Cisco ACS 4.0 and Active Directory

Posted on 2006-05-10
Medium Priority
Last Modified: 2013-12-04
I've got a domain testsetup, consisting of a domain controller (Win2003 Enterprise SP1), AAA-server (Cisco ACS 4.0 on Win2003 Enterprise SP1), accesspoint (D-link), Certification Authority and a wireless client. Cisco ACS and CA are on the same machine. My intension is quite obvious: To get the wireless client to connect to AP, authenticate against Cisco ACS using external database (Windows Database). I've used the following guide to configure the systems:


and I've also checked out some of the chapters in "User Guide for Cisco Secure ACS for Windows 4.0":


My Problem:
The wireless client connects to ACS server through AP, but cannot get authenticated. In Reports and Activity - Failed Attempts I see "Authen failed" with Authen-Failure-Code "External user not found" each time the wireless user tries to connect. I do not have any users in Ciscos internal database since I want to use the users from Active Directory. It appears that Cisco ACS can't find any users in Windows Database or that I've missed some steps that tell the ACS-server what users are supposed to get authenticated.

What do I have to do to get the wireless client authenticated through Cisco ACS 4.0 using Active Directory user accounts and credentials?

Feel free to ask for additional details about my configuration, but it seems that my problem is rather limited.

Thx in advance
Question by:JoyIdd
LVL 12

Expert Comment

ID: 16652688
Do you have IAS running on your AD DCs?

ACS (radius) can talk to IAS (radius).

Also ACS should be able to talk LDAP natively with a DC, but I have not gone this route. We use radius to radius communication to get our WLAN switches talking to AD.

Author Comment

ID: 16655884
No, Im not keen on running additional AAA server. Somehow I should tell Cisco ACS to use Active Directory accounts, maybe the wireless group should have some special permissions...


Expert Comment

ID: 16658951
Is your ACS server part of your A/D domain? You will need credentials for this to work.

This document might help (even if it is for ACS 3.2) it did help when I set it up!

Remote agent for authentication:

It was tricky setting this up, but once walking through the link above we were able to get it to work.
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.


Author Comment

ID: 16665371
I followed "User Database" section for Cisco ACS 4.0 already, when it comes to second link, Cisco ACS 4.0 doesn´t seem to support remote agent: "You must use Cisco Secure ACS Remote Agent for Windows, version 3.2, with Cisco Secure ACS Appliance, version 3.2. Other versions of Cisco Secure ACS Appliance are not supported."

I think Ill try to follow "User Database" guide one more time...


Author Comment

ID: 16669581
Alright, here is the solution:

Basicly, the origin of my problem was bad certificate distribution. First of all - the wrong certificates was pushed out to the users. It should be any certificate with "Client Authentication" EKU, such as "User" or "Workstation Authentication". Second of all - the user certificate gets compared to corresponding user account by Cisco ACS. There is 3 ways to do it (2 in Cisco ACS 4.0). The method we currently use is "Certificate CN comparison", which requires the certificate CN to be the same as the name of the Active Directory user account. That is: "User1" account should have certificate CN "User1". The preferred method of comparison is chosen in "System Configuration" - "Global Authentication Setup" - "EAP-TLS Configuration" in Cisco ACS. You can read more about it here:

I hope this solution will get just as popular as "What do i need to open *.BIN files?" topic =)

Thank you all for answering!

Accepted Solution

GranMod earned 0 total points
ID: 16688726
Closed, 500 points refunded.
The Experts Exchange
Community Support Moderator of all Ages

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Loops Section Overview
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question