ACS 5.1, active directory and disjoint namespaces

heriomortis
Level 1

I'm running a cluster of ACS 5.1 doing 802.1x authentication against AD.

We currently have four AD domains with trust relationships going around. After sorting out some DNS related issues it is all working as it should, except for one of them where machine authentications fail.

Digging around I realize that it has been set up with disjoint namespaces. The AD is ad.example.com, but all the computer accounts have been registered as client.example.com. This means that machine authentications get sent as host/laptop.client.example.com, as an example, causing the ACS to try and find the Active Directory of client.example.com instead of ad.example.com, which is where the machine accounts actually are.

Trying to be clever, I configured the DNS zone for client.example.com to point the relevant Kerberos and LDAP SRV records in the direction of one of the domain controllers, only to be told by the ACS:

adclient[2349]: INFO  <fd:23 MS-RPC user authentication> base.bind.healing Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM

Is there anything I can do except request to have all the clients changed to use ad.example.com? This would of course be a major operation.

1 Reply

heriomortis
Level 1

Replying to myself here.

Reading the release notes I find bug CSCtb00427 under known issues, which describes exactly my problem.

As a workaround it suggests "Perform authentication with the host's NETBIOS name (for example, domainB\myhost$)", which I can see would help. Currently looking for a way to make the clients do this without much success, mostly on WinXP SP3 with the native 802.1x supplicant here.

Trying to look up the bug in Cisco's bug toolkit to check the "fixed in" information, it tells me that the bug contains proprietary information and hence is not public. Not very helpful, seeing as the bug is documented in a release note.

Anybody have any suggestions?
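As an added example that is not part of the original thread (nor Cisco's code), the Python below models the two things the posts describe: an authenticator that infers the AD domain from the DNS suffix of a host/fqdn machine identity, which in a disjoint namespace points at a domain that does not exist, versus the NetBIOS-style DOMAIN\host$ identity from the release-note workaround, which names the domain explicitly. It also models the sanity check behind the "Connected to wrong domain" log line, which is why redirecting the client.example.com SRV records to ad.example.com's domain controllers was rejected. The domain list, the NetBIOS name ADEXAMPLE, the suffix-to-domain map and the sample identities are constructed assumptions; the real values are not in the posts.

```python
"""Added example (not from the original post or from Cisco ACS): how machine
identities from an 802.1x supplicant map to an AD domain, and why a disjoint
DNS namespace breaks the host/fqdn form but not the NetBIOS form."""

import re
from dataclasses import dataclass

# Constructed: AD domains known to the authenticator and their NetBIOS names.
# Assumption: the NetBIOS name of ad.example.com is "ADEXAMPLE".
AD_DOMAINS = {"ad.example.com": "ADEXAMPLE", "corp.example.net": "CORP"}
NETBIOS_TO_DOMAIN = {nb: dom for dom, nb in AD_DOMAINS.items()}

# Constructed: disjoint-namespace map. Computers whose DNS suffix is
# client.example.com actually have their accounts in ad.example.com.
DISJOINT_SUFFIXES = {"client.example.com": "ad.example.com"}


@dataclass
class MachineIdentity:
    host: str    # short host name of the machine account
    domain: str  # AD domain the account would be looked up in
    source: str  # how the domain was derived


def parse_identity(identity, disjoint=None):
    """Parse a machine-auth identity in one of the two forms seen on the page.

    host/laptop.client.example.com  -> domain inferred from the DNS suffix
    ADEXAMPLE\\laptop$              -> domain named explicitly (NetBIOS form)
    """
    disjoint = disjoint or {}
    m = re.fullmatch(r"host/([^./]+)\.([^/]+)", identity)
    if m:
        host, suffix = m.group(1), m.group(2).lower()
        if suffix in disjoint:
            return MachineIdentity(host, disjoint[suffix], "dns-suffix (disjoint map)")
        return MachineIdentity(host, suffix, "dns-suffix")
    m = re.fullmatch(r"([^\\/]+)\\([^\\/]+)\$", identity)
    if m:
        netbios, host = m.group(1).upper(), m.group(2)
        if netbios not in NETBIOS_TO_DOMAIN:
            raise ValueError(f"unknown NetBIOS domain {netbios}")
        return MachineIdentity(host, NETBIOS_TO_DOMAIN[netbios], "netbios")
    raise ValueError(f"unrecognised machine identity: {identity!r}")


def resolve_lookup_domain(identity, disjoint=None):
    """Return (domain the authenticator would search, whether it is a real AD domain).

    Without a disjoint map, host/laptop.client.example.com yields
    client.example.com, which is not an AD domain: the failure from the post.
    """
    ident = parse_identity(identity, disjoint)
    return ident.domain, ident.domain in AD_DOMAINS


def dc_domain_matches(expected_domain, dc_reported_domain):
    """Model of the check behind 'Expected CLIENT.EXAMPLE.COM, connected to
    AD.EXAMPLE.COM': the DC reached via SRV records must report the domain the
    authenticator expected. Pointing client.example.com's SRV records at an
    ad.example.com DC therefore fails even though the DC holds the accounts.
    (Modelled as a case-insensitive name comparison; an assumption.)"""
    return expected_domain.lower() == dc_reported_domain.lower()


if __name__ == "__main__":
    for ident, disjoint in [
        ("host/laptop.client.example.com", None),          # the failing case
        ("host/laptop.client.example.com", DISJOINT_SUFFIXES),  # disjoint-aware lookup
        ("ADEXAMPLE\\laptop$", None),                      # release-note workaround
    ]:
        print(ident, "->", resolve_lookup_domain(ident, disjoint))
    print("SRV redirect accepted:", dc_domain_matches("CLIENT.EXAMPLE.COM", "AD.EXAMPLE.COM"))
```

The disjoint map is included only to show what an authenticator would need in order to resolve the host/fqdn form correctly; the posts do not say that ACS 5.1 offers such a mapping, and the workaround they cite instead changes the identity the client sends.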