Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
501
Views
0
Helpful
5
Replies

ACS SE 4.1, Remote Agent

kbyrd
Level 2
Level 2

‎02-01-2007 09:22 PM - edited ‎03-10-2019 02:57 PM

I'm having issues authenticating (MS-PEAP) a user in a MS Domain/Active Directory on W2K or W2003. I have installed the latest remote agent and the ACS sees the agent. I can define a local user to the ACS and authenticate with no problems. However, I have configured the unknown user properly and the group mappings. I see in the failed attempts log I am sending DOMAIN\UserID properly, however it is failing with an "Internal Error". In the documentation, (I am not an MS expert), I am confused about two items. First, for the Computer Account named CISCO, all users must be able to logon using that account. All users have the attribute to allow them to logon to any computer. That should cover the CISCO computer account, right?

Secondly, I do not follow this documentation instruction:

"To the user account that you create, grant Read all properties permission for all Active Directory folders containing users that ACS must be able to authenticate. To grant permission for Active Directory folders, access Active Directory from the Microsoft Management Console and the security properties for the folders that contain users whom ACS will authenticate."

What folder is that which I should grant these permissions? Thanks for any hints and suggestions.

Labels:
0 Helpful
5 Replies 5

Vivek Santuka
Cisco Employee
Cisco Employee

‎02-02-2007 07:10 AM

Hi,

I would suggest checking the following :-

1. You are using same version of ACS and Remote Agent.

2. Remote Agent's service is set to "Log on As" a Domain User if not a Domain Admin.

3. The Domain User/Admin account used for the service should have "Log on as a Service" and "Act as a part of operating system" privileges.

If authentication still fails we need to check CsWinAgent logs in Remote Agent's directory and see the error received from AD.

Regards,

Vivek

0 Helpful

kbyrd
Level 2
Level 2
In response to Vivek Santuka

‎02-03-2007 06:10 PM

Thanks for your reply, Vivek.

1) I downloaded and installed Remote-Agent-ACSse-win-v4.1.1.23-K9.zip.

2) I made the User "ACUser" a member of Administrators and Domain Admins and it this domain account the starts the CSAgent.exe.

3) Yes, I have that set up in local security policy. The domain security policy is not defined.

When I looked at CSAlog.log, I see this message:

[2004-05-24 19:12:04.953] [PID=528] [Csamanager]: Agent version=V4.0-1 build 543, os='Windows 2000', os version=5.0.4.2195

Does this point to the Agent running on the domain controller? If so, that doesn't seem to match the remote agent I downloaded and extracted. Any thoughts?

0 Helpful

kbyrd
Level 2
Level 2
In response to kbyrd

‎02-07-2007 03:00 PM

Just to close the loop: I opened a TAC case and based on the output from the logs, the engineer asked me to change the CS Agent service running on the domain controller to Logon with a Local System Account and to Allow service to interact with the desktop. Once I made the change, everything started to work. Either the documentation is very wrong or there is a bug in either the ACS code or the CS Agent code.

0 Helpful

Guillaume BARBEROT
Level 1
Level 1
In response to kbyrd

‎03-27-2007 07:59 AM

Please can you give us your TAC Case number to check ?

I also have the same trouble.

Thanks.

0 Helpful

kbyrd
Level 2
Level 2
In response to Guillaume BARBEROT

‎03-27-2007 08:18 AM

Actually, the issue is not resolved. The TAC case is 605287551.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents