Cisco Secure ACS 4.2 Radius and Active Directory - Problem with getting ACS to use AD as an external Database

Posted on 2008-10-16
Last Modified: 2012-05-05
I am setting up a Cisco Secure ACS 4.2 server to act as a radius server for EAP (LEAP and PEAP) authentication on Aironet 1230 Access points.  I am using Windows 2003 server for the ACS, and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.  

I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO' on the domain etc).

I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.  

If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log, and the wireless user is authenticated to the WLAN.  However, I don;t want to sue the internal database - I want to use AD to authenticate users.  If I use an AD username and password, the user doesn't get authenticated, and i get 'Internal error' in the Failed attempts log.  

If I check the Radius Log on ACS, I get the line :-

RDS 10/16/2008 11:04:04 E 2996 5556 0x0 Error UDB_NT_UNKNOWN_ERR authenticating (username here) - no response sent to NAS

I've scoured google etc, and just cannot come up with any reason why this should be happening.  I've followed all the install guides to the letter.  I need to get this up and running as soon as possible, so am looking forward to finding out if anyone can help me with this one!

Question by:Axemanbob
  • 3
  • 3
LVL 26

Expert Comment

ID: 22731319
ACS has some restriction on using AD. ACS has these limits on group mapping for users who are authenticated by a Windows user database:
- ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
- ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user.

Here is some instruction on ACS shows you how to integrate ACS with AD:


Author Comment

ID: 22731868
Thanks for the Info Kevin, but unfotunately, it does not apply in this case.

I've already set up the ACS AD integration and group mappings.  The users all have less than 500 Windows groups assigned to them (we dont even have 500 Windows groups!).  Also, we are only talkign about one domain (of which the user and ACS and AD are all part of), so the second point does not apply either.

The examples you gave me for setup are just the basic setup, which I have already done.  I think the problem is much deeper than this.

Any more suggestions?
LVL 26

Expert Comment

ID: 22732588
Thanks for the clarification.
In our environment, we only export the AD users and groups then we import it to ACS. After the import, we can map the users and groups with AD to keep them synchronized. So I think ACS only works or works better with its own database. There are a few ways to install ACS depends on where your ACS server is. You can install it on a stand alone server (my case), or install it on domain controller or a server in your domain. My understand is if you want to use AD, your server has to be in the domain.

I found an interesting article that you may be interested:

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.


Author Comment

ID: 22735152
Yes - our server is in the domain.  We actually already use another ACS server on another domain in this way, which is what's so frustrating!  This has been working well for about 4 years now, so I know it works fine with an external database.  The users get dynamically mapped to ACS groups according to their AD groups when they log in.

We already use the other ACS server to authenticate users in AD for EAP-FAST.   Basically, I'm trying to duplicate this setup on the second domain, and that's where I seem to be having problems...!


Accepted Solution

Axemanbob earned 0 total points
ID: 22739039
I've sorted it!  Turns out that ACS seems to be incompatible with x64 version of Server 2003.  This is our default build, so I just installed on top.  This morning, I rebuilt with x86 version, resinstalled ACS and imported the config - authentication flew through with no issues!

Cheers for the suggestions, but it seems that the answer is Cisco Secure ACS is not compatible with 64-bit Windows...

LVL 26

Expert Comment

ID: 22740091
Good to know that. Thanks,

Expert Comment

ID: 34769527
We just resolved almost a similar problem.

Our ACS server is running;
1. TACACS service for Cisco devices authentication using local accounts
2. RADIUS service for HP devices authentication using local accounts
3. RADIUS service for WLAN users authentication (which is integrated with AD)

We noticed that the loacal account authentications were going pretty fine however WLAN users were not able to authenticate and the Authentication Failure Code was Internal Error.

This was due to the fact that we accidently added (joined) a system with the same name and IP address as that of production in our domain which conflicted with the existing SSID. Of course this was done when the production was offline but still the AD had the production's information.

After finding that out, we removed the new system from the network, disjoined the production from domain, deleted the entry of production from domain and rejoined the production back to domain. Things are working again.

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Moving your enterprise fax infrastructure from in-house fax machines and servers to the cloud makes sense — from both an efficiency and productivity standpoint. But does migrating to a cloud fax solution mean you will no longer be able to send or re…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question