05-20-2010 02:34 AM - edited 03-10-2019 05:09 PM
I'm running a cluster of ACS 5.1 doing 802.1x authentication against AD.
We currently have four AD domains with trust relationships going around. After sorting out some DNS related issues it is all working as it should, except for one of them where machine authentications fail.
Digging around, I realize that it has been set up with disjoint namespaces. The AD is ad.example.com, but all the computer accounts have been registered as client.example.com. This means that machine authentications get sent as, for example, host/laptop.client.example.com, causing the ACS to try to find the Active Directory of client.example.com instead of ad.example.com, which is where the machine accounts actually are.
Trying to be clever, I configured the DNS zone for client.example.com to point the relevant Kerberos and LDAP SRV records at one of the domain controllers, only to be told by the ACS:
adclient[2349]: INFO <fd:23 MS-RPC user authentication> base.bind.healing Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM
Is there anything I can do except request to have all the clients changed to use ad.example.com? This would of course be a major operation.
06-08-2010 03:16 AM
Replying to myself here.
Reading the release notes, I find bug CSCtb00427 under known issues, which describes exactly my problem.
As a workaround it suggests "Perform authentication with the host's NETBIOS name (for example, domainB\myhost$)," which I can see would help. I am currently looking for a way to make the clients do this, without much success; it is mostly WinXP SP3 with the native 802.1x supplicant here.
Trying to look up the bug in Cisco's bug toolkit to check the "fixed in" information, it tells me that the bug contains proprietary information and hence is not public. Not very helpful, seeing as the bug is documented in a release note.
Anybody have any suggestions?
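To make the mechanism behind both posts concrete, here is a small model of how a RADIUS server's AD client might derive the Kerberos realm from an 802.1X machine identity. This is an added illustration, not ACS code and not from the thread: the realm-derivation rules, the NetBIOS-domain-to-realm table (ADDOM → AD.EXAMPLE.COM) and the set of reachable realms are assumptions chosen to show why host/laptop.client.example.com lands in the wrong realm while the DOMAIN\host$ form from the workaround does not.

```python
"""
Model of how a RADIUS server's AD client derives the Kerberos realm from an
802.1X machine identity. Added illustration only; the derivation rules and
the tables below are assumptions, not the behaviour of any real product.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed mapping of NetBIOS domain names to the AD DNS names (realms) they
# belong to, as a joined client would learn them from the forest and trusts.
NETBIOS_TO_REALM: Dict[str, str] = {
    "ADDOM": "AD.EXAMPLE.COM",
}

# Assumed set of realms the server can actually contact (joined + trusted).
KNOWN_REALMS = {"AD.EXAMPLE.COM"}


@dataclass
class MachineIdentity:
    host: str    # short computer name without the trailing '$'
    realm: str   # realm in which the account will be looked up
    form: str    # "upn" for host/fqdn, "netbios" for DOMAIN\host$


def parse_machine_identity(identity: str) -> MachineIdentity:
    """Parse the outer EAP identity used for machine authentication."""
    if identity.startswith("host/"):
        fqdn = identity[len("host/"):]
        host, sep, suffix = fqdn.partition(".")
        if not sep:
            raise ValueError(f"host/ identity without DNS suffix: {identity!r}")
        # In this form the realm is inferred purely from the DNS suffix of the
        # computer name, which is exactly what breaks in a disjoint namespace.
        return MachineIdentity(host=host, realm=suffix.upper(), form="upn")

    if "\\" in identity:
        netbios, _, account = identity.partition("\\")
        if not account.endswith("$"):
            raise ValueError(f"not a machine account: {identity!r}")
        # In this form the realm comes from the NetBIOS domain name, which is
        # independent of the DNS suffix the computer happens to carry.
        realm = NETBIOS_TO_REALM.get(netbios.upper())
        if realm is None:
            raise ValueError(f"unknown NetBIOS domain: {netbios!r}")
        return MachineIdentity(host=account[:-1], realm=realm, form="netbios")

    raise ValueError(f"unrecognised machine identity format: {identity!r}")


def lookup_realm(identity: str) -> Optional[str]:
    """Return the realm the account would be searched in, or None when the
    derived realm is not one the server is joined to or trusts (the
    'connected to wrong domain' situation)."""
    ident = parse_machine_identity(identity)
    return ident.realm if ident.realm in KNOWN_REALMS else None


if __name__ == "__main__":
    # Constructed sample identities illustrating the two cases in the thread.
    for ident in ("host/laptop.client.example.com", "ADDOM\\laptop$"):
        print(f"{ident:35} -> {lookup_realm(ident)}")
```

Running the block shows the host/ form resolving to CLIENT.EXAMPLE.COM, which the server cannot serve, while the NetBIOS form resolves to AD.EXAMPLE.COM regardless of the computer's DNS suffix. Pointing SRV records for client.example.com at an AD.EXAMPLE.COM controller does not change the first case: the client still expects the realm named in the identity and, on connecting, sees a controller belonging to a different realm.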