactrl -- version 1.0.0.32, build 539
(Built from sources last modified 2011-04-21 12:20:17 +0300)

AD Agent configuration command

This section describes the following commands:
• adacfg help
• adacfg help client
• adacfg client create
• adacfg client erase
• adacfg client list
• adacfg client status
• adacfg help dc
• adacfg dc create
• adacfg dc erase
• adacfg dc list
• adacfg help cache
• adacfg cache list
• adacfg cache clear
configuration command

• adacfg help options

• adacfg options list
• adacfg options set
• adacfg help syslog
• adacfg syslog create

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J A- 3
 付録 A Active Directory Agentコマンド リファレンス
AD Agent
• adacfg syslog erase
• adacfg syslog list • adacfg version

（注） adacfg コマンドでは大文字と小文字が区別されません。

adacfg help
adacfg Displays summary information about the command syntax.

syntax
adacfg help

example
C:\IBF\CLI> adacfg help
Cisco AD Agent adacfg -- version 1.0.0.32, build 539
Usage: adacfg [COMMAND] where COMMAND can be:
client - to manage client-devices of AD Agent dc - to manage AD domain-controller
machines monitored by AD Agent syslog - to manage syslog-targets of AD Agent
options - to manage configurable settings for AD Agent cache - to manage cache of
identity- mappings maintained by AD Agent version - to view info on AD Agent
version currently installed help - to view this help
help COMMAND - to view the help for specified COMMAND

adacfg help client

Client related adacfg Displays a detailed syntax summary of the command.

syntax
adacfg help client

example
C:\IBF\CLI> adacfg help client
Cisco AD Agent adacfg -- version 1.0.0.32, build 539
Usage: adacfg client [SUBCOMMAND] [ARGS] where
SUBCOMMAND can be:
create - to configure a new client
list - to list all previously configured clients erase - to
erase a previously configured client status - to view status of
clients subscribed for notification help - to view this help
detailed syntax (write command on a single line!):
adacfg client create -name <client-nickname>
-ip <IP-address>[/<prefix-length-for-IP-range>]
-secret <RADIUS-shared-
secret> adacfg client list adacfg client erase
-name <client-nickname> adacfg client status

adacfg client create

new client Configure your device.

syntax
adacfg client create -name <client-nickname> -ip <IP-address>[/<prefix-length-for-IP-range>]

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
A- OL-25134-01-J
4
 付録 A Active Directory Agent コマンド リファレンス
AD Agent コンフィギュレーションコマンド

-secret <RADIUS-shared-secret>
Description:
• client-nickname : client A friendly name that can be assigned to the device.
• IP-address : Client Device IP address.
• prefix-length-for-IP-range : You can optionally define an IP subnet range.
• RADIUS-shared-secret : Client via RADIUS protocol RADIUS shared secret used to communicate
with the device . this secret is the client A key configured on the device. example
C:\IBF\CLI> adacfg client create -name asa1 -ip 10.77.202.1/32 -secret cisco123
Reply: Command completed successfully!

adacfg client erase

Erase previously configured clients.

syntax
client erase -name <client-nickname>
client-nickname is the client The name of the device.

example
C:\IBF\CLI> adacfg client erase -name asa1
Reply: Command completed successfully!

adacfg client list

All clients configured so far List devices.

syntax
adacfg client list

configuration command

example
C:\IBF\CLI> adacfg client list
Name IP/Range ----
--------asa1
10.77.204.2 asa2
10.77.101.3 asa3
10.77.101.4

adacfg client status

Displays the synchronization status of clients registered for notifications ( on-demand queries
that also include notification requests, or replication registration requests).

syntax
adacfg client status

example

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J A- 5
 付録 A Active Directory Agentコマンド リファレンス
AD Agent
C:\IBF\CLI> adacfg client status
Subscribed-IP Sync Status
------------- ------------
10.77.101.2 In-Sync
10.77.101.3 Out-Of-Sync
10.77.101.4 Out-Of-Sync 10.77.101.5
In-Sync

adacfg help dc
DC related adacfg Displays a detailed syntax summary of the command.

syntax
adacfg help dc

例
C:¥IBF¥CLI>adacfg help dc
Cisco AD Agent adacfg -- version 1.0.0.32, build 539
Usage: adacfg dc [SUBCOMMAND] [ARGS] where
SUBCOMMAND can be:
create - to configure a new AD domain-controller machine list -
to list all previously configured AD domain-controller machines erase
- to erase a previously configured AD domain-controller machine help
- to view this help
detailed syntax (write command on a single line!):
adacfg dc create -name <DC-nickname>
-host <DC-hostname-or-FQDN>
-domain <full-DNS-name-of-AD-domain>
-user <username-member-of-Domain-Admins-group>
-password <password-of-user> adacfg dc list
adacfg dc erase -name <DC-nickname>

adacfg dc create
new AD domain controller Configure the machine.

syntax
adacfg dc create -name < DC-nickname > -host < DC-hostname-or-FQDN > -domain
< full-DNS-name-of-AD-domain > -user < username-member-of-Domain-Admins-group > -password
<password-of-user>
Description : _
• DC-nickname : Active Directory domain Controller name.
• DC-hostname-or-FQDN : AD domain Controller hostname or Active Directory domain Fully
qualified domain name ( FQDN ) of the controller.

• full-DNS-name-of-AD-domain : Full DNS name of the AD domain .

• username-member-of-Domain-Admins-group :Domain controller machine security Username of an
existing account used for log monitoring.
This account has a domain controller machine security The necessary permissions must be
granted to read the log. AD group of the domain specified in the " -domain " option
You can easily and reliably perform this operation by specifying an account belonging to " Domain Admins. "
vinegar.
Domain Admins group can obtain the required permissions if they meet all of the
requirements below .
– The account belongs to the AD group " Distributed COM Users ".

