ACS 4.2 and EAP-TLS with AD and prefix problem

Answered Question
Nov 30th, 2009

Hi there

we have the following situation:

- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A

- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B

First of all, is it a problem to have an ACS SE and an ACS working together for one domain? I don't think so. When we had only one domain and both ACS SE were responsible for domain A, it worked.

Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch

This is the normal output of the Remote Agent, it finds the host but then nothing happens:

CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent

So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):

test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):

CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent

It's clear that the test was not successful because of the wrong "machine password", but it's a different output than before. I saw that in ACS 4.1 you could change the prefix host/ to nothing, but in 4.2 this is not possible anymore.

Could this be the problem or does someone see any other problem?

Best Regards

Dominic

cochambe Thu, 12/03/2009 - 10:00

Dominic,

Can you double check you have 'Use Outer Identity' checked under 'System Configuration / Global Authentication Setup / Allow EAP-TLS'?

If you don't then the ACS uses the incorrect details from the digital certificate and it can then authenticate against the wrong credentials within the cert.

Regards,

Col

Dominic Stalder Fri, 12/04/2009 - 03:06

Hi Colin

thanks for your answer, we had this setting correct. I was able to solve the problem yesterday; we had some faults in the AD mapping.

I didn't know that when I select several AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).

Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)

Regards

Dominic

Correct Answer
Richard.Jeff Thu, 06/10/2010 - 05:08

Hi,

I am experiencing the same issue with my ACS. I have all the failed attempts for the default group. For the default group the config done is no access. Is that the reason behind this?

Dominic Stalder Thu, 06/10/2010 - 06:44

Hi Jeff

as I mentioned before, the problem was that the group mappings are AND conjunctions and so the user was always put into the default group, and you're right, I set the default group to "No Access" (which is in fact right).

Regards

Dominic
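As an added illustration of the AND behaviour Dominic describes in his two replies (example code written for this page, not Cisco ACS code), the small model below evaluates an ordered AD-to-ACS group mapping list the way the thread explains it and reports which AD groups an account is missing. The group names and mapping entries are constructed; the host/ to ABC$ conversion mirrors what the ASA test in the first post showed.

```python
from typing import List, Sequence, Tuple

# In the thread the default group is configured as "No Access", so anything
# that falls through the mapping list is denied.
DEFAULT_GROUP = "Default Group"

# One mapping entry: the AD groups the account must be in, and the ACS group it maps to.
Mapping = Tuple[Sequence[str], str]


def host_to_sam_account(username: str) -> str:
    """Turn an EAP-TLS machine identity such as 'host/abc.domain.ch' into the
    Windows machine account 'ABC$' (the conversion the ASA did in the thread).
    Names without the 'host/' prefix are returned unchanged."""
    if not username.lower().startswith("host/"):
        return username
    fqdn = username[len("host/"):]
    return fqdn.split(".", 1)[0].upper() + "$"


def map_to_acs_group(memberships: Sequence[str], mappings: Sequence[Mapping]) -> str:
    """Walk the ordered mapping list; the first entry whose AD groups are ALL
    among the account's memberships wins (AND conjunction). If no entry
    matches, the account lands in the default group."""
    member = {g.lower() for g in memberships}
    for ad_groups, acs_group in mappings:
        if all(g.lower() in member for g in ad_groups):
            return acs_group
    return DEFAULT_GROUP


def missing_groups(memberships: Sequence[str],
                   mappings: Sequence[Mapping]) -> List[Tuple[str, List[str]]]:
    """For every mapping entry, list the AD groups the account still lacks;
    an empty list means that entry would have matched. Useful when the only
    hint ACS gives is an unhelpful 'AD user restriction' message."""
    member = {g.lower() for g in memberships}
    return [(acs_group, [g for g in ad_groups if g.lower() not in member])
            for ad_groups, acs_group in mappings]


# Constructed sample data (not from the thread): the machine account is only in
# "Domain Computers". One entry listing two AD groups requires BOTH of them;
# one entry per AD group gives the OR behaviour the poster expected.
MACHINE_GROUPS = ["Domain Computers"]
ONE_ENTRY_TWO_GROUPS = [(["Domain Computers", "Wireless PCs"], "EAP-TLS Machines")]
ONE_GROUP_PER_ENTRY = [(["Wireless PCs"], "EAP-TLS Machines"),
                       (["Domain Computers"], "EAP-TLS Machines")]

if __name__ == "__main__":
    print(host_to_sam_account("host/abc.domain.ch"))
    print(map_to_acs_group(MACHINE_GROUPS, ONE_ENTRY_TWO_GROUPS))  # Default Group
    print(map_to_acs_group(MACHINE_GROUPS, ONE_GROUP_PER_ENTRY))   # EAP-TLS Machines
```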
