We have just configured the Cisco ACS Solution Engine 4.1 and are using a Windows 2003 Domain Controller as a remote agent. We are using TACACS+ as the protocol.
The users which are created in ACS itself are able to log in to various network devices, but domain (Active Directory) users are unable to log in; we get an access denied message. At the same time we get an "External DB is not operational" message in ACS.
On the Active Directory server where the agent is running, in the CSWinAgent log we get the following error: "NDLIB..FOUND 0 TRUSTED DOMAIN"
Could you please help us isolate the problem?
a) The reason it goes directly to enable mode is because we have privilege level 15 defined for that user.
If you don't want the user to log directly into enable mode, then lower the privilege level for that user.
b) There must be some misconfiguration. It should also not work via SSH, but since we have exec authorization configured it bypassed the enable password.
On ACS, in User Setup --> Enable TACACS+ Options, choose any one: Use Cisco PAP password, Use Windows password, or Use separate password.
That should fix it.
Please mark it resolved so others can benefit from it.
Do rate helpful posts.
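The IOS-side AAA configuration that produces the behaviour described in (a) and (b) above, added here as an illustration and not taken from the original post. The TACACS+ server address and shared key are placeholders, and ACS is assumed to return the TACACS+ attribute priv-lvl=15 for the user in its Shell (exec) settings; the comments mark which line makes the session skip the enable prompt.

```cisco
! Added example, not from the original thread. 192.0.2.10 and <shared-secret>
! are placeholders for the ACS Solution Engine address and TACACS+ key.
aaa new-model
tacacs-server host 192.0.2.10 key <shared-secret>
!
! Login and enable authentication go to ACS first, with local fallback
! so the device stays reachable if the external DB is not operational.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is what lets the user land directly in privileged EXEC:
! ACS returns priv-lvl=15 in the authorization reply, so no enable password
! is asked for. Remove this line (or set the user's privilege level below 15
! on ACS) and the same user lands in user EXEC and must type "enable".
aaa authorization exec default group tacacs+ local
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
```

To verify which path a session took, `debug tacacs` and `debug aaa authorization` on the device show the priv-lvl attribute coming back from ACS (or its absence) for each login.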
Make sure the remote agent service is running using a local admin account, since the RA is running on the DC.
Also check how many processors we have on that RA system, and what operating system and SP we have on the RA system.
Make sure the software version of ACS and the remote agent is the same. Also, the account running the remote agent should have special domain admin rights, like Act as part of the operating system and Log on as a service.