?
Solved

Cisco Secure ACS 4.2 Radius and Active Directory - Problem with getting ACS to use AD as an external Database

Posted on 2008-10-16
7
Medium Priority
?
11,906 Views
Last Modified: 2012-05-05
I am setting up a Cisco Secure ACS 4.2 server to act as a radius server for EAP (LEAP and PEAP) authentication on Aironet 1230 Access points.  I am using Windows 2003 server for the ACS, and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.  

I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO' on the domain etc).

I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.  

If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log, and the wireless user is authenticated to the WLAN.  However, I don;t want to sue the internal database - I want to use AD to authenticate users.  If I use an AD username and password, the user doesn't get authenticated, and i get 'Internal error' in the Failed attempts log.  

If I check the Radius Log on ACS, I get the line :-

RDS 10/16/2008 11:04:04 E 2996 5556 0x0 Error UDB_NT_UNKNOWN_ERR authenticating (username here) - no response sent to NAS

I've scoured google etc, and just cannot come up with any reason why this should be happening.  I've followed all the install guides to the letter.  I need to get this up and running as soon as possible, so am looking forward to finding out if anyone can help me with this one!

Thanks,
0
Comment
Question by:Axemanbob
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 26

Expert Comment

by:lnkevin
ID: 22731319
ACS has some restriction on using AD. ACS has these limits on group mapping for users who are authenticated by a Windows user database:
- ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
- ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user.

Here is some instruction on ACS shows you how to integrate ACS with AD:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#windows
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml#c1


K
0
 

Author Comment

by:Axemanbob
ID: 22731868
Thanks for the Info Kevin, but unfotunately, it does not apply in this case.

I've already set up the ACS AD integration and group mappings.  The users all have less than 500 Windows groups assigned to them (we dont even have 500 Windows groups!).  Also, we are only talkign about one domain (of which the user and ACS and AD are all part of), so the second point does not apply either.

The examples you gave me for setup are just the basic setup, which I have already done.  I think the problem is much deeper than this.

Any more suggestions?
Thanks!
0
 
LVL 26

Expert Comment

by:lnkevin
ID: 22732588
Thanks for the clarification.
In our environment, we only export the AD users and groups then we import it to ACS. After the import, we can map the users and groups with AD to keep them synchronized. So I think ACS only works or works better with its own database. There are a few ways to install ACS depends on where your ACS server is. You can install it on a stand alone server (my case), or install it on domain controller or a server in your domain. My understand is if you want to use AD, your server has to be in the domain.

I found an interesting article that you may be interested:
http://www.ciscopress.com/articles/article.asp?p=474238&seqNum=3

K
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:Axemanbob
ID: 22735152
Yes - our server is in the domain.  We actually already use another ACS server on another domain in this way, which is what's so frustrating!  This has been working well for about 4 years now, so I know it works fine with an external database.  The users get dynamically mapped to ACS groups according to their AD groups when they log in.

We already use the other ACS server to authenticate users in AD for EAP-FAST.   Basically, I'm trying to duplicate this setup on the second domain, and that's where I seem to be having problems...!


0
 

Accepted Solution

by:
Axemanbob earned 0 total points
ID: 22739039
I've sorted it!  Turns out that ACS seems to be incompatible with x64 version of Server 2003.  This is our default build, so I just installed on top.  This morning, I rebuilt with x86 version, resinstalled ACS and imported the config - authentication flew through with no issues!

Cheers for the suggestions, but it seems that the answer is Cisco Secure ACS is not compatible with 64-bit Windows...

Cheers.
0
 
LVL 26

Expert Comment

by:lnkevin
ID: 22740091
Good to know that. Thanks,
0
 
LVL 1

Expert Comment

by:ccsenet
ID: 34769527
We just resolved almost a similar problem.

Our ACS server is running;
1. TACACS service for Cisco devices authentication using local accounts
2. RADIUS service for HP devices authentication using local accounts
3. RADIUS service for WLAN users authentication (which is integrated with AD)

We noticed that the loacal account authentications were going pretty fine however WLAN users were not able to authenticate and the Authentication Failure Code was Internal Error.

This was due to the fact that we accidently added (joined) a system with the same name and IP address as that of production in our domain which conflicted with the existing SSID. Of course this was done when the production was offline but still the AD had the production's information.

After finding that out, we removed the new system from the network, disjoined the production from domain, deleted the entry of production from domain and rejoined the production back to domain. Things are working again.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month12 days, 19 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question