Cisco ACS 5.2 and Active Directory integration

Unanswered Question
Apr 25th, 2012

Hi !

A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warnings: "Not all Active Directory user groups are retrieved successfully. One or more of the group's canonical name was not retrieved" (Category CSCOacs_Identity_Stores_Diagnostics; code 24457).

Question: What are the results of these warnings to the customer's network? Slow? Loss of access?

Thank you,


Eduardo Aliaga Sat, 05/12/2012 - 20:55

Hello. Could you please post the screenshot of the warnings?

I'm guessing there will be no problems because those groups are not retrieved and then you could not use them in the ACS rules.

On the other hand, do you have usernames with special characters? I have an issue when using PEAP EAP-MSCHAPv2 and non-English characters.

Amjad Abdullah Wed, 03/19/2014 - 23:02


That's very probably because ACS handles ASCII characters only.

In older versions (4.x) there was a known problem:


Problem: ACS Error Message - Not all user Active Directory groups are retrieved successfully...

Why is the "Not all user Active Directory groups are retrieved successfully. One or more of the group's canonical name was not retrieved" error message seen on ACS?


This issue occurs because Unicode characters are used in the group name on AD. Since ACS sees AD groups as ASCII text, the Unicode characters are not translated correctly. As a result, the group membership is not retrieved. Remove the Unicode character from the AD configuration in order to resolve this issue.



In the ACS 5.3 version I can see some of those issues are resolved, as per the release notes:

CSCtn26604: ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.

CSCto72918: ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.


However, I didn't find anything talking about non-ASCII usernames. But maybe that's applied.

Is it possible for you to make a test with version 5.3 or higher and check if it works?
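
An added example, not part of the original thread and not Cisco tooling: a PowerShell function that audits group names for characters outside 7-bit ASCII, the condition the quoted ACS 4.x note ties to this warning, and proposes an ASCII-only fallback name for review. The function name `Find-NonAsciiGroupName` and the sample group names are constructed for illustration; the commented `Get-ADGroup` line assumes the ActiveDirectory module is installed.

```powershell
# Added example: report group names that contain characters above U+007F.
function Find-NonAsciiGroupName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        # List every character outside 7-bit ASCII with its code point and position.
        $hits = for ($i = 0; $i -lt $Name.Length; $i++) {
            $c = $Name[$i]
            if ([int]$c -gt 0x7F) {
                'U+{0:X4} "{1}" at index {2}' -f ([int]$c), $c, $i
            }
        }
        if (-not $hits) { return }   # pure-ASCII name: nothing to report

        # Build a suggested ASCII-only name: decompose (NFD), drop combining
        # marks, and replace anything still outside ASCII with "_".
        $sb = [Text.StringBuilder]::new()
        foreach ($c in $Name.Normalize([Text.NormalizationForm]::FormD).ToCharArray()) {
            $cat = [Globalization.CharUnicodeInfo]::GetUnicodeCategory($c)
            if ($cat -eq [Globalization.UnicodeCategory]::NonSpacingMark) { continue }
            [void]$sb.Append($(if ([int]$c -gt 0x7F) { '_' } else { [string]$c }))
        }

        [pscustomobject]@{
            Name          = $Name
            NonAscii      = $hits -join '; '
            AsciiFallback = $sb.ToString()
        }
    }
}

# Constructed sample names (not taken from the thread's environment).
# [char] escapes keep this script file itself pure ASCII.
$sample = @(
    'Domain Admins'
    "Opera$([char]0xE7)$([char]0xE3)o-VPN"   # contains c-cedilla and a-tilde
    "Grupo~Rede'^"                           # ~ ' ^ are all within ASCII
    "Vertrieb-S$([char]0xFC)d"               # contains u-umlaut
)
$sample | Find-NonAsciiGroupName | Format-List

# Against a live directory (assumes the ActiveDirectory module):
# Get-ADGroup -Filter * | Select-Object -ExpandProperty Name | Find-NonAsciiGroupName
```

Of the characters listed in the question, only ç falls outside ASCII, so only names like the second and fourth samples are reported. The fallback name is a suggestion for review, since renaming a group affects anything that references it by name.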





