ACS XAuth from trusted domain

miklos.andrasi
Level 1

Hi all!

I have an ACS 3.3(2)b2 that authenticates users from external ADs. All the authentication is successful from its own domain and from several trusted domains.

Now I'd like to add a new domain to the system, but when I try to authenticate from this domain it fails. In the "Failed Attempts" report the error message is the following: "External DB account restriction"

My setting:

Ext. User DBs --> DB Configuration --> Windows DB --> Configure --> I put it to the "Domain List" column in the "Configure Domain List" section.

The "... Grant Dialin Permission ..." checkbox is empty.

I have a valid group mapping also.

I found a bug in this version:

"Authentication succeeded only when The EAP-TLS client authenticate to the DC which connected directly to the ACS, but when the user is in the Trusted DC (only in the trusted DC) which connected to the first DC, the authentication didn't succeed and the Fail Attempts message was: "External DB account Restriction."

Same message occurred whether enabling the domain stripping in Windows external database settings or not."

I could accept this bug if there weren't many well-working domains in the system.

Has anyone got any idea for this problem?

What did I forget to set?

By(e),

Miki


ssoberlik
Level 4

Check if you have mapped to a disabled group. Do not map multiple Windows groups to an ACS group.

i.e.

WG1,WG2,WG3,* -----> ACS-GP1

Instead do it like,

WG1----> ACS-GP1

WG2----> ACS-GP1

Hi ssoberlik!

Thank you for your answer. I have only one mapping in the new domain, so I use one-to-one mapping. Although I use the ACS group in another mapping in another domain, I think this is permitted.

In the AD security logs I see the authentication request, which is successful, but in the ACS this fails.

Miki
