ACS SE 4.1, Remote Agent

Unanswered Question
Feb 1st, 2007

I'm having issues authenticating (MS-PEAP) a user in a MS Domain/Active Directory on W2K or W2003. I have installed the latest remote agent and the ACS sees the agent. I can define a local user to the ACS and authenticate with no problems. However, I have configured the unknown user properly and the group mappings. I see in the failed attempts log I am sending DOMAIN\UserID properly, however it is failing with an "Internal Error". In the documentation, (I am not an MS expert), I am confused about two items. First, for the Computer Account named CISCO, all users must be able to logon using that account. All users have the attribute to allow them to logon to any computer. That should cover the CISCO computer account, right?

Secondly, I do not follow this documentation instruction:

"To the user account that you create, grant Read all properties permission for all Active Directory folders containing users that ACS must be able to authenticate. To grant permission for Active Directory folders, access Active Directory from the Microsoft Management Console and the security properties for the folders that contain users whom ACS will authenticate."

What folder is that which I should grant these permissions? Thanks for any hints and suggestions.

Vivek Santuka Fri, 02/02/2007 - 07:10

Hi,

I would suggest checking the following:

1. You are using same version of ACS and Remote Agent.

2. Remote Agent's service is set to "Log on As" a Domain User if not a Domain Admin.

3. The Domain User/Admin account used for the service should have "Log on as a Service" and "Act as a part of operating system" privileges.

If authentication still fails we need to check CsWinAgent logs in Remote Agent's directory and see the error received from AD.

Regards,

Vivek
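One way to check the three items above on the Remote Agent host, as an added example that was not posted in the thread. It assumes the service is registered as "CSAgent" (hypothetical name; confirm in services.msc), that the built-in secedit.exe is available, and that it runs from an elevated Windows PowerShell prompt.

```powershell
# Added example, not from the thread: verify agent version, service logon account,
# and the two user rights on the host running the ACS Remote Agent.
# Assumption (hypothetical): the service name is "CSAgent"; override with -ServiceName.
param([string]$ServiceName = 'CSAgent')

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check services.msc for the real name" }

# 1. Agent build: file version of the service binary, to compare against the ACS version.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
"Agent binary : $exe"
"File version : $((Get-Item $exe).VersionInfo.FileVersion)"

# 2. Service logon account ("Log on As").
$account = $svc.StartName
"Logs on as   : $account"

# 3. User rights. secedit exports the local policy; holders appear as names or as *SID.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content $inf
Remove-Item $inf -ErrorAction SilentlyContinue

$sid = $null
try {
    $sid = ([System.Security.Principal.NTAccount]$account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch { "Could not resolve '$account' to a SID (LocalSystem holds these rights implicitly)" }

# SeTcbPrivilege is "Act as part of the operating system", one of the most powerful
# rights on the box, so the holder list is printed so you can see who else has it.
foreach ($right in 'SeServiceLogonRight', 'SeTcbPrivilege') {
    $line = $policy | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = if ($line) { (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim() } } else { @() }
    $direct = $holders | Where-Object { $_ -eq "*$sid" -or $_ -eq $account }
    $status = if ($direct) { 'granted directly' } else { 'not granted directly (may come via a group)' }
    "{0,-19}: {1}" -f $right, $status
    "   holders: $($holders -join ', ')"
}
```

A right inherited through group membership (for example Administrators) shows up under the group name, so check that group's membership too when the account is not listed directly.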

kbyrd Sat, 02/03/2007 - 18:10

Thanks for your reply, Vivek.

1) I downloaded and installed Remote-Agent-ACSse-win-v4.1.1.23-K9.zip.

2) I made the user "ACUser" a member of Administrators and Domain Admins, and it is this domain account that starts CSAgent.exe.

3) Yes, I have that set up in local security policy. The domain security policy is not defined.

When I looked at CSAlog.log, I see this message:

[2004-05-24 19:12:04.953] [PID=528] [Csamanager]: Agent version=V4.0-1 build 543, os='Windows 2000', os version=5.0.4.2195

Does this point to the Agent running on the domain controller? If so, that doesn't seem to match the remote agent I downloaded and extracted. Any thoughts?

kbyrd Wed, 02/07/2007 - 15:00

Just to close the loop: I opened a TAC case and based on the output from the logs, the engineer asked me to change the CS Agent service running on the domain controller to Logon with a Local System Account and to Allow service to interact with the desktop. Once I made the change, everything started to work. Either the documentation is very wrong or there is a bug in either the ACS code or the CS Agent code.

kbyrd Tue, 03/27/2007 - 08:18

Actually, the issue is not resolved. The TAC case is 605287551.
