Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Cisco Secure ACS 4.2 Radius and Active Directory - Problem with getting ACS to use AD as an external Database

Posted on 2008-10-16
Medium Priority
Last Modified: 2012-05-05
I am setting up a Cisco Secure ACS 4.2 server to act as a radius server for EAP (LEAP and PEAP) authentication on Aironet 1230 Access points.  I am using Windows 2003 server for the ACS, and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.  

I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO' on the domain etc).

I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.  

If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log, and the wireless user is authenticated to the WLAN.  However, I don;t want to sue the internal database - I want to use AD to authenticate users.  If I use an AD username and password, the user doesn't get authenticated, and i get 'Internal error' in the Failed attempts log.  

If I check the Radius Log on ACS, I get the line :-

RDS 10/16/2008 11:04:04 E 2996 5556 0x0 Error UDB_NT_UNKNOWN_ERR authenticating (username here) - no response sent to NAS

I've scoured google etc, and just cannot come up with any reason why this should be happening.  I've followed all the install guides to the letter.  I need to get this up and running as soon as possible, so am looking forward to finding out if anyone can help me with this one!

Question by:Axemanbob
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 26

Expert Comment

ID: 22731319
ACS has some restriction on using AD. ACS has these limits on group mapping for users who are authenticated by a Windows user database:
- ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
- ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user.

Here is some instruction on ACS shows you how to integrate ACS with AD:


Author Comment

ID: 22731868
Thanks for the Info Kevin, but unfotunately, it does not apply in this case.

I've already set up the ACS AD integration and group mappings.  The users all have less than 500 Windows groups assigned to them (we dont even have 500 Windows groups!).  Also, we are only talkign about one domain (of which the user and ACS and AD are all part of), so the second point does not apply either.

The examples you gave me for setup are just the basic setup, which I have already done.  I think the problem is much deeper than this.

Any more suggestions?
LVL 26

Expert Comment

ID: 22732588
Thanks for the clarification.
In our environment, we only export the AD users and groups then we import it to ACS. After the import, we can map the users and groups with AD to keep them synchronized. So I think ACS only works or works better with its own database. There are a few ways to install ACS depends on where your ACS server is. You can install it on a stand alone server (my case), or install it on domain controller or a server in your domain. My understand is if you want to use AD, your server has to be in the domain.

I found an interesting article that you may be interested:

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.


Author Comment

ID: 22735152
Yes - our server is in the domain.  We actually already use another ACS server on another domain in this way, which is what's so frustrating!  This has been working well for about 4 years now, so I know it works fine with an external database.  The users get dynamically mapped to ACS groups according to their AD groups when they log in.

We already use the other ACS server to authenticate users in AD for EAP-FAST.   Basically, I'm trying to duplicate this setup on the second domain, and that's where I seem to be having problems...!


Accepted Solution

Axemanbob earned 0 total points
ID: 22739039
I've sorted it!  Turns out that ACS seems to be incompatible with x64 version of Server 2003.  This is our default build, so I just installed on top.  This morning, I rebuilt with x86 version, resinstalled ACS and imported the config - authentication flew through with no issues!

Cheers for the suggestions, but it seems that the answer is Cisco Secure ACS is not compatible with 64-bit Windows...

LVL 26

Expert Comment

ID: 22740091
Good to know that. Thanks,

Expert Comment

ID: 34769527
We just resolved almost a similar problem.

Our ACS server is running;
1. TACACS service for Cisco devices authentication using local accounts
2. RADIUS service for HP devices authentication using local accounts
3. RADIUS service for WLAN users authentication (which is integrated with AD)

We noticed that the loacal account authentications were going pretty fine however WLAN users were not able to authenticate and the Authentication Failure Code was Internal Error.

This was due to the fact that we accidently added (joined) a system with the same name and IP address as that of production in our domain which conflicted with the existing SSID. Of course this was done when the production was offline but still the AD had the production's information.

After finding that out, we removed the new system from the network, disjoined the production from domain, deleted the entry of production from domain and rejoined the production back to domain. Things are working again.

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

596 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question