ACS 4.1 (trail) Problem with AD Autentication

Unanswered Question
Nov 16th, 2007

I am having a problem getting ACS to authenticate against Active Directory Usernames. I am trying to use AD names to logon to both a 2600 Switch and an ASA 5505. I can logon with ACS Local names without a problem. I have followed the External Database setup guide but continue to recieve 'Internal Error' messages in the Failed Attempts failure code when trying to use AD usernames.

What could be the configuration problem?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jagdeep Gambhir Fri, 11/16/2007 - 05:41

Make sure that the account running remote agent or acs service should have special priv , like act as a part of OS and login as service.

Do u have acs appliance or windows ?

Regards,

~JG

mervynpoli Fri, 11/16/2007 - 05:58

Running Trial version on windows in a lab environment. Each of the services is running as domain user with domain admin rights.

Services have been restarted several times.

the Auth.log file does show that it is trying to authenicate against my domain name but still get the internal error result.

at Tue, 11/20/2007 - 10:45

hi,

please can you post your acs ad configuration ?

regards

alex

mervynpoli Tue, 11/20/2007 - 14:19

What configuration details do you mean?

Under Windows User Databases Configuration section I have the correct Domain name listed in the Domain List Column.

I also have tried mapping external groups from the same domain to local groups on ACS.

Please let me know what additional details you require.

Thanks,

Merv

cisco24x7 Sat, 03/29/2008 - 06:44

1- go to External User Databases,

2- Click on Unknown User Policy,

3- Select the Windows databases,

4- submit

5- Click on Unknown User Group Mappings,

6- Select this domain in your settings,

7- In External User Database Configuration,

click on Windows Database,

8- Select your Windows AD from Available Domains,

9- Submit,

10- Under "Network Configuration", add your

Cisco devices to the list that will use

the ACS. Make sure the key is correct on

both the cisco devices and ACS,

11- Restart your ACS Service,

Here is my example output:

BGP_Trigger#test aaa group tacacs+ lcs1 123456 port 49 new-code

Trying to authenticate with Servergroup tacacs+

Sending password

User successfully authenticated

BGP_Trigger#

lcs1 is the Active Directory account.

If I go into User Setup in ACS, I will see

this:

LCS\lcs1 Enabled Dynamic mapping [Currently: Active_Directory (2 users)].

this account is created because of Windows

AD and ACS integration.

That being said, ACS setup is so confusing

and convoluted that it is not even funny.

What took me about 10 minutes to setup with

Cisco Freeware TACACS on Linux takes about 2

hours to setup with Cisco ACS. It is a

PITA

Good luck

CCIE Security

husycisco Sat, 03/29/2008 - 13:28

Hi David

Thanks a lot for your time on this issue m8. I have already followed the steps you suggested however, it encouraged me to dive into stuff back and digg some. Here is what I have previously done

1)Create a user in AD. Give "Start as a service" and "Act like a part of the bla bla" rights in default domain controller policy

2)Installed Secure ACS in Domain controller. Choose that Windows Database thing.

3)I configured ASA as AAA client, also made the necessary config on ASA. Authentication with a user created in ACS databse is successfull.

4)I configured the 6 or 7 services that starts with "Cs.." in the name to start with the account which I have first created, just like as it is mentioned in Cisco Doc. Although Cisco mentioned that it is enough for that account to have read permissions ("Domain Users" group membership) and above specific permission, services did not start. Then I joined the user in "Administrators" group and all worked fine. Just incase, I added into "Domain Admins" group also.

5)Made sure that "Windows Database" exists under "Check the following external user databases" under "Selected Domains"

6)Under "Database Group Mappings", clicked on "New Configuration" and selected the domain

7)Restarted the services

Now time to test.

Husy# test aaa-server authentication CSACS host x.x.x.x username xxxx password xxxx

INFO: Attempting Authentication test to IP address (timeout: 12 seconds)

ERROR: Authentication Rejected: Unspecified

Am I suprised? Hell no :) Went on digging. I got the following log in AUTH.log file located in "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\Logs"

External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 6L)

After some research, the error brought me to the following Cisco Doc

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808c1824.shtml

It mentions the following.

Problem: Remote agent cannot authenticate Windows users accounts. You receive this error message in remote agent log:

NTLIB: Windows authentication FAILED (error 6L)Cause: Insufficient privileges for the remote agent to perform authentication.

Resolution: Remote agent must given the right permissions (select local admin rights) in order to communicate with ACS. In most cases, you can install the remote agent in the member server instead of the domain controller in order to resolve this issue.

I specified a Domain Admin account for your services and you dont like this? Anyway after some trial-and-error, I got the tried-and-true.

I changed the service "Log On" to "Local system account" back instead Logging on with Domain Admin account. (Start>Run>services.msc the contiguous services that start with CS)

Time to test...

Husy# test aaa-server authentication CSACS host x.x.x.x username xxxx password xxxx

INFO: Attempting Authentication test to IP address (timeout: 12 seconds)

ERROR: Authentication Rejected: Unspecified

This time I have the following in AUTH.log

"External DB [NTAuthenDLL.dll]: User does not have dialin permission (needed)"

In AD Users and Computers, in Dial-in tab of user properties, "Allow access via policy" is checked. This should have worked that way, anyway I set "Grant Access", then...

Husy# test aaa-server authentication CSACS host x.x.x.x username xxxx password xxxx

INFO: Attempting Authentication test to IP address (timeout: 12 seconds)

INFO: Authentication Successful

At last... :)

But now, another wierd issue raised. And here is the discussion I started. Any comments appreciated.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00f96

Regards

Actions

This Discussion