ACS 5.2 does not check Active Directory changes

Answered Question
Oct 14th, 2010

Hi all,


I am working with ACS 5.2 and using RADIUS authentication for VPN clients.


The authentication method used is Active Directory in a Windows environment with multiple domains in the same forest.


My problem occurs when I change a user from one group to another in Active Directory. After that I receive the following message when trying to connect:


15039 Selected Authorization Profile is DenyAccess


The message appears because the request matches the default policy.


Another user in the same AD group works fine.


All domains in the forest have trust relationships with each other.


I am using universal groups to include users from all domains belonging to this forest.


Can anyone help me?


Regards

Correct Answer
jrabinow Thu, 10/14/2010 - 15:34
User Badges: Cisco Employee

Is your authentication rule matching against a single AD group?

You can check which groups were retrieved for the user as follows:

- Go to "Monitoring and Troubleshooting".
- Select Authentications - RADIUS - Today.
- Find the entry that did not match and click on the details icon.
- Expand the "Authentication Details" section. Look under "Other Attributes"; the groups retrieved from AD for the user will be listed there.

cpfl_vzuben Fri, 10/15/2010 - 06:57

Hi Jrabinow,


This is a problem.


I checked which groups the user belongs to and I didn't find the group that matches the policy. But it's a problem, because I checked in Active Directory which groups the user belongs to and there are 2 groups that ACS does not find.


Properties of this user were changed in Active Directory some days ago and do not appear in ACS.


Is it possible that ACS keeps a cache of these attributes and doesn't check AD to update these settings?


I have another ACS, version 4.1, here and the same problem occurs.


Thanks,


Best Regards,

Evandro

cpfl_vzuben Tue, 10/19/2010 - 08:36

Hi Jrabinow,


After you helped me with those instructions, I could see in the ACS log that the Global Catalog server was not updated. Then I changed the DNS server address on the ACS server.


After changing the DNS server, ACS started to check another Global Catalog server in the AD forest.


So far the problem is resolved. I believe this problem was in AD, not in the ACS server.


Best Regards,

Evandro

mohankumarm Mon, 09/03/2012 - 02:20

Dear all,


Hope you can help me with a similar issue I am facing on migration from Cisco ACS 4.1.24 to Cisco ACS 5.3.0.40 and testing RADIUS authentication for VPN client users.


The authentication method used is external Active Directory, and for some users authenticating to the external AD via ACS, the following message is obtained:

"15039 Selected Authorization Profile is DenyAccess", which results in an authentication failure.

Other users in the same AD group seem to work fine, and there are no changes performed on the AD for any of the concerned users.


Looking at the detail report for the user confirms that no attributes are returned to RADIUS (under the "Other Attributes" field) from the external server. RADIUS also returns the following messages:

"24412 User not found in Active Directory"

"22056 Subject not found in the applicable identity store(s)"


Within the ACS identity sequence in the ID store, the sequence is set to match on AD first and then Internal Users. The identity for the default network profile (for RADIUS users) is configured to the general sequence. The same user(s) seem to work fine when switched to ACS 4.

We are also looking at a possible NTP sync issue between the ACS and AD, any NTLM/Kerberos auth issues, or any issues related to applying the latest ACS patch to the box. Please let me know if there are any AD-related configs to be modified.


Any help will be appreciated.


Thanks and Regards.

Alex Pfeil Wed, 11/02/2016 - 11:38

We had an issue where ACS was doing Active Directory authentication lookup to the Global Catalog server. We were seeing "user not found in Active Directory". The issue was that the user had the same account login in two different domains. The Windows administrator removed one of the accounts and authentication started working immediately after replication.


24412 User not found in Active Directory


Thanks,


Alex
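A check that covers both root causes reported in this thread (a Global Catalog that had not replicated the user's new group membership, and the same login existing in two domains of the forest), as an added example that is not part of any post above. It assumes the RSAT ActiveDirectory module; the account name and the two server names are placeholders.

```powershell
# Added example, not from the thread. Compares what a Global Catalog returns for a
# user with what an authoritative DC in the user's own domain returns, and flags the
# same sAMAccountName appearing in more than one domain of the forest.
param(
    [string]$SamAccountName = 'jdoe',                    # placeholder test account
    [string]$GlobalCatalog  = 'gc01.corp.example',       # placeholder: the GC ACS resolves to
    [string]$DomainDC       = 'dc01.child.corp.example'  # placeholder: a DC in the user's domain
)
Import-Module ActiveDirectory

# 1. Duplicate logins across the forest. Port 3268 is the GC LDAP port; an empty
#    SearchBase searches the whole forest. More than one hit is the condition that
#    produced "24412 User not found in Active Directory" in the last post.
$gcEntries = @(Get-ADObject -LDAPFilter "(&(objectClass=user)(sAMAccountName=$SamAccountName))" `
    -Server "$($GlobalCatalog):3268" -SearchBase '' -SearchScope Subtree `
    -Properties distinguishedName, memberOf)
if ($gcEntries.Count -gt 1) {
    Write-Warning "sAMAccountName '$SamAccountName' exists in $($gcEntries.Count) domains:"
    $gcEntries | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
}

# 2. Stale Global Catalog. Only universal group membership is visible through a GC
#    from another domain, which matches the universal groups used in this thread.
$gcGroups = @($gcEntries | ForEach-Object { $_.memberOf })
$dcUser   = Get-ADUser -Identity $SamAccountName -Server $DomainDC -Properties memberOf
$dcGroups = @($dcUser.memberOf)

$diff = Compare-Object -ReferenceObject $dcGroups -DifferenceObject $gcGroups
if ($diff) {
    Write-Warning "Group membership differs between $DomainDC and $GlobalCatalog :"
    $diff | ForEach-Object {
        $where = if ($_.SideIndicator -eq '<=') { 'only on DC' } else { 'only on GC' }
        Write-Warning "  [$where] $($_.InputObject)"
    }
    # Show the GC's inbound replication state to see which partition is behind.
    Get-ADReplicationPartnerMetadata -Target $GlobalCatalog -PartitionFilter All |
        Select-Object Server, Partition, Partner, LastReplicationSuccess, LastReplicationResult |
        Format-Table -AutoSize
} else {
    Write-Host "Group membership for $SamAccountName matches between $GlobalCatalog and $DomainDC."
}
```

If the DC and GC disagree, the groups listed under "Other Attributes" in the ACS authentication details should match the GC side, which confirms that ACS is reading a GC that has not caught up rather than caching the result itself.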