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
A- OL-25134-01-J
6
 付録 A Active Directory Agent コマンド リファレンス
AD Agent コンフィギュレーションコマンド
– account, domain controller You have been granted access to the machine's WMI namespace
(specifically the " CIMV2 " namespace). To set this permission, use the wmimgmt.msc
snap-in or group Use policy (all domains controller (if reflected on the machine). For more
information,
http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-scri
pt.aspx Please refer to.
– domain controller machine security event The account has permission to read logs. You can
set this permission using the CustomSD key in the registry or using Group Policy (all
domains controller (if reflected on the machine). Details
For more information: http://msdn.microsoft.com/en-us/library/aa363648%28v=vs.85%29.aspx
Please refer to.
• password-of-user : Password corresponding to the above username.

example
C:\IBF\CLI> adacfg dc create -name abc-dc1 -host amer.acs.com -domain acs.com -user xyz
-password axbycz
Warning: please make sure that this DC machine has:
[1] all necessary patches installed, and
[2] a properly configured Audit Policy.
For more details, visit:
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/README_FIRST.html

Command completed successfully!

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J A- 7
 Appendix A Active Directory Agent Commands reference
AD Agent コンフィギュレーション コマンド

adacfg dc erase
Previously configured AD domain controller Erase the machine.

syntax
dc erase -name <DC-nickname>

example
C:\IBF\CLI>adacfg dc erase -name abc-dc1 Reply: Command
completed successfully!

adacfg dc list
AD domains configured so far controller List machines.

syntax
adacfg dc list

example
C:\IBF\CLI>adacfg dc list
C:\IBF\CLI>adacfg dc list
Name Host/IP Username Domain-Name Latest Status ---- ------- --------
----------- ---------- --abc-dc1 amer.acs.com domainAdmin ACS up abc-dc2
amer2.acs.com domainAdmin down abc-dc3 amer3.acs.com domainAdmin down(no-
retry)

adacfg help cache

Cache related adacfg Displays a detailed syntax summary of the command.

syntax
adacfg help cache

example
C:\IBF\CLI> adacfg help cache
Cisco AD Agent adacfg -- version 1.0.0.32, build 539 Usage: adacfg
cache [SUBCOMMAND] where SUBCOMMAND can be:
list - to view the currently cached mappings clear - to clear the
currently cached mappings help - to view this help
detailed syntax:
adacfg cache list adacfg cache clear

Cisco Active Directory Agent /1.0

A-8 OL-25134-01-J
Installation Setup Guide, Release
 付録 A Active Directory Agent コマンド リファレンス
AD Agent コンフィギュレーションコマンド

adacfg cache list

Displays currently cached mappings.

syntax
adacfg cache list

example
C:\IBF\CLI> adacfg cache list
IP User-Name Domain Response-to-Probe Mapping-Type Mapping-Origin Create-Time
------------ ------ ----------------- ------------ ---- ---------- -----------
10.77.100.1 User1 AD1 true DC AD1 2011-01-05T09:37:17Z
10.77.100.2 User2 AD1 true DC AD1 2011-01-05T09:37:21Z

adacfg cache clear

Clears currently cached mappings.

syntax
adacfg cache clear

example
C:\IBF\CLI> adacfg cache clear
Removed 10 records.

(Note) Please wait until the cache is completely cleared. The time it takes to clear the cache depends
on the number of mappings currently cached.
it will take about a minute to completely clear it . Also, while performing this process,
adacfg cache list Invoking the command may indicate that the mapping still exists or may return
an SQL error indicating "database is locked", but such results can be safely ignored . cache After the
clear operation is completed internally adacfg cache list When I run the command, " Total
mappings count " is returned as 0 .

adacfg help options

Options related adacfg Displays a detailed syntax summary of the command.

syntax
adacfg help options

example
C:\IBF\CLI> adacfg help options
Cisco AD Agent adacfg -- version 1.0.0.32, build
539 Usage: adacfg options [SUBCOMMAND] [ARGS]
where SUBCOMMAND can be:
list - to view the current settings of the configurable options set
- to configure one or more of the configurable options
help - to view this help
detailed syntax:
adacfg options list adacfg options set [-<optionName>
<optionValue>] [...] an <optionName>/<optionValue> pair can
be:
Cisco Active Directory Agent /1.0
OL-25134-01-J A- 9
Installation Setup Guide, Release
 付録 A Active Directory Agentコマンド リファレンス
AD Agent コンフィギュレーションコマンド

[-userLogonTTL <number-of-minutes>]
Time duration after which logged-in user is marked as being logged-out.

[-dcStatusTime <number-of-seconds>]
Time span between consecutive monitorings of DC-machine up/down status.

[-dcHistoryTime <number-of-seconds>]
Amount of time before the present from which to start reading
the security logs of DC-machines that are configured (via
'adacfg dc create') for the first time ever.

[-notifyAttributes <text>]
Comma-separated list of attributes to be sent in notifications to
subscribed client-devices.

Fully expanded list: domain,time-stamp,responds-to-probe,mapping-

type,mapping-origin

Wildcard equivalent to the fully expanded list:

*

[-logLevel <level>]
Logging level for the customer logs (localStore and syslogs).

Valid values: FATAL, ERROR, WARN, INFO, or DEBUG Default value:

INFO

adacfg options list

Displays the current settings for configuration options.

syntax
adacfg options list

example
C:\IBF\CLI> adacfg options list
Option Value ---------------
----userLogonTTL 1440
dcHistoryTime 86400
dcStatusTime 60
notifyAttributes * logLevel
INFO

adacfg options set

Sets one or more configuration options .

syntax
adacfg options set [-<optionName> <optionValue>] [...] The optionName and
optionValue pair can be any or all of the following:
• [userLogonTTL <number-of-minutes> ] : Login Duration after which a user is marked as
logged out.
• [dcStatusTime <number-of-seconds> ] : DC machine up or down consecutively Status monitoring
interval.
• [dcHistoryTime <number-of-seconds> ] : DC machine security configured using ' adacfg dc
create ' The amount of time before starting to read the log for the first time.

