Avatar of Mark Mahacek
Mark Mahacek
Flag for United States of America asked on

Cisco ACS authenticaion across trusts

We have a Cisco ACS server that connects to our Active Directory. We have forest trusts setup with some other organizations that are part of our WAN.  We would like to configure our ACS to be able to authenticate users across the trusts, but have not been able to get this working yet.  Any tips our resources would be appreciated.
Active DirectoryNetworkingNetwork ManagementNetwork SecurityNetworking Hardware-Other

Avatar of undefined
Last Comment
Mark Mahacek

8/22/2022 - Mon
Craig Beck

Which version of ACS do you have?
Mark Mahacek

ASKER
ACS 5.2.6
Active Directory Native 2003
Craig Beck

Ok, you can use the AD method to connect to one domain, but for multiple domains (trusted or not) you need to use LDAP for the second, third, nth domain thereafter.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Mark Mahacek

ASKER
Is it possible to have ACS connect to one domain, then use domain trusts to have that AD check the other domains and return the authentication to ACS?

We are having the issues specifically working with our wireless lan controllers.

We use MSCHAPv2 and both TLS and EAP, which doesn't allow for multiple LDAP sources.

See table B-5 in the following page: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
Craig Beck

That should work, providing you have a two-way trust.

The ACS will query an available DC in the domain to which it is joined, then the DC should forward the request to a DC in the appropriate domain if required.
Mark Mahacek

ASKER
I have validated our two-way trusts.  I have selective authentication enabled, and have an external user in a local group that is defined in our ACS.  The error we get in ACS is a "subject not found."
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Craig Beck

What conditions have you set?
Mark Mahacek

ASKER
The access policy has three conditions:
-Membership in a specific AD group.  We have added external users as members of our group.
-EAP authentication
-End station filter
Craig Beck

So you can't match a policy if your user is in a different AD group to one you specified, as you can't specify groups in remote domains.

Can you screenshot the policy?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Mark Mahacek

ASKER
I have attached a couple screen shots.
pic1.jpg
pic2.jpg
pic3.jpg
Craig Beck

Can you post the AAA RADIUS Authentication log which shows the failure (click on the looking glass)?
Mark Mahacek

ASKER
Error message attached.
pic4.jpg
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Craig Beck

Ok, go to Users and Identity Stores -> External Identity Stores -> Active Directory, then click on the Directory Groups tab.

Click Select, then in the Search Base DN box, can you set the remote domain as the Base DN?

So, if your local domain is mydomain.local, and your remote domain is myotherdomain.local the Base DN would be changed:

from:
DC=mydomain,DC=local

to:
DC=myotherdomain,DC=local


Then click Go...

Do you see security groups from the remote domain?
Mark Mahacek

ASKER
We get no results when setting the other domain as the base dn.
Craig Beck

Hmmm that should work.  Can your ACS 'see' the remote domain controllers?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Mark Mahacek

ASKER
I will be back in the office tomorrow and will check, but I believe we can ping all the domain controllers.
Mark Mahacek

ASKER
Yes, our ACS server can ping the host name for the domain controllers in the remote domains.
Craig Beck

I would try removing all access conditions and just use the default authorization rule with the permit all result to ensure you can actually receive a successful authentication response from the AD.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Mark Mahacek

ASKER
ACS is reporting "subject not found" that it can't find the remote user, not a permission denied error.
Craig Beck

Can you check the Authentication details to see which Identity Store was used to locate the user?
Mark Mahacek

ASKER
ACS only has one identity store, our internal AD.  See my previous post for a copy of the error. #a39026712
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Craig Beck

There must be an issue between your DCs.  I am not understanding why you can't query groups in your remote domain if the trust is working both ways.

Can you confirm that a user in your primary domain can authenticate properly?
Mark Mahacek

ASKER
Yes, our primary domain users are logging in without any issues. We are able to authenticate cross forest users to other AD services (such as Exchange) that do not go through ACS.
Craig Beck

Do you have anything in the event logs on your DCs when you try to authenticate a user in the remote domain via ACS?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Mark Mahacek

ASKER
Found something in the remote domain's log:
Event ID: 675 (Account Logon)
Failure Audit
Pre-authentication failed:
User Name: test
User ID: %{SID HIDDEN}
Service Name: krbtgt/domain
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.x.x.x
Craig Beck

That is a Kerberos problem between the two domains.  The 0x19 failure code indicates that pre-authentication failed because of a bad password, or it can be because of one of the reasons listed here:

http://www.eventid.net/display.asp?eventid=675&eventno=62&source=Security&phase=1

Check the time on the ACS is within 5 minutes of the time on the remote DCs, and that all date/time settings are correct.  If possible, let your servers and your ACS sync with an external time source.
Mark Mahacek

ASKER
Both domains use the same satellite time server to sync clocks over NTP.  I have verified the password is correct.
Your help has saved me hundreds of hours of internet surfing.
fblack61
Craig Beck

Ok, one of the issues in the link above must be the reason why you can't query the remote domain from AD, and why the user authentication fails.  The ACS server needs nothing else other than to be joined to the AD domain in order to pass authentication requests.
Mark Mahacek

ASKER
Both domains are functional 2003 mode.  The remote domain only has 2003 DCs and the local domain has a mix of 2008 and 2003 DC's.  According to that article, this error would be a false report in a 2003 forest.
ASKER CERTIFIED SOLUTION
Craig Beck

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Mark Mahacek

ASKER
Status update - We are now seeing errors in ACS stating that the remote user failed to provide a correct username and password, even though I have verified it is correct.  We are working with Cisco support to resolve this issue.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Craig Beck

IIRC you saw this error on your DCs already.  It is 100% a trust issue if you are seeing the same errors on the ACS.
Mark Mahacek

ASKER
We are still working with Cisco support, but do not have a solution yet.
Mark Mahacek

ASKER
We have not been able to resolve this issue yet, but we are starting to see some other domain trust issues coming up, which points us in that direction.
Thank you for your assistance.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck