Internal Error ACS SE 4.2

Unanswered Question
Aug 3rd, 2009

Hi, I have an ACS SE 4.2, and I am trying to integrate the ACS SE with Active Directory and Cisco access points, with PEAP MSCHAP V2 on Windows 2003 32-bit and the ACS Remote Agent, but my ACS SE gives me logs.

It says: Internal Error, in the failed authentication logs.

My users in the Active Directory can't authenticate in the Database.

Could you tell me why this happened?

Maybe I have a problem in the configuration of my ACS SE.

Could you tell me what the trouble is in this case?


Robert.N.Barrett_2 Tue, 08/04/2009 - 07:06

I agree and disagree with some of what Cisco says, so I'll tell you what works for us:

- Make sure ACS SE and Remote Agent are at the same version and patch level

- Make sure that the ACS SE and Remote Agent can talk over the ports you selected (or defaulted to) at install

- Our Remote Agent is running on the local service account of a computer running Windows Server 2003 that is joined to our domain (we actually have two of these)

- Our ACS SE boxes authenticate using the Cisco-recommended AD domain computer account called "CISCO" (External Databases, Windows Authentication Config)

- Our External Database -> Database Group Mappings -> Windows Database -> /DEFAULT is left at the "All other combinations" setting

- Unknown User Policy is set to check the Windows Database

- If you go into Network Configuration, does your Remote Agent show up with available services (should show a Clipboard and Windows Logo icon in the "Services Available" column)?

- If you select your defined Remote Agent in Network Configuration, does the "Windows Authentication" status show "Yes" in the "Used by this ACS" column?

By the way - ACS SE will report a failed auth to your authentication clients if the Remote Agent service is not running (i.e., stops running), therefore your clients will NOT switch over to a backup RADIUS server automatically (if you have a secondary RADIUS server defined). For this reason, I have two different computers (in two different buildings, etc.) running Remote Agent, and I monitor the Remote Agent service on both systems.