Cisco Active Directory Agent /1.0

A- OL-25134-01-J
10 Installation Setup Guide, Release
 付録 A Active Directory Agent コマンド リファレンス
AD Agent コンフィギュレーションコマンド

• [ notifyAttributes <text> ] : Registered clients Comma-separated list of attributes specified

in notifications sent to devices. You can specify any or all of the following attributes:
– domain , time-stamp , responds-to-probe , mapping-type , mapping-origin
– * (wildcard equivalent for all attributes)
• [logLevel <level> ] :Customer Logs ( localStore and Syslog ) level. Valid values are FATAL ,
ERROR , WARN , INFO , and DEBUG . The default level is INFO .

Note AD Agent uses NOTICE logs. Some customers using levels (levels between " INFO " and "
WARN ") log Generates a message, but adacfg options set -logLevel You cannot explicitly
select NOTICE as the logLevel setting using the command . For more information, see
Appendix B, “Customer log See Message .

adacfg help syslog

Syslog related adacfg Displays a detailed syntax summary of the command.

syntax
adacfg help syslog

example
C:\IBF\CLI> adacfg help syslog
Cisco AD Agent adacfg -- version 1.0.0.32, build
539 Usage: adacfg syslog [SUBCOMMAND] [ARGS]
where SUBCOMMAND can be:
create - to configure a new syslog-target list - to list all
previously configured syslog-targets erase - to erase a
previously configured syslog-target help - to view this help
detailed syntax (write command on a single line!):
adacfg syslog create -name <syslog-target-nickname>
-ip <IP-address>
[-facility <syslog-facility>] valid syslog facility
values: LOCAL0 - LOCAL7 default syslog facility
value: LOCAL6 adacfg syslog list adacfg syslog erase
-name <syslog-target-nickname>

adacfg syslog create

Configure a new Syslog target.

syntax
adacfg syslog create -name < syslog-target-nickname > -ip < IP-address > [ -facility < syslog-facility
>] Description:
• syslog-target-nickname : Name of the Syslog server.
• IP-address : IP address of the Syslog server .
• syslog-facility : Facility value ( LOCAL0 to LOCAL7 ). Default is LOCAL6 .

example
C:\IBF\CLI> adacfg syslog create -name mysyslog -ip 10.77.202.1 -facility LOCAL6
Reply: Command completed successfully!

Cisco Active Directory Agent /1.0

OL-25134-01-J A- 11
Installation Setup Guide, Release
 付録 A Active Directory Agentコマンド リファレンス
AD Agent コンフィギュレーションコマンド

adacfg syslog erase

Clears previously configured Syslog targets.

syntax
syslog erase -name <syslog-target-nickname>
syslog-target-nickname is the name of the Syslog target connected to AD Agent .

example
C:\IBF\CLI> adacfg syslog erase -name mysyslog
Reply: Command completed successfully.

adacfg syslog list

List all Syslog targets configured so far .

syntax
adacfg syslog list

example
C:\IBF\CLI> adacfg syslog list
Name IP Facility ----- --- --------
mysyslog 10.77.202.4 LOCAL6

adacfg version
Displays the version of AD Agent installed on a Windows machine.

syntax
adacfg version

example
C:\IBF\CLI> adacfg version
Cisco AD Agent adacfg -- version 1.0.0.32, build 539
<Built from sources last modified 2011-04-21 12:20:17 +0300>

Cisco Active Directory Agent /1.0

A- OL-25134-01-J
12 Installation Setup Guide, Release
 付録 A Active Directory Agent コマンド リファレンス
AD Agent コンフィギュレーションコマンド

Cisco Active Directory Agent /1.0

OL-25134-01-J A- 13
Installation Setup Guide, Release
 APPENDIX B
customer log message

This appendix describes the different customers generated by AD Agent ( based on the current value of the
logLevel configuration option). log Shows messages by functional category.
To change the “ logLevel ” setting: adacfg options set –logLevel Use the command:

(Note) Some logs The message is in the " NOTICE " log level ( between " INFO " and " WARN "), but " NOTICE " cannot
be selected when setting " logLevel " using the above-mentioned adacfg command.

Logs to the following scales, starting with the least detailed: Indicates a range of levels. " NOTICE " shown
in italics is not an option that can be set in " logLevel ". shown in bold
" INFO " is the default setting for " logLevel ".
FATAL < ERROR < WARN < NOTICE < INFO < DEBUG

Note: When troubleshooting problems, use the default setting " INFO ", which has the highest level of detail.
It is often helpful to change it to " DEBUG ". However, this setting can have a negative impact on AD Agent
performance. We recommend that you revert the logLevel setting once the issue is resolved .

Similarly, changing the logLevel from its default setting of INFO to the least verbose WARN can have a
positive impact on AD Agent performance. However, this setting does not print INFO or NOTICE level messages
(messages that may be important for administrative or auditing purposes).
Past customers log Message local The archive is
It is kept in the " C:\IBF\radiusServer\runtime\logs\localStore " directory. These log messages can be found using
adacfg syslog create It will also be forwarded to any remote Syslog targets configured using the command .
Table B-1 to the customer Messages for logged AD Agent -specific messages code, log level, message
class, message Indicates text, description. This list contains all generated
It does not contain any messages. Other messages , such as generic RADIUS -related messages, are
not included.

