I'm trying to authenticate users in another Windows domain. The correct Remote Agent version is installed on the domain controller. An Enterprise Admin "runs" the service.
I discovered that group nesting is not working in version 3.3.3. Is that correct?
I also created a Universal and Domain local group. In that group I put some users from the other, trusted domain.
Authentication will not work: Error on ACS: External DB account restriction.
I also tried to make a group mapping directly in the trusted domain. When I click on "Add Group Mapping", this is the error: "Failed to enumerate windows groups.."
How can I solve these problems?
Looking at the release notes, under Known Problems in Cisco Secure ACS for Windows Server 3.3:
EAP-TLS authentication to the trusted DC doesn't succeed
Authentication succeeded only when the EAP-TLS client authenticates to the DC which is connected directly to the ACS, but when the user is in the Trusted DC (only in the trusted DC) which is connected to the first DC, the authentication didn't succeed and the Fail Attempts message was: "External DB account Restriction."
Same message occurred whether enabling the domain stripping in Windows external database settings or not.
Failed attempts report statement is not clear enough
When user validation fails for any reason (external server down, wrong SSL certificate, or key mismatch with NAS), the csv failed attempts report states that the authentication failure code is 'external db account restriction' or 'CS password invalid'.
Workaround: This problem is cosmetic. No workaround.