Cisco ACS 4.0 and Active Directory

Posted on 2006-05-10
Last Modified: 2013-12-04
I've got a domain test setup, consisting of a domain controller (Win2003 Enterprise SP1), AAA-server (Cisco ACS 4.0 on Win2003 Enterprise SP1), access point (D-Link), Certification Authority and a wireless client. Cisco ACS and CA are on the same machine. My intention is quite obvious: to get the wireless client to connect to the AP and authenticate against Cisco ACS using an external database (Windows Database). I've used the following guide to configure the systems:

and I've also checked out some of the chapters in "User Guide for Cisco Secure ACS for Windows 4.0":

My Problem:
The wireless client connects to the ACS server through the AP, but cannot get authenticated. In Reports and Activity - Failed Attempts I see "Authen failed" with Authen-Failure-Code "External user not found" each time the wireless user tries to connect. I do not have any users in Cisco's internal database since I want to use the users from Active Directory. It appears that Cisco ACS can't find any users in the Windows Database, or that I've missed some steps that tell the ACS server which users are supposed to get authenticated.

What do I have to do to get the wireless client authenticated through Cisco ACS 4.0 using Active Directory user accounts and credentials?

Feel free to ask for additional details about my configuration, but it seems that my problem is rather limited.

Thx in advance
Question by:JoyIdd
    LVL 12

    Expert Comment

    Do you have IAS running on your AD DCs?

    ACS (radius) can talk to IAS (radius).

    Also ACS should be able to talk LDAP natively with a DC, but I have not gone this route. We use radius to radius communication to get our WLAN switches talking to AD.
    LVL 1

    Author Comment

    No, I'm not keen on running an additional AAA server. Somehow I should tell Cisco ACS to use Active Directory accounts; maybe the wireless group should have some special permissions...

    LVL 4

    Expert Comment

    Is your ACS server part of your A/D domain? You will need credentials for this to work.

    This document might help (even if it is for ACS 3.2) it did help when I set it up!

    Remote agent for authentication:

    It was tricky setting this up, but once walking through the link above we were able to get it to work.
    LVL 1

    Author Comment

    I followed the "User Database" section for Cisco ACS 4.0 already. When it comes to the second link, Cisco ACS 4.0 doesn't seem to support the remote agent: "You must use Cisco Secure ACS Remote Agent for Windows, version 3.2, with Cisco Secure ACS Appliance, version 3.2. Other versions of Cisco Secure ACS Appliance are not supported."

    I think I'll try to follow the "User Database" guide one more time...

    LVL 1

    Author Comment

    Alright, here is the solution:

    Basically, the origin of my problem was bad certificate distribution. First of all - the wrong certificates were pushed out to the users. It should be any certificate with the "Client Authentication" EKU, such as "User" or "Workstation Authentication". Second of all - the user certificate gets compared to the corresponding user account by Cisco ACS. There are 3 ways to do it (2 in Cisco ACS 4.0). The method we currently use is "Certificate CN comparison", which requires the certificate CN to be the same as the name of the Active Directory user account. That is: the "User1" account should have certificate CN "User1". The preferred method of comparison is chosen in "System Configuration" - "Global Authentication Setup" - "EAP-TLS Configuration" in Cisco ACS. You can read more about it here:

    I hope this solution will get just as popular as the "What do I need to open *.BIN files?" topic =)

    Thank you all for answering!
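As an added example (not from the thread, Cisco or Microsoft), the following Go program models the check the accepted solution describes: under "Certificate CN comparison" a user certificate only maps to an AD account if it carries the Client Authentication EKU and its Subject CN equals the account name. The certificates are constructed in memory as test data; `CheckCNComparison` and `MakeTestCert` are names chosen here, not ACS API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCNComparison models the two conditions from the solution above: the user certificate
// must carry the Client Authentication EKU and its Subject CN must equal the AD account name.
// A nil result means the certificate passes this check; the error says why the mapping fails.
func CheckCNComparison(cert *x509.Certificate, account string) error {
	hasClientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		hasClientAuth = hasClientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !hasClientAuth {
		return fmt.Errorf("certificate lacks the Client Authentication EKU")
	}
	if cert.Subject.CommonName != account {
		return fmt.Errorf("certificate CN %q does not match account %q", cert.Subject.CommonName, account)
	}
	return nil
}

// MakeTestCert builds a self-signed certificate with the given CN and extended key usages:
// constructed test data standing in for a certificate issued by the lab CA.
func MakeTestCert(cn string, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(CheckCNComparison(MakeTestCert("User1", x509.ExtKeyUsageClientAuth), "User1"))
	fmt.Println(CheckCNComparison(MakeTestCert("User1", x509.ExtKeyUsageServerAuth), "User1")) // wrong template
}
```

The second call reproduces the failure mode from the thread: a certificate issued from a template without the Client Authentication EKU is rejected before the CN is ever compared.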

    Accepted Solution

    Closed, 500 points refunded.
    The Experts Exchange
    Community Support Moderator of all Ages
