Cisco Secure ACS 4.2 Radius and Active Directory - Problem with getting ACS to use AD as an external Database

Posted on 2008-10-16
Last Modified: 2012-05-05
I am setting up a Cisco Secure ACS 4.2 server to act as a radius server for EAP (LEAP and PEAP) authentication on Aironet 1230 Access points.  I am using Windows 2003 server for the ACS, and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.  

I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO' on the domain etc).

I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.  

If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log, and the wireless user is authenticated to the WLAN.  However, I don;t want to sue the internal database - I want to use AD to authenticate users.  If I use an AD username and password, the user doesn't get authenticated, and i get 'Internal error' in the Failed attempts log.  

If I check the Radius Log on ACS, I get the line :-

RDS 10/16/2008 11:04:04 E 2996 5556 0x0 Error UDB_NT_UNKNOWN_ERR authenticating (username here) - no response sent to NAS

I've scoured google etc, and just cannot come up with any reason why this should be happening.  I've followed all the install guides to the letter.  I need to get this up and running as soon as possible, so am looking forward to finding out if anyone can help me with this one!

Question by:Axemanbob
  • 3
  • 3
LVL 26

Expert Comment

ID: 22731319
ACS has some restriction on using AD. ACS has these limits on group mapping for users who are authenticated by a Windows user database:
- ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
- ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user.

Here is some instruction on ACS shows you how to integrate ACS with AD:


Author Comment

ID: 22731868
Thanks for the Info Kevin, but unfotunately, it does not apply in this case.

I've already set up the ACS AD integration and group mappings.  The users all have less than 500 Windows groups assigned to them (we dont even have 500 Windows groups!).  Also, we are only talkign about one domain (of which the user and ACS and AD are all part of), so the second point does not apply either.

The examples you gave me for setup are just the basic setup, which I have already done.  I think the problem is much deeper than this.

Any more suggestions?
LVL 26

Expert Comment

ID: 22732588
Thanks for the clarification.
In our environment, we only export the AD users and groups then we import it to ACS. After the import, we can map the users and groups with AD to keep them synchronized. So I think ACS only works or works better with its own database. There are a few ways to install ACS depends on where your ACS server is. You can install it on a stand alone server (my case), or install it on domain controller or a server in your domain. My understand is if you want to use AD, your server has to be in the domain.

I found an interesting article that you may be interested:

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.


Author Comment

ID: 22735152
Yes - our server is in the domain.  We actually already use another ACS server on another domain in this way, which is what's so frustrating!  This has been working well for about 4 years now, so I know it works fine with an external database.  The users get dynamically mapped to ACS groups according to their AD groups when they log in.

We already use the other ACS server to authenticate users in AD for EAP-FAST.   Basically, I'm trying to duplicate this setup on the second domain, and that's where I seem to be having problems...!


Accepted Solution

Axemanbob earned 0 total points
ID: 22739039
I've sorted it!  Turns out that ACS seems to be incompatible with x64 version of Server 2003.  This is our default build, so I just installed on top.  This morning, I rebuilt with x86 version, resinstalled ACS and imported the config - authentication flew through with no issues!

Cheers for the suggestions, but it seems that the answer is Cisco Secure ACS is not compatible with 64-bit Windows...

LVL 26

Expert Comment

ID: 22740091
Good to know that. Thanks,

Expert Comment

ID: 34769527
We just resolved almost a similar problem.

Our ACS server is running;
1. TACACS service for Cisco devices authentication using local accounts
2. RADIUS service for HP devices authentication using local accounts
3. RADIUS service for WLAN users authentication (which is integrated with AD)

We noticed that the loacal account authentications were going pretty fine however WLAN users were not able to authenticate and the Authentication Failure Code was Internal Error.

This was due to the fact that we accidently added (joined) a system with the same name and IP address as that of production in our domain which conflicted with the existing SSID. Of course this was done when the production was offline but still the AD had the production's information.

After finding that out, we removed the new system from the network, disjoined the production from domain, deleted the entry of production from domain and rejoined the production back to domain. Things are working again.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Link issue 11 61
Protectings Systems from Malicous Users 4 127
md5 password 3 62
How to safely test out TFTP server software 12 67
Read about achieving the basic levels of HRIS security in the workplace.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question