Table B-1 AD Agent Logs message

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J B- 1
 付録 B カスタマー ログ メッセージ

Message logging
sage level message class message text explanation
code
Starting and stopping AD Agent

(A more extensive set of messages is logged in the Windows Application Event Log ). For more information, see
Appendix C
Windows application event Please refer to "Log" .
31502 INFO STARTUP-SHUTDOWN Started Runtime The AD Agent RADIUS Server
subcomponent has started .
"

setting change
68000 NOTICE IBF_CONFIG_CHANGE Created DC configuration AD Agent adacfg dc create domain using
command controller The machine is now
configured.

68001 NOTICE IBF_CONFIG_CHANGE Deleted DC configuration From AD Agent adacfg dc erase domain
using command controller Machine
configuration deleted.

68002 NOTICE IBF_CONFIG_CHANGE Created RADIUS-client AD Agent adacfg client create Top
configuration client using Device is configured.

68003 NOTICE IBF_CONFIG_CHANGE Deleted RADIUS-client adacfg client erase client using
configuration command Device configuration removed
from AD Agent .
Update mapping
12862 INFO IBF_RADIUS_SERVER Updated mapping in Identity In AD Agent 's internal cache
Cache Added or updated IP-address-to-user-
identity mapping.
12855 INFO IBF_RADIUS_SERVER Dropped Identity Cache the logon time was too long ago
mapping-update due to (relative to the " userLogonTTL "
userLogonTTL configuration option), the incoming call
IP-address-to-user-identity mapping
update ignored by AD Agent .

12856 INFO IBF_RADIUS_SERVER Dropped Identity Cache Incoming IP-address-to-user-identity

mapping-update: older than mapping update was ignored by AD
existing mapping Agent . This means that the associated
logon time is currently set by AD
Agent .
This is because it is older than the
cached mapping for the same IP
address.
Table B-1 AD Agent Logs Message (continued)
Message
sage
code logging
level message class message text explanation
12859 INFO IBF_RADIUS_SERVER Dropped Identity Cache Incoming IP-address-to-user-identity
mapping-update having mapping update was ignored by AD
timestamp in future Agent . This is because the associated
logon time is in the future.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
B- OL-25134-01-J
2
 付録 B カスタマー ログ メッセージ

12861 INFO IBF_RADIUS_SERVER Dropped Identity Cache Incoming IP-address-to-user-identity

mapping-update: same time as mapping update was ignored by AD
existing mapping Agent . This means that the associated
logon time is currently set by AD
Agent .
the same cached IP address and
username mapping.
12867 WARN IBF_RADIUS_SERVER Approaching stress limit on The number of cached mappings in AD
Identity Cache mapping- Agent is approaching its maximum
updates capacity limit.
Currently over 100,000 mappings
It is cached. cache
The number of mappings contained in
200,000 is reached, AD Agent ignores
subsequent incoming mapping updates.

12868 ERROR IBF_RADIUS_SERVER Dropped Identity Cache Maximum capacity limit for AD Agent
mapping-updates: stress limit mappings
exceeded number ( 200,000 mappings), any new
incoming mapping updates will be
ignored.
12893 INFO IBF_RADIUS_SERVER Deleted mapping in Identity AD Agent 's internal cache
Cache IP-address-to-user-identity mapping has
been removed.
synchronous request
12869 INFO IBF_RADIUS_SERVER Detected Synch request with Session data for all mappings
registration for notifications currently in AD Agent 's cache Clients
that want to receive snapshots the
device requested.
The client is requesting to register
for replication with AD Agent .

12860 INFO IBF_RADIUS_SERVER Detected synch request with Session data for all mappings
no registration for currently in AD Agent 's cache Clients
notifications that want to receive snapshots the
device requested.
The client has not requested to
register for replication with AD
Agent .

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J B- 3
 Table B-1 付録 カスタマー
ADBAgent ログ メッセージ
Logs Message (continued)

Message
sage
code logging
level message class message te
12870 INFO IBF_RADIUS_SERVER Detected
without ch
state

12871 INFO IBF_RADIUS_SERVER Detected d

Request

12872 WARN IBF_RADIUS_SERVER Approachi

max regist

12873 ERROR IBF_RADIUS_SERVER Dropped re

capacity lim

12884 INFO IBF_RADIUS_SERVER Sent RAD

with Notif

11223 INFO Dynamic-Authorization Received

11224 INFO Dynamic-Authorization Received

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
B- OL-25134-01-J
4
 付録 B カスタマー ログ メッセージ

CoA-Based traffic
Table B-1 AD Agent Logs Message (continued)

メッ
セージ ロギング
メッセージ テキスト 説明
co
de level message class session data Transfer snapshot
12878 INFO IBF_RADIUS_SERVER Stopping current transfer of Clients currently in progress Session
session data snapshot to device data Stopping snapshot
transfer.

12881 INFO IBF_RADIUS_SERVER Started transfer of session data client Session data to device A new
snapshot snapshot transfer has started.
(Note) This log item is
Used only for snapshot
transfers using RADIUS
packets. The first packet is
Marked with #12881 .
The last packet is #12883
will be marked. All packets
during this time will be
marked with #12882 .

12882 INFO IBF_RADIUS_SERVER Continued transfer of session Clients currently in progress Session
data snapshot to device data The snapshot transfer
continues.
(Note) This log item is for three or
more
Only large snapshot transfers
using RADIUS packets
used for. 1st pa
The packet is marked #12881
and the last packet is
Marked with #12883 .
All packets during this time
are
Marked with #12882 .
12883 INFO IBF_RADIUS_SERVER Finished transfer of session client Session data to device Snapshot
data snapshot transfer completed successfully.
that fit into one RADIUS packet are
marked with this log entry only
However, #12881 or #12882 log entries
are not marked.

On-Demand queries tected On-

12864 Demand
Entity-Request
INFOIBF_RADIUS_SERVERDe from PEP

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J B- 5
 Table B-1 付録 カスタマー
ADBAgent ログ メッセージ
Logs Message (continued)

client A device requested to without

receive a mapping for a subsequent
specific IP address (with or notification
requests).

