05-12-2008 12:00 AM - edited 03-10-2019 03:50 PM
Hi,
We have just configured Cisco ACS Solution Engine 4.1 and are using a Windows 2003 Domain Controller as a remote agent. We are using TACACS as the protocol.
The users that are created in ACS itself are able to log in to various network devices, but domain (Active Directory) users are unable to log in; we get an access denied message. At the same time we get an "External DB is not operational" message in ACS.
On the Active Directory server where the agent is running, in the CSWinAgent log we get the following error: "NDLIB..FOUND 0 TRUSTED DOMAIN"
Could you please help us to isolate the problem.
Thanks&Regards
05-12-2008 05:47 AM
Make sure the software version of ACS and the remote agent is the same. Also, the account running the remote agent should have special domain admin rights, like "act as part of the operating system" and "log on as a service".
Regards,
~JG
05-13-2008 12:09 AM
Dear JG, thanks for the great input. As per your response, we found out that the software version running on the Remote Agent was wrong. We have now installed the correct version corresponding to the ACS software version, but we are still facing a problem with Active Directory users logging in to network devices.
Please find below the error we are getting in the CSWinAgent log on the Active Directory server.
CSWinAgent 05/13/2008 11:47:18 A 0386 3068 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 05/13/2008 11:47:18 A 0063 3068 NTLIB: Attempting Windows authentication for user test
CSWinAgent 05/13/2008 11:47:18 A 0063 3068 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 05/13/2008 11:47:18 A 0451 3068 RPC: NT_MSCHAPAuthenticateUser reply sent
Please note that we have only one Domain Controller, where we have installed the Remote Agent. There is no trusted or child domain.
05-13-2008 05:08 AM
Make sure the remote agent service is running using a local admin account, since the RA is running on a DC.
Also, check how many processors we have on that RA system, and what operating system and SP we have on the RA system?
Regards,
~JG
05-13-2008 05:31 AM
Dear JG,
Thanks again for your input. The issue is now resolved. Thanks again.
The following are the main steps we carried out to make it work:
1) Added the ACS hostname in the Active Directory server computer field.
2) Enabled NetBIOS on the ADS.
3) Made the remote agent service run using a local admin account.
We have the following issue once we log in with Active Directory users:
a) When an ADS user logs in through SSH, after giving the username and password it goes directly to enable mode (not asking for the enable password at all).
b) When an ADS user logs in through the console, it is not taking the enable password. Do we need to modify the AAA configuration in the router and ACS?
Thanks for your time.
05-13-2008 05:46 AM
a) The reason it goes directly to enable mode is because we have priv 15 defined for that user.
If you don't want the user to log directly into enable mode, then lower the priv lvl for that user.
b) There must be some misconfiguration. It should also not work via SSH, but since we have exec authorization configured it bypassed the enable password.
On ACS, in User Setup --> Enable TACACS+ Options --> choose any one --> Use Cisco PAP pwd, or Use Windows pwd, or Use separate pwd.
That should fix it.
Please mark it resolved so other can benefit for it.
Regards,
~JG
Do rate helpful posts
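For reference, here is an added example of the IOS AAA configuration that produces the behaviour discussed in this thread (a priv 15 user landing straight in enable mode over SSH, and the console enable password being checked against ACS). It is not from the original posts or from Cisco documentation; the TACACS+ server address 192.0.2.10 and the key "example-key" are placeholders.

```ios
! Added example (not from the thread). 192.0.2.10 and example-key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key example-key
!
! Login authentication against ACS, with local fallback if ACS is unreachable.
aaa authentication login default group tacacs+ local
!
! Enable authentication against ACS. This is why the enable prompt asks ACS,
! not the local enable secret, for the password: ACS answers from the
! User Setup --> Enable TACACS+ Options choice (Cisco PAP / Windows / separate).
! If none of the three is chosen, the enable password is rejected.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization. When ACS returns priv-lvl=15 for the user, the session
! starts directly in privileged EXEC and the enable prompt is never shown.
! Setting priv-lvl=1 in ACS gives the user a user-mode prompt instead.
aaa authorization exec default group tacacs+ if-authenticated
!
! Exec authorization is NOT applied to the console line unless this is set,
! which is why SSH and console behave differently with the same ACS user.
! Leave it out if console users should always go through the enable prompt.
! aaa authorization console
!
line con 0
line vty 0 4
 transport input ssh
!
! Local fallback for when ACS is unreachable (placeholder value).
enable secret LocalFallbackSecret
```

With this configuration an SSH user for whom ACS returns priv-lvl=15 is placed in privileged EXEC at login by exec authorization, so no enable password is ever requested. The console behaves differently because IOS does not apply exec authorization to the console line by default; a console user therefore still reaches the enable prompt, and with `aaa authentication enable default group tacacs+` that password is validated by ACS according to the Enable TACACS+ Options setting rather than by the local enable secret. Choosing one of the three options in ACS is what makes the console enable password work.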
05-13-2008 07:19 AM
Dear DJ,
Thanks for the great help.
Everything is fixed and working fine.
On ACS, in User Setup --> Enable TACACS+ Options --> choose any one --> Use Cisco PAP pwd, or Use Windows pwd, or Use separate pwd. Here, if we put Windows pwd, should it be changing for the users at each login, or would it be permanent?
Thanks&Regards
05-13-2008 07:50 AM
Not sure if I understand your last issue. Are you talking about password expiry?
Please rephrase it.
Glad to know things are moving :-)
05-13-2008 09:16 PM
Dear DJ,
I was talking about the dynamic users' enable password. Can we set the dynamic users' password permanently, so that each time they log in we don't need to set the password? How long will the dynamic users' login details be available in the users list in ACS?
We find there is no option in the group those users belong to.
Thanks&Regards