"24427 Access to Active Directory failed" error in ACS 5.1

Unanswered Question
Jan 3rd, 2011

Hello,

I'm working on implementing RADIUS authentication for wireless access with the following:

- PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),

- AP 1252 configured to use a RADIUS server to authenticate (it's working well with an ACS server 4.2),

- ACS Server 5.1.0.44.5 running as a VM connected to an AD domain and working well with VPN connections,

- AD domain running on Windows 2003 Server.

My ACS VM has been working well for a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point, but I'm getting this error: "24427 Access to Active Directory failed". I switched from PEAP to LEAP but it's the same.

All I can get from running the expert troubleshooter is:

Investigating failure code: 24427 Access to Active Directory failed
Checking if Active Directory is configured
Active Directory is configured
Attempting connection to Active Directory
Connection to Active Directory was successful.
Troubleshooting completed.

Click on Show Results Summary to view results.

I followed this guide, at least for the ACS certificate section:

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

Does anyone have an idea where the problem may come from?

Thanks in advance,

Vincent

fziliott Wed, 01/05/2011 - 01:54

Hi Vincent,

Does the AD user have dialin permissions enabled by any chance?
This is to confirm whether we may be hitting a known limitation.

To further investigate this we could collect some initial logs from ACS 5.1, in order to start isolating the issue:

1. Log in to the ACS command line and enable the following debugs:

admin# acs-config
Escape character is CNTL/D.

Username:
Password:

acsadmin(config-acs)# debug-adclient enable
acsadmin(config-acs)# debug-log mgmt level debug
acsadmin(config-acs)# debug-log runtime level debug

2. Recreate the issue a couple of times.

3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure of collecting the support bundle while checking the following options:

Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.

Regards,

Fede

--
If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

vfortrat@axians.com Wed, 01/05/2011 - 08:36

Hi Fede,

Thanks for your reply.

I used the administrator account to join the AD, I checked and it has dial-in permissions.

I have downloaded the ACS support bundle and tried to extract it, but all I can get is a .gpg file... how can I check the log files?

Since the max size for uploaded content is 50MB, I attached the entire file, which is 18MB.

FYI, I recreated the issue at 5:04PM.

Best regards,

Vincent

fziliott Wed, 01/05/2011 - 10:17

Thank you Vincent,

It looks like the support bundle was generated with encryption enabled.

Would it be possible to please re-generate it with the following options?

Encrypt Support Bundle = Unchecked <<< IMPORTANT

Include full configuration database = Unchecked

Include debug logs = All

Include local logs = All

Include core files = All

Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Regards,

Fede

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

vfortrat@axians.com Thu, 01/06/2011 - 01:01

Federico,

I don't see any option to enable or disable the encryption. It seems that this feature is only supported by ACS 5.2, and I'm using 5.1.

Best regards,

Vincent

fziliott Thu, 01/06/2011 - 01:24

That's right Vincent, sorry if I didn't include all the details in my previous message.

I already tried yesterday also to decrypt the bundle with one of our ACS 5.1, but it failed, so that's why I thought of asking anyway.

Maybe you could test to decrypt the support bundle from your side directly:

1. Load the support bundle to an FTP location.

2. Create an FTP repository on ACS to point to this FTP location.

3. SSH to ACS and enter the "acs-config" mode:

admin# acs-config

Escape character is CNTL/D.

Username:

Password:

acsadmin(config-acs)#

4. Then please decrypt the bundle with the following command:

decrypt-support-bundle acs-support-bundle-01-05-2011-17-05.tar.gz

Regards,

Fede

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

fziliott Thu, 01/06/2011 - 02:03

Hi Vincent,

As a further option, apart from trying to decrypt the support bundle on your side, could you maybe try to collect it one more time (being sure to include the logs from the last failure)?

If the previous one was corrupted, then the failure in decrypting it could be expected.

Regards,

Fede

vfortrat@axians.com Thu, 01/06/2011 - 03:23

I'm stuck at step 4, I am not able to decrypt the support bundle:

acs/ACSAdmin(config-acs)# decrypt-support-bundle pc_vincent_ftp acs_acs_support.tar.gpg
Decrypting Support Bundle...
Repository: pc_vincent_ftp
Support Bundle: acs_acs_support.tar.gpg
Unable to import file 'acs_acs_support.tar.gpg' from remote repository 'pc_vincent_ftp'

Looking at my FTP server log file, ACS doesn't even try to access the repository, which is working (I used it to load the patch file for ACS).

I tried using TFTP as well, but it doesn't work either. Did you manage to get this command working?

Regards,

Vincent

fziliott Thu, 01/06/2011 - 03:42

Hi Vincent,

That's exactly the very same error message I am getting.

Could you maybe test by recreating the issue today and re-download the support bundle with the logs just from today?

Then, without trying to uncompress the bundle with other tools, just attach it here (or even try to decrypt it yourself with the procedure I posted before).

I am suspecting that something got corrupted in the previous support bundle.

Regards,

Fede

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

vfortrat@axians.com Thu, 01/06/2011 - 06:45

As you suggested, I re-downloaded the support bundle, but I'm still not able to decrypt it.

Best regards,

Vincent

fziliott Thu, 01/06/2011 - 09:09

Hi Vincent,

The next best alternative I could think of is to collect the log files through "show" commands on the ACS command line:

show acs-logs filename ACSManagement.log

show acs-logs filename acsRuntime.log

show acs-logs filename ACSADAgent.log

You would need to log the full output of these three commands right after having recreated the issue.

In case you'd like to filter even further for a specific month (so as not to collect the logs from December as well, for example), you could also try the following syntax:

show acs-logs filename ACSManagement.log | i Jan

show acs-logs filename acsRuntime.log | i Jan

show acs-logs filename ACSADAgent.log | i Jan

Regards,

Fede

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

vfortrat@axians.com Fri, 01/07/2011 - 01:45

Hi Federico,

I did try to run the commands, but the log files are pretty big and almost impossible to copy/paste into a text file. Any idea how to download the full files from ACS?

Regards,

Vincent

fziliott Fri, 01/07/2011 - 03:08

Hi Vincent,

I know it's a bit of a pain :-(

You could maybe try to simply keep scrolling and logging the text output in the meantime (so no copy+paste needed).
In Putty for example, this can be done by right-clicking on the window's bar and selecting

change settings... > logging > all session output > (browse to where you'd like to save the file) > apply

Unfortunately, the only logs we can transfer through the "copy" command are those for ADE, which are not useful for our issue.
The debugging logs we are looking for are stored internally and cannot be retrieved via FTP for example with the standard commands. There is a patch that we could install to access the underlying Linux OS, but for us to publish this you would need to go through the official channel of a TAC case:
http://tools.cisco.com/ServiceRequestTool/create/launch.do

Regards,

Fede

--
If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

vfortrat@axians.com Tue, 01/11/2011 - 01:39

Hi Federico,

I'm currently out of the office for a couple of days. I'll let you know as soon as I have some more information to investigate our problem, probably on Friday.

Best regards,

Vincent

fziliott Tue, 01/11/2011 - 02:04

Thank you Vincent, looking forward to hearing back from you.

Regards,

Fede

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

vfortrat@axians.com Tue, 02/22/2011 - 09:26

Hi Federico,

I hope you're doing great since our last conversation.

Since my last post, I upgraded my ACS to version 5.2. I did exactly the same thing as previously with the 5.1 release and I'm getting the exact same error...

But now I'm able to generate a support bundle without encryption, so you will be able to take a look at the log files.

I experienced my authentication failure around 17:15 today.

Thanks again for your help,

Best regards,

Vincent

vfortrat@axians.com Wed, 02/23/2011 - 08:11

Hi,

I'm not giving up, so I did some additional tests today. I made it work by changing the protocol and/or the inner method used by the protocol. My conclusion is that each time I use MS-CHAP (v1 or v2) as the inner method it fails (LEAP, EAP-FAST or MS-PEAP), but each time I use EAP-GTC as the inner method it works (EAP-FAST and CISCO-PEAP).

I checked my ACS configuration. In the "allowed protocols" section of my default network access policy, the MS-CHAP inner method is allowed for PEAP and EAP-FAST.

Any idea what could cause the problem?

Thanks in advance,

Vincent

vfortrat@axians.com Wed, 01/04/2012 - 07:03

Hi,

My problem was gone for some time, and since yesterday I'm having trouble authenticating with any protocol using MSCHAP as the inner method. I upgraded my ACS server to 5.3.0.40 (patch 1) but the problem is still there.

Any idea or investigation tip to help?

Vincent

jonmarso_07 Wed, 01/04/2012 - 07:25

The AD user must have permissions to add and remove users and machines in the field.

And make sure your password is working perfectly; you can test by logging on to any machine in the field.

vfortrat@axians.com Wed, 01/04/2012 - 07:43

Hi Jonatas,

Thanks for your answer. My user is an administrator and has the right to add and remove users and machines. My password is working perfectly well.

Vincent

kushsrivastava Sat, 01/07/2012 - 11:31

Hi Vincent,

- Could you go to the AD configuration, click on "test connection" and check if it shows connected?

- Please log in to the ACS through SSH, do an nslookup of your domain name and check if it resolves.


Regards,

Kush

vfortrat@axians.com Mon, 01/09/2012 - 00:32

Hi,

Last week, I finally found out what was going on with my ACS, sometimes working, sometimes not working. It was actually not a problem on the ACS but on the Active Directory, particularly on my secondary domain controller. I don't know yet which feature or setting is wrong, but each time it assumes the role of domain controller (after a reboot of the primary, for example), my ACS fails to access the Active Directory.

I'll let you know if I have some more information about the problem.

Vincent

zacragoonath Fri, 07/20/2012 - 09:41

Hey there, I ran into the same issue with 5.3 and it turned out to be this bug. I came across your post looking for instructions on retrieving the logs. Thanks, mate.

link

Problem: Error "24495 Active Directory servers are not available"

Authentication starts failing with this error in the ACS 5.3 logs: 24495 Active Directory servers are not available.

Solution

Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:

Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch

If you see the "Running in disconnected mode: unlatch" error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to version 5.2. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.
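A small parser for ACSADAgent.log output of the kind quoted above, added here as an illustration; it is not code from the thread, from Cisco or from the ACS product. It shows what the `show acs-logs ... | i Jan` suggestion earlier in the thread actually does (a plain substring match that also catches any message containing "Jan"), filters on the timestamp month instead, flags the "Lost connection" / "Running in disconnected mode: unlatch" events, correlates them with the failure time reported by the user, and measures how long each unlatched period lasted. The log lines, host names and domain controller names are constructed; the year is a caller-supplied assumption because the syslog-style stamp carries none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `show acs-logs filename ACSADAgent.log` output, in the
# line format quoted in the thread. Host and DC names are placeholders.
SAMPLE_LOG = """\
Dec 28 09:12:01 acs01 adclient[30401]: INFO base.bind.healing Connected to dc1.example.test
Jan  5 17:03:55 acs01 adclient[30401]: INFO base.bind.healing Lost connection to dc1.example.test. Running in disconnected mode: unlatch
Jan  5 17:04:10 acs01 adclient[30401]: INFO base.bind.healing Running in disconnected mode: unlatch
Jan  5 17:09:42 acs01 adclient[30401]: INFO base.bind.healing Connected to dc2.example.test
Feb 22 17:15:03 acs01 adclient[30401]: INFO base.bind.healing Lost connection to dc2.example.test. Running in disconnected mode: unlatch
Feb 22 17:16:00 acs01 adclient[30401]: INFO base.bind.healing Janitor thread idle
"""

# "Mon  D HH:MM:SS host process[pid]: LEVEL component message"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>\S+): (?P<level>\S+) (?P<comp>\S+) (?P<msg>.*)$"
)

# Messages the Cisco note identifies as the AD connectivity symptom.
DISCONNECT_MARKERS = ("Lost connection to", "Running in disconnected mode: unlatch")


def parse_stamp(stamp, year):
    """Turn 'Mon D HH:MM:SS' into a datetime; the year is an assumption we supply."""
    mon, day, clock = stamp.split()
    return datetime.strptime(f"{mon} {int(day)} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_log(text, year):
    """Parse adclient records; lines that do not match (CLI prompts, --More--) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        events.append({
            "time": parse_stamp(f"{m['mon']} {m['day']} {m['time']}", year),
            "host": m["host"],
            "component": m["comp"],
            "msg": m["msg"],
        })
    return events


def substring_filter(text, needle):
    """Approximation of the CLI '| i <text>' filter: a substring match over the whole line."""
    return [line for line in text.splitlines() if needle in line]


def by_month(events, month_abbr):
    """Month filter applied to the parsed timestamp only, so message text cannot match."""
    return [e for e in events if e["time"].strftime("%b") == month_abbr]


def disconnect_events(events):
    """Events carrying one of the AD disconnect markers."""
    return [e for e in events if any(mark in e["msg"] for mark in DISCONNECT_MARKERS)]


def disconnects_near(events, when, minutes=10):
    """Disconnect events within +/- `minutes` of a reported authentication failure."""
    window = timedelta(minutes=minutes)
    return [e for e in disconnect_events(events) if abs(e["time"] - when) <= window]


def outage_windows(events):
    """Pair each 'Lost connection' with the next 'Connected to' to size the unlatched period.

    An outage with no later reconnect is reported with end=None (still disconnected
    at the end of the log).
    """
    windows, start = [], None
    for e in events:
        if "Lost connection to" in e["msg"] and start is None:
            start = e["time"]
        elif e["msg"].startswith("Connected to") and start is not None:
            windows.append({"start": start, "end": e["time"],
                            "seconds": int((e["time"] - start).total_seconds())})
            start = None
    if start is not None:
        windows.append({"start": start, "end": None, "seconds": None})
    return windows


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG, 2011)
    print(f"'| i Jan' would return {len(substring_filter(SAMPLE_LOG, 'Jan'))} lines, "
          f"timestamp filter returns {len(by_month(evs, 'Jan'))}")
    for e in disconnects_near(evs, parse_stamp("Feb 22 17:15:00", 2011)):
        print("near reported failure:", e["time"], e["msg"])
    for w in outage_windows(evs):
        print("AD unlatched from", w["start"], "until", w["end"], "(", w["seconds"], "s )")
```

Feed it the captured session log instead of `SAMPLE_LOG` (for example the PuTTY "all session output" file mentioned earlier in the thread); a disconnect window that overlaps each reported failure, or one with no reconnect at all, is the pattern the Cisco note describes.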

jrabinow Sun, 07/22/2012 - 00:00

The CDETS you refer to has been resolved on ACS 5.3 and is included in patch 3 and onwards. If you are going to install a patch on 5.3, I recommend taking the latest patch, which is patch 5. The workaround for the CDETS has been updated.

zacragoonath Sun, 07/22/2012 - 07:02

The patch is cumulative, so I would be able to go straight from, say, patch 2 to patch 5, right?

Posted January 3, 2011 at 11:26 AM