Message
sage
code logging
level message class message t
12866 INFO IBF_RADIUS_SERVER Could no
Identity C

キープアライブ要求
12885 INFO IBF_RADIUS_SERVER Detected Kee
from PEP
ドメインステータスクエリー
12890 INFO IBF_RADIUS_SERVER Prepared Dom
Query-Respo

ドメインコントローラステータスのトラッキング
12892 INFO IBF_AD_MONITOR ActiveDirecto
controller stat

その他

12888 WARN IBF_RADIUS_SERVER Internal W

12889 ERROR IBF_RADIUS_SERVER Internal E

5200 NOTICE Passed-Attempt IBF reque

5400 NOTICE Failed-Attempt IBF reque

Generic Pass/Fail status

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
B- OL-25134-01-J
6
 付録 B カスタマー ログ メッセージ

(Each log like this entries indicate corresponding

entries with the same value for the associated
[IbfSessionID] attribute)
Table B-1 AD Agent Logs Message (continued)
Message
sage
code logging
level message class message text explanation
5405 NOTICE Failed-Attempt RADIUS Request dropped The AD Agent received a RADIUS
packet and silently dropped it due to
the reason indicated by the value of
the [FailureReason] attribute.
This [Failed-Attempt] log entry or
other similar (generic)
[Failed-Attempt] log entry's
[FailureReason] are shown in the next
subsection of this table.

5413 NOTICE Failed-Attempt RADIUS AD Agent is RADIUS

Accounting-Request dropped We received an Accounting-Request
packet and silently dropped it due to
the reason indicated by the value of
the [FailureReason] attribute.
This [Failed-Attempt] log entry or
other similar (generic)
[Failed-Attempt] log entry's
[FailureReason] are shown in the next
subsection of this table.

[Failure Reason] message

( [Failed-Attempt] log [FailureReason] codes listed
in entries but not in this subsection of this
table should be treated as AD Agent internal
errors)
11007 DEBUG RADIUS Could not locate Network RADIUS packet was received from an
Device or AAA Client IP address that is not associated with
any currently configured client
device . Make sure this device is
configured using ' adacfg client create
'.

11011 WARN RADIUS RADIUS listener failed One or more UDP ports used to receive
RADIUS requests could not be opened.
Ensure that no other processes are
using ports 1812 , 1813 , 1645 , or
1646 on the AD Agent machine.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J B- 7
 Table B-1 付録 カスタマー
ADBAgent ログ メッセージ
Logs Message (continued)

11012 ERROR RADIUS RADIUS

invalid he

11013 INFO RADIUS RADIUS

process

Message
sage
code logging
level message class message te
11014 ERROR RADIUS RADIUS
invalid att

11021 ERROR RADIUS RADIUS

password.
necessary

11029 WARN RADIUS Unsupport

type

11030 WARN RADIUS Pre-parsin

packet fail

11031 WARN RADIUS RADIUS

valid Requ

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
B- OL-25134-01-J
8
 付録 B カスタマー ログ メッセージ

11036 ERROR RADIUS The Message-Authenticator RADIUS packet was received that
RADIUS attribute is invalid. contained an invalid [Message-
Authenticator] attribute. client to the
device
AD Agent , configured properly, and
functioning properly. Same for both
client device and AD Agent
the RADIUS shared secret is
configured properly.

11037 ERROR RADIUS Dropped accounting request A RADIUS Accounting-Request packet

received via unsupported port. was received on an unsupported UDP
port number. client Deva
that your device is compatible with
AD Agent , properly configured, and
functioning properly.
Table B-1 AD Agent Logs Message (continued)
Message
sage
code logging
level message class message text explanation
11038 ERROR RADIUS RADIUS packet invalid in header
Accounting-Request header A RADIUS Accounting-Request packet
contains invalid was received that included an
Authenticator field. [Authenticator] field. Make sure your
client devices are compatible with
AD Agent , configured properly, and
functioning properly.
client Ensure that the same RADIUS
shared secret is properly configured
on both the device and AD Agent .

11039 INFO RADIUS RADIUS authentication An internal log related error was
request rejected due to critical detected.
This may be caused by not having
logging error enough free disk space.
11040 INFO RADIUS RADIUS accounting request An internal log related error was
dropped due to critical logging detected.
This may be caused by not having
error. enough free disk space.
11050 WARN RADIUS RADIUS request dropped due An internal log related error was
to system overload detected.
This may be caused by not having
enough free disk space.
11052 ERROR RADIUS Authentication request A RADIUS request packet was
dropped due to unsupported received on an unsupported UDP port
port number number. client Make sure your device
is compatible with AD Agent ,
configured properly, and functioning
properly.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J B- 9
 Table B-1 付録 カスタマー
ADBAgent ログ メッセージ
Logs Message (continued)

11053 WARN RADIUS Invalid at

radius pac
attributes
limit

11103 ERROR RADIUS-Client RADIUS-

error durin

Message
sage
code logging
level message class message te
11213 WARN Dynamic-Authorization No respon
Network A
communic
notificatio

11214 WARN Dynamic-Authorization An invalid

from Netw
lost comm
notificatio

32006 WARN Logging Could not

32016 FATAL Logging System re

space limi

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
B- OL-25134-01-J
10
 APPENDIX C
Windows application event log

This appendix describes how AD Agent software (customer log (in addition to the message)
Windows application event Indicates a summary of events to log.
• AD Agent itself (actually an internal "watchdog" function) was started or stopped as the AD Agent software was
installed, uninstalled, and the AD Agent machine rebooted.
• AD Agent 's internal " AD Observer " and " RADIUS Server" components are adactrl Started or stopped manually using
commands.
• AD Agent 's internal AD Observer and RADIUS Server components automatically stop or restart after the AD Agent
software's watchdog feature detects a crash or critical error in one or more of these processes. It was done.
To see these events on Windows , use the " Event Viewer " tool located at:
Event Viewer (Local) > Applications and Services Log > Cisco AD Agent All these events have the following attributes and
values:
• Source : Cisco AD Agent
• Level : Information
• Task Category : None

Cisco Active Directory Agent /1.0 Installation

Setup Guide,
OL-25134-01-J C-1 Release
 Appendix C Windows Applications event log

Table C-1 lists the event ID , message, and message for these events. Indicates text, description.

