ACS XAuth from trusted domain

Unanswered Question
May 10th, 2009

Hi all!

I have an ACS 3.3(2)b2 what authenticates users from external ADs. All the authentication is succeful from its own domain and from several trusted domain.

Now I'd like to add a new domain to the system, but when I try to authenticate from this domain it fails. In the "Failed Attempts" report the error message is the following: "External DB account restriction"

My setting:

Ext. User DBs --> DB Configuration --> Windows DB --> Configure --> I put it to the "Domain List" column in the "Configure Domain List" section.

The "... Grant Dialin Permission ..." checkbox is empty.

I have a valid group mapping also.

I found a bug in this version:

"Authentication succeeded only when The EAP-TLS client authenticate to the DC which connected directly to the ACS, but when the user is in the Trusted DC (only in the trusted DC) which connected to the first DC, the authentication didn't succeed and the Fail Attempts message was: "External DB account Restriction."

Same message occurred whether enabling the domain stripping in Windows external database settings or not. "

I could accept this bug if there wasn't many well working domains in the system.

Has anyone got any idea for this problem?

What I forgot to set?

By(e),

Miki

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ssoberlik Fri, 05/15/2009 - 04:09

Check if you have a mapped to disabled group. Do not map multiple windows group to ACS group.

i.e.

WG1,WG2,WG3,* -----> ACS-GP1

Instead do it like,

WG1----> ACS-GP1

WG2----> ACS-GP1

miklos.andrasi Fri, 05/15/2009 - 05:17

Hi ssoberlik!

Thank you for your answer. I have only one mapping in the new domain, so I use one-to-on mapping. Although I use the ACS group in an other mapping in an other domain, but I think this is permitted.

In the AD security logs I see the authentication request what is successful, but int the ACS this failes.

Miki

Actions

This Discussion