Solved

Cisco Secure ACS 4.2 Radius and Active Directory - Problem with getting ACS to use AD as an external Database

Posted on 2008-10-16
7
11,599 Views
Last Modified: 2012-05-05
I am setting up a Cisco Secure ACS 4.2 server to act as a radius server for EAP (LEAP and PEAP) authentication on Aironet 1230 Access points.  I am using Windows 2003 server for the ACS, and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.  

I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO' on the domain etc).

I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.  

If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log, and the wireless user is authenticated to the WLAN.  However, I don;t want to sue the internal database - I want to use AD to authenticate users.  If I use an AD username and password, the user doesn't get authenticated, and i get 'Internal error' in the Failed attempts log.  

If I check the Radius Log on ACS, I get the line :-

RDS 10/16/2008 11:04:04 E 2996 5556 0x0 Error UDB_NT_UNKNOWN_ERR authenticating (username here) - no response sent to NAS

I've scoured google etc, and just cannot come up with any reason why this should be happening.  I've followed all the install guides to the letter.  I need to get this up and running as soon as possible, so am looking forward to finding out if anyone can help me with this one!

Thanks,
0
Comment
Question by:Axemanbob
  • 3
  • 3
7 Comments
 
LVL 26

Expert Comment

by:lnkevin
ID: 22731319
ACS has some restriction on using AD. ACS has these limits on group mapping for users who are authenticated by a Windows user database:
- ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
- ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user.

Here is some instruction on ACS shows you how to integrate ACS with AD:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#windows
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#c1


K
0
 

Author Comment

by:Axemanbob
ID: 22731868
Thanks for the Info Kevin, but unfotunately, it does not apply in this case.

I've already set up the ACS AD integration and group mappings.  The users all have less than 500 Windows groups assigned to them (we dont even have 500 Windows groups!).  Also, we are only talkign about one domain (of which the user and ACS and AD are all part of), so the second point does not apply either.

The examples you gave me for setup are just the basic setup, which I have already done.  I think the problem is much deeper than this.

Any more suggestions?
Thanks!
0
 
LVL 26

Expert Comment

by:lnkevin
ID: 22732588
Thanks for the clarification.
In our environment, we only export the AD users and groups then we import it to ACS. After the import, we can map the users and groups with AD to keep them synchronized. So I think ACS only works or works better with its own database. There are a few ways to install ACS depends on where your ACS server is. You can install it on a stand alone server (my case), or install it on domain controller or a server in your domain. My understand is if you want to use AD, your server has to be in the domain.

I found an interesting article that you may be interested:
http://www.ciscopress.com/articles/article.asp?p=474238&seqNum=3

K
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 

Author Comment

by:Axemanbob
ID: 22735152
Yes - our server is in the domain.  We actually already use another ACS server on another domain in this way, which is what's so frustrating!  This has been working well for about 4 years now, so I know it works fine with an external database.  The users get dynamically mapped to ACS groups according to their AD groups when they log in.

We already use the other ACS server to authenticate users in AD for EAP-FAST.   Basically, I'm trying to duplicate this setup on the second domain, and that's where I seem to be having problems...!


0
 

Accepted Solution

by:
Axemanbob earned 0 total points
ID: 22739039
I've sorted it!  Turns out that ACS seems to be incompatible with x64 version of Server 2003.  This is our default build, so I just installed on top.  This morning, I rebuilt with x86 version, resinstalled ACS and imported the config - authentication flew through with no issues!

Cheers for the suggestions, but it seems that the answer is Cisco Secure ACS is not compatible with 64-bit Windows...

Cheers.
0
 
LVL 26

Expert Comment

by:lnkevin
ID: 22740091
Good to know that. Thanks,
0
 
LVL 1

Expert Comment

by:ccsenet
ID: 34769527
We just resolved almost a similar problem.

Our ACS server is running;
1. TACACS service for Cisco devices authentication using local accounts
2. RADIUS service for HP devices authentication using local accounts
3. RADIUS service for WLAN users authentication (which is integrated with AD)

We noticed that the loacal account authentications were going pretty fine however WLAN users were not able to authenticate and the Authentication Failure Code was Internal Error.

This was due to the fact that we accidently added (joined) a system with the same name and IP address as that of production in our domain which conflicted with the existing SSID. Of course this was done when the production was offline but still the AD had the production's information.

After finding that out, we removed the new system from the network, disjoined the production from domain, deleted the entry of production from domain and rejoined the production back to domain. Things are working again.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now