Table C-1 Windows Applications event log

event
ID message text explanation
Ten Watchdog Service Was Started AD Agent internal watchdog Service has started.
This message typically appears immediately after installing AD Agent
or
Appears after rebooting the Agent machine.

11 Watchdog Service Was Shutdown AD Agent internal watchdog Service has stopped.
This message typically appears when uninstalling AD Agent . It may
also appear if you manually stop or restart Cisco AD Agent in the
Windows Services panel.
20 C:\\IBF\\watchdog\\radiusServer.bat AD Agent 's RADIUS Server subcomponent ( adactrl Either started
Was Started manually (using a command) or restarted automatically (after a
crash or failure).

20 C:\\IBF\\watchdog\\adObserver.bat " AD Observer " subcomponent of AD Agent ( adactrl command) or

Was Started restarted automatically (after a crash or failure).

twenty C:\\IBF\\watchdog\\radiusServer.bat RADIUS Server subcomponent of AD Agent crashed or stopped after

one Was Shutdown detecting a failure.

twenty C:\\IBF\\watchdog\\adObserver.bat " AD Observer " subcomponent of AD Agent crashed or stopped after
one Was Shutdown detecting a failure.

twenty rt_daemon.exe Was Shutdown AD Agent 's RADIUS Server subcomponent ( adactrl was stopped
one manually (using the command).

twenty ADObserver.exe Was Shutdown " AD Observer " subcomponent of AD Agent ( adactrl was stopped
one manually (using the command).

twenty C:\\IBF\\watchdog\\radiusServer.bat " RADIUS Server" subcomponent of AD Agent failed to start

two Failed to start properly.

twenty C:\\IBF\\watchdog\\adObserver.bat " AD Observer " subcomponent of AD Agent failed to start

two Failed to start properly.
Cisco Active Directory Agent /1.0
C- OL-25134-01-J
2
Installation Setup Guide, Release
 APPENDIX D
Troubleshooting Active Directory Agent
issues

This appendix contains information to help you identify and resolve problems that you may encounter
while using AD Agent . This appendix is organized as follows:
• “Obtaining troubleshooting information” ( PD-1 )
• " Internal Debugging in AD Agent "Enabling Logs" ( PD-2 )
• "Configuration issues" ( PD-4 )

Obtain troubleshooting information

Troubleshooting information is generated by AD Agent for authorized customers. It can be obtained
from the log. These logs are located in the AD Agent machine directory
C:\IBF\radiusServer\runtime\logs\localStore It is located in
Additionally, AD Agent customers You can also send logs to a Syslog server. For information about
configuring a syslog server to receive these logs , see Configuring AD Agent to Send Logs to a
Syslog Server , page 2-9 .
adacfg options set -logLevel Both localStore and Syslog customers using the command You can control the
level of detail in your logs.
Related customers log For a list of messages, see Appendix B, “Customer log See Message .
By default, log The level is set to INFO and only informational messages are reported. If you are
troubleshooting a specific issue, check this log for additional information. You can change the
level. log Valid options for levels are listed in order of decreasing detail.
• DEBUG
• INFO
• WARN
• ERROR
• FATAL
For more information about this command, see adacfg options set ( PA-11 ) .

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J D- 1
 付録 D の問題のトラブルシューティング
Active Directory Agent

Customers as a helpful source of troubleshooting information. Windows applications in addition to

logs event There is a log. This log can be accessed using the Windows Event Viewer tool ( [Event
Viewer (Local)] >
Applications and Services Log > Cisco AD Agent) . This tool is an AD
Internal debugging in AD Agent Enabling logging

Records start and stop events for the Agent software, internal processes ' AD Observer ' and '
RADIUS Server'. For more information, see Appendix C , Windows Applications event Please refer to
"Log" .
Internal debugging on the AD Agent machine when reporting a problem Whether to enable logging and
the customer You will be asked if you want to send these logs along with your logs. These logs are
useful when diagnosing and resolving issues. These internal debugs To enable logging, see Internal
Debugging in AD Agent See " Enabling Logs" ( PD-2 ) .

Internal debugging in AD Agent Enabling logging

Two types of internal debugs for advanced troubleshooting: You can enable logging.
• " AD Observer Log" ( PD-2 )
• " RADIUS server Log” ( PD-3 )

AD Observer log
C :\IBF\adObserver\logconfig.ini file contains internal debugging information for the AD Observer
subcomponent. log level is specified. By default LOG_LEVEL is set to LOG_NONE .
This configuration allows internal debugging of the AD Observer subcomponent. No logs are
generated.
LOG_LEVEL can have one of the following values:
• LOG_VERBOSE : Most detailed log.
• LOG_DEBUG : Contains troubleshooting and debugging information.
• LOG_INFO : Contains informational messages.
• LOG_WARN : Contains warning messages.
• LOG_ERROR : Error Contains message.
• LOG_FATAL : Critical error Contains only messages.
log The levels range from LOG_VERBOSE (most informative) to LOG_FATAL (least informative),
with decreasing levels in this order. We recommend selecting LOG_DEBUG for troubleshooting
information .
AD Observer internal debugging To enable logging, follow these steps:

step 1 On the AD Agent machine C:\IBF \ adObserver Navigate to the directory.

