Cisco ACS 5.0 and LDAP groups

Nov 8th, 2009

Hi all,

having a problem with my new ACS 5.0 installation.

I'm able to read the LDAP-directory and see all need groups.

But when I log on to a switch, my policy rule, which references an LDAP group, does not match; it always hits the default rule.

If I change the default rule to "allow" I'm able to logon.

Any ideas why my rule does not match?

about the directory:

1 group with about 15 users

Settings:

Subject Objectclass: person

Subject Name Attribute: sAMAccountname

Group Objectclass: group

Group Map Attribute: memberOf

Group Objects Contain Reference to Subject

-> Subjects in Groups are Stored in Member Attribute As: distinguished name

Subject Search-base point to where the users are stored

Object Search-base point to where the groups are stored

No Username Domain Stripping

regards Dirk

y_yosi Tue, 07/06/2010 - 22:14

Hi Dirk,

I am having the same issue,

have you solved it ?

Thanks

a.schoppmeier Mon, 07/19/2010 - 03:56

Hi together,

I have the same issue with ACS 5.1.0.44.3 and OpenLDAP.

My LDAP structure

users (ou=users,dc=cisco,dc=de)

objectClass: organisationalUnit

user:

uid:

userPassword

objectClass: account

groups (ou=groups,dc=cisco,dc=de)

objectClass: organisationalUnit

group

objectClass: groupOfNames

member: (e.g. uid=user1,ou=users,dc=cisco,dc=de)

ACS is able to read the groups and users from LDAP:

Schema:

Subject ObjectClass = account

Subject Name Attribute = uid

Group ObjectClass= GroupOfNames

Group Map Attribute = Member

* Group Objects Contain Reference To Subjects

   * Subjects in Groups Are Stored in Member Attributes As: username

Directory Structure:

- Subject Search Base: ou=users,dc=cisco,dc=de

- Group Search Base: ou=groups,dc=cisco,dc=de

TEST CONFIG:

Primary Servers  Connection test bind Succeeded

Number of Subjects: 6

Number of Groups: 3

But when I try to make a Group Mapping (Access Policies), this rule never matches.

The user is not authenticated, and I also don't see a request from ACS to LDAP to authenticate the user.

ACS shows Failure Reason:  22056 Subject not found in the application identity stores(s)

Did anyone get this to run?

Ciao Andre

jrabinow Mon, 07/19/2010 - 04:02

Are you authenticating users against this LDAP database? If so, you need to select this in the identity policy for the selected/matching user service.

For example, after default installation the identity policy for network access RADIUS requests can be found at:

Access Policies > Access Services > Default Network Access > Identity and is selected in the identity source

a.schoppmeier Mon, 07/19/2010 - 04:14

HI jrabinow

I did these settings; I use Default Device Admin for TACACS, and my internal users match successfully against this rule ;-)

Also I changed the order of operations - Users and Identity Stores - Identity Store Sequence - LDAP first, then Internal Users.

But I never get a Hit Count in the Group Mapping Rule, only the Default Rule match.

Ciao Andre

jrabinow Mon, 07/19/2010 - 05:45

Is this RADIUS or TACACS+?

Have you added new access services since installation or using the default ones?

What is selected as the result of identity policy in each of the access services?

On the failure record, can you click on the details icon and copy the detailed steps performed for the request

a.schoppmeier Mon, 07/19/2010 - 06:08

I use local Users with Tacacs and Radius

LDAP Users are only Tacacs.

I set the protocols for the Service Selection to the following:

- match protocol Radius - Default Network Access

- match protocol Tacacs - Default Device Admin

And the Tacacs HitCount increase when I try to authenticate a LDAP user, so this seems to be working.

No additional service was added.

I configured the necessary Shell Profiles (Full-Access, Read-Only) and Command Sets (All-Commands), and tested them with the local users; works fine ;-)

Created an Identity Rule in the Default Device Admin:

* LDAP-RULE -  NDG: All Device Types -> use Identity Store "LDAP-Server"

* Default Rule -> use Internal Users

Group Mapping:

LDAP-Group1 - use Identity Group: Full-Access (Shell Profile) - (Command-Set All Commands)

LDAP-Group2 - use Identity Group: Read-Only (Shell Profile) - (Only PrivLevel 1)

But I still get only HitCounts for the Identity Default Rule; the LDAP rule never matches.

The resolution step of the detailed failure is: Check whether the subject is present in any one of the chosen identity stores.

That will not help me .....

Thx for your help

Dirk Woellhaf Mon, 07/19/2010 - 06:21

Hi,

for me it seems that the ACS is only checking the internal user database.

Have you configured an "Identity Store Sequence"?

If not, try to configure one under:

"Users and Identity Stores" -> "Identity Store Sequence" and specify the order in which the directories should be scanned.

Then map the "Identity Store Sequence" to your access policy:

"Access Policies" -> "Your Policy" -> "Identity" -> "Single result selection" -> "Identity Source"

Works fine for me with Local-DB + ActiveDirectory as Identity Store.

regards

a.schoppmeier Tue, 07/20/2010 - 00:15

Hi Dirk, Hi jrabinow

thx for the hint ;-)

That was the problem. I defined the Identity Store Sequence, but within the Access Policies Identity I created two rules, one for all devices with Internal Users and one for LDAP users, but if the user was not found in one of them the sequence moved to default.

Maybe also because of the Advanced Options, which were default, so no further rule is processed.

Now the only rule within Identity is all Devices - Identity Store "LDAP-vy-Internal" created within Identity Store Sequence.

And it works as designed !

Thx again; sometimes we are too blind to see little mistakes.

Ciao Andre

############# Monitor Output ############


AAA Protocol > TACACS+ Authentication Details
Date: July 19, 2010 2010 18:48:54 PM UTC
Authentication Details
Status: Failed
Failure Reason: 22056 Subject not found in the applicable identity store(s).
Logged At: Jul 19, 2010 18:48 PM
ACS Time: Jul 19, 2010 18:48 PM
ACS Instance: LDAP-Server
Authentication Method: PAP_ASCII
Authentication Type: ASCII
Privilege Level: 1
User
Username: test3
Remote Address: 169.254.0.50
Network Device
Network Device: Cisco-7200-Tac
Network Device IP Address: 169.254.0.254
Network Device Groups: Device Type:All Device Types:Cisco-7200-Tac, Location:All Locations
Access Policy
Access Service: Default Device Admin
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule : Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores: Internal Users
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
Other
ACS Session ID: LDAP-Server/68386637/134
Service: Login
AV Pairs:
Response Time: 9
Other Attributes:
ACSVersion=acs-5.1.0.44-B.2347
ConfigVersionId=74
Device Port=21204
Protocol=Tacacs
Type=Authentication
Action=Login
Action=Login
Authentication Result
AuthenticationResult=UnknownUser
Type=Authentication
Authen-Reply-Status=Fail
Steps
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy was evaluated before; Identity Sequence continuing
Looking up User in Internal Users IDStore - test3  ######## But this is a LDAP User ########
The user is not found in the internal users identity store.
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply
Additional Details
Diagnostics ACS Configuration Changes

############# Monitor Output ############
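The behaviour Andre's resolution and the monitor output above describe, as an added model (not ACS code and not part of any post): the identity policy is first-match, the matched rule selects a single identity source, and a subject missing from that source ends in 22056 plus the unknown-user advanced option rather than falling through to the next rule. Store contents, rule names and the device type are constructed for the example; the sequence name follows Andre's "LDAP-vy-Internal".

```python
# Constructed model of ACS 5.x identity-policy evaluation (not ACS code):
# first matching rule wins, the rule selects ONE identity source (a store or
# an Identity Store Sequence), and if the subject is not in that source the
# request ends with 22056 and the unknown-user advanced option.
STORES = {
    "LDAP-Server": {"test3", "user1"},       # constructed: subjects under ou=users
    "Internal Users": {"admin", "netops"},   # constructed: ACS internal users
}
SEQUENCES = {"LDAP-vy-Internal": ["LDAP-Server", "Internal Users"]}
UNKNOWN_USER_OPTION = "Reject"   # Advanced Options: "If user not found"

def resolve_source(source):
    """An identity source is either a single store or a named sequence."""
    return SEQUENCES.get(source, [source])

def evaluate_identity_policy(username, device_type, rules):
    """rules: list of (name, allowed_device_types_or_None, identity_source).
    Returns (result, steps): result is the store holding the user, or the
    advanced-option outcome when no selected store holds the user."""
    steps = ["Evaluating Identity Policy"]
    for name, device_types, source in rules:
        if device_types is None or device_type in device_types:
            steps.append(f"Matched rule {name}; Selected Identity Store - {source}")
            break
    else:
        steps.append("No identity rule matched; request rejected")
        return "Reject", steps
    # First match wins: later rules are never evaluated, only the selected
    # source (store or sequence) is searched.
    for store in resolve_source(source):
        steps.append(f"Looking up User in {store} IDStore - {username}")
        if username in STORES[store]:
            steps.append(f"User {username} found in {store}")
            return store, steps
        steps.append(f"The user is not found in the {store} identity store.")
    steps.append("22056 Subject not found in the applicable identity store(s).")
    steps.append(f"The '{UNKNOWN_USER_OPTION}' advanced option is used.")
    return UNKNOWN_USER_OPTION, steps

# Two rules that both match every device type: the first one (Internal Users)
# always wins, so LDAP users are never looked up (constructed reproduction).
BROKEN_RULES = [("INTERNAL-RULE", None, "Internal Users"),
                ("LDAP-RULE", None, "LDAP-Server")]
# The fix from the thread: a single rule whose identity source is the sequence.
FIXED_RULES = [("ALL-DEVICES", None, "LDAP-vy-Internal")]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        result, steps = evaluate_identity_policy("test3", "Cisco-7200-Tac", rules)
        print(f"[{label}] result={result}")
        print("\n".join("    " + s for s in steps))
```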

kschleppenbach Wed, 09/08/2010 - 16:05

Dirk, I think this solves what I am trying to do, but I fail to follow a few of the steps. I am trying to have an Access Policy with both an Identity Group pointing to an Internal Identity Store and an External Group pointing to LDAP. The original Policy points only to LDAP and works fine. When I added an Internal Group it wouldn't authenticate and it broke LDAP for that Policy. I will use a resolution that works with one Policy line or two. Not sure which way you guys ended up. Under Identity Store Sequence, I have just the default sequence Identity Search Order. Under the first Retrieval Search List I have my LDAP followed by Internal Users. There is an Additional Retrieval Search List that only lists LDAP. And under Access Policies, Access Services, Default Device Admin, Identity, I have Single result selection selected with Identity Source = Identity Search Order. Advanced Options are Reject Reject Drop. Is that what stops the process after LDAP fails to authenticate? Thanks, Kevin

Dirk Woellhaf Wed, 09/08/2010 - 19:21

I will be out of office from 06.09.2010 until 20.09.2010

I will respond to your mail after my return to the office.


jrabinow Mon, 07/19/2010 - 06:29

Please also provide the details information.

To get this, do the following:

- go to "Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS Authentication"

You will get the pass/fail information summary together with the reason. Click on the icon (magnifying glass) for details. You will get a page for the full processing of the request. It will tell you which stores were accessed etc., and which rules matched.

Can you copy this information?

Posted November 8, 2009 at 9:52 AM