Step 2 Any text such as [Notepad] in editor logconfig.ini Open the file.
Step 3 This configuration Change the last sentence of the file as follows:
LOG_LEVEL=LOG_VERBOSE

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
D- OL-25134-01-J
2
 付録 D Active Directory Agent の問題のトラブルシューティング

Step 4 logconfig.ini Save the file.

Step 5 adactrl restart to reflect this change Restart AD Agent using the command :
Now you can do AD Observer internal debugging Logging has been enabled. AD Agent creates the
ADObserverLog.txt file. C:\IBF\adObserver generated in the directory.

Internal debugging in AD Agent Enabling logging

Note Internal debugging of AD Observer subcomponent The mechanism's " LOG_LEVEL " setting is set using
adacfg options set It has nothing to do with the command's -logLevel configuration option.

RADIUS server log

RADIUS server runtime debugging log configuration In the file, various RADIUS servers Internal
debugging of subcomponents You can enable or disable logging. The location of this file is C:\IBF \
radiusServer\runtime\win32\config\RuntimeDebugLog.config is. By default, debug on all
subcomponents Logging is disabled.
This configuration In the file, debug RADIUS server that allows you to turn logging off or on
Subcomponents are listed in sentences of the form:
#components.[Acs.RT.] variable =off
variable can be one of the following subcomponents:
• ConfigVersionManager
• ConfigManager.XmlManager
• Statistics
• ConfigManager
• Logging
• Dictionary
• MessageCatalog.CatalogRepository
• Crypto.CRLHttpWorker
• EventHandler
• EventHandler.EventDispatchTable
RADIUS server Internal debugging of subcomponents To enable logging, follow these steps:

step 1 On the AD Agent machine C:\IBF \ radiusServer\runtime\win32\config Go to.

Step 2 any text in an editor ( such as WordPad ) RuntimeDebugLog.config Open the file.
Step 3 This configuration debug in file RADIUS server to enable logging Word at the end of a line
that lists subcomponents off of on Replace it with
debug For all subcomponents that enable logging, the word off of on Replace it with

（注） この値では大文字と小文字が区別されます。単語 off と on には小文字を使用してください。

Step 4 RuntimeDebugLog.config Save the file.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J D- 3
 付録 D の問題のトラブルシューティング
Active Directory Agent

RADIUS server by AD Agent configuration File changes are automatically detected and detected on
the RADIUS server debug Logging will be enabled. These logs are located at:
C:\IBF \ radiusServer\runtime\logs\radiusServer_debug.log

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
D- OL-25134-01-J
4
 付録 D Active Directory Agent の問題のトラブルシューティング
設定の問題

Configuration issues
This section describes common configuration issues. This section describes the following items:
• "client "Requests from the device are ignored" ( PD-4 )
• The adacfg client status command "Device reports ' Out-of-Sync ' for unknown reason" ( PD-5 )
• " IP-to-user-identity mappings are cleared from AD Agent cache after a short period of time" ( PD-5 )
• User authenticated by a specific DC machine "Logons are not detected (and processed) by AD
Agent " ( PD-6 )
• " When you run the adacfg dc list command, the domain controller Indicates that the machine has not
reached the ' up ' state" ( PD-7 )
• " AD Agent doesn't work at all" ( PD-8 )
• "The ' adacfg dc list ' command displays the domain controller Indicates that the machine has
reached the ' down(no-retry) ' state" ( PD-8 )
• " Logons fail when you reboot the AD Agent machine" ( PD-9 )

client Requests from device are ignored

client Requests from the device may not be reaching the AD Agent machine
Symptom or problem or may be being ignored.

1. Client to communicate with AD Agent Your device may not be configured

properly.
2. RADIUS traffic may be blocked by Windows Firewall.
Possible cause
3. On the AD Agent machine adacfg client create The RADIUS shared secret
entered when configuring the client device using the command is
incorrect.

1. client Verify that your device is properly configured to communicate

with the AD Agent machine.
2. Windows Firewall or similar firewall If the software is running,
ensure that the necessary firewall exceptions are configured as
described in Connectivity Requirements, page 2-2 .
solution 3. customer Check the logs ( localStore or Syslog ) and check for disabled
[RADIUS]
Check to see if any log messages are logged that indicate the
Authenticator field or the Message-Authenticator attribute. If such a
message is detected, the client Ensure that both the device and AD
Agent are properly configured to use the same RADIUS shared secret.
The adacfg client status command The device is reported as " Out-of-Sync "
IP-to-user-identity mappings are cleared from the AD Agent cache after a short
Symptom or problem
period of time.
adacfg options set The period corresponding to the current setting of the
Possible cause
command's ' userLogonTTL ' configuration option is too short.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J D- 5
 付録 D の問題のトラブルシューティング
Active Directory Agent
設定の問題

A user Please set a longer logon TTL period. For more information,
solution
See adacfg options set ( PA-11 ) .
However, the cause is unknown.

the AD Agent machine sends the notification update to the client device
Symptom or problem via RADIUS CoA-Request , the client No CoA-ACK received from device .

1. client It is possible that the device is currently down or not properly

configured and did not send the RADIUS CoA-ACK .
2. RADIUS traffic may be blocked by Windows Firewall.
Possible cause 3. client It is possible that the device sends a CoA-ACK , but the AD Agent
machine is dropping this request because the RADIUS shared secret is
incorrect .

1. client Verify that the device is currently up and properly configured to

communicate with the AD Agent machine.
2. Windows Firewall or similar firewall If the software is running,
ensure that the necessary firewall exceptions are configured as
described in Connectivity Requirements, page 2-2 .
solution 3. customer Check the logs ( localStore or Syslog ) and check for disabled
[RADIUS]
Check to see if any log messages are logged that indicate the
Authenticator field or the Message-Authenticator attribute. If such a
message is detected, the client Ensure that both the device and AD
Agent are properly configured to use the same RADIUS shared secret.
IP-to-user-identity mappings are cleared from AD Agent cache after a short period of time
User authenticated by specific DC machine Logons are not detected (and processed) by AD Agent

User authenticated by specific DC machine Logon detected by AD Agent

Symptom or problem (and not processed).

1. Your particular DC machine may not have been properly patched. This
causes authentication events to become security It may not be written
to the log.
2. that DC machine may not be set properly.
3. AD Agent detected a mapping update, but (customer It may have dropped
Possible cause this update for some reason (logged). One possible cause is that the
mapping update contains a timestamp in the future. This means that the
DC machine's clock is AD
Occurs when the Agent machine's clock is more than 10 minutes ahead.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
D- OL-25134-01-J
6
 付録 D Active Directory Agent の問題のトラブルシューティング
設定の問題

1. specific DC machines are properly patched.

2. a particular DC machine is set correctly.
3. Using the AD Agent machine's localStore repository (or Syslog ),
the AD Agent machine receives the corresponding mapping updates and
does not drop them for any reason.
solution
AD Agent machine drops mapping updates for any reason, ensure that
this issue is corrected. For example, if the mapping update contains a
"future timestamp", ensure that the DC machine's clock and the AD
Agent machine's clock are properly synchronized.

When you run the adacfg dc list command, the domain controller Indicates that the machine has not reached
the ' up ' state

adacfg dc list When you run the command, the domain controller It shows that
Symptom or problem
the machine is not in the " up " state.
1. domain controller version supported by your machine.
Windows Server may not be running.
2. domain The controller may not have been properly patched.
3. Windows Firewall or similar firewall software
The domain controller WMI traffic between your machine and the AD
Agent machine may be blocked.
4. AD Agent machine is not joined to an AD domain or Conte
Possible cause roller There may not be a proper trust relationship set up between the
machine's AD domain and the AD domain that the AD Agent machine joins
.
5. The values entered in the adacfg dc create command may be incorrect.
In particular, the full DNS name of the domain is not entered or the
account Incorrect credentials or domain controller The account may not
have sufficient privileges to read the machine's security log.

solution 1. domain controller Ensure that the version of Windows Server running on
your machine is a supported version and that Windows Server is
properly patched.
2. Windows Firewall or similar firewall If the software is running,
ensure that the required WMI exceptions are properly configured.
3. domain controller Ensure that the AD Agent machine is joined to an
AD domain that has the appropriate trust relationship configured with
the machine's AD domain.
4. Verify that the values you entered in the adacfg dc create command are
correct. Specifically, you are specifying the full DNS name of the
domain, and the domain controller machine security Ensure that you
specify credentials for an account that has sufficient privileges to
read the logs.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J D- 7
 付録 D の問題のトラブルシューティング
Active Directory Agent
設定の問題

5. AD Observer subcomponents if needed Enable logging and check if it

contains the following:
– The RPC server is unavailable (0x800706ba) : If this message is
included, the domain controller Your machine may be down, or you
may be using a firewall without the required exceptions, blocking
communication.
– Access is Denied (0x80070005) : Contains this message if the
specified account has access to controller machine security You may
not have sufficient privileges to read the logs or your credentials
may be incorrect.

AD Agent not working at all

AD Agent does not work at all and when I enter various CLI commands I
Symptom or problem get an error The message " Couldn't connect to server! " is always
displayed.
some antivirus software The program has found that cygwin1.dll is blocked as
a virtualization-related threat. However, this report should be treated as a
Possible cause
false positive. AD Agent does not contain malware.

1. After running the AD Agent installer executable, install the antivirus Check
the software logs and find C:\IBF\radiusServer\cygwin\bin\cygwin1.dll
(or any other item in the C:\IBF folder) is blocked as a potential
solution threat.
2. such an AD Agent subcomponent is blocked, your antivirus should
explicitly allow the subcomponent to run without blocking it.
Configure the software.
When you run the “ adacfg dc list ” command, the domain controller Indicates that the machine has reached
the " down(no-retry) " state

adacfg dc list When you run the command, the domain controller The machine
Symptom or problem
Indicates that the " down(no-retry) " state has been reached.
domain controller This happens because the machine is not properly
Possible cause patched.
domain controller The WMI service on your machine may be unresponsive.

1. domain controller Verify that your machine is properly patched.

2. domain controller Please restart the WMI service on your machine .
3. AD Agent to retry the connection, do one of the following:
solution
– domain Remove the controller configuration, then adacfg dc create
Recreate it using the command:
– adactrl restart Restart AD Agent using the command :

Logon fails after rebooting AD Agent machine

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
D- OL-25134-01-J
8
 付録 D Active Directory Agent の問題のトラブルシューティング
設定の問題

AD Agent results in the following error:

Symptom or problem Windows could not start the Cisco AD Agent service on Local Computer.
ERROR 1069: The service did not start due to a logon failure

AD Agent has multiple domains (of the same AD domain) controller It may
be installed directly on your machine.
In this case, a dialog box appears with the following message during AD
Agent installation:
Possible cause 'IBF_SERVICE_USER' account already exists. OK to recreate? (Pressing
'No' will abort the installation.)

WARNING: Make sure you are NOT attempting to install AD Agent

directly on more than one DC machine (for the same AD domain)!
This problem occurs because you selected Yes .

1. non-local created in domain Manually set a known value as the password

for the account ' IBF_SERVICE_USER '.

solution 2. AD Agent is installed controller On the machine, select Cisco AD in the

Services panel to use the new password.
``Agent '' item and then restart this service or controller Reboot your
machine.

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
OL-25134-01-J D- 9
 付録 D の問題のトラブルシューティング
Active Directory Agent
設定の問題

Cisco Active Directory Agent /1.0

Installation Setup Guide, Release
D- OL-25134-01-J
10