Cisco ACS 5.2 and Active Directory integration

Unanswered Question
Apr 25th, 2012

Hi !

A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warning: "Not all Active Directory user groups are retrieved successfully. One or more of the group's canonical name was not retrieved" (Category CSCOacs_Identity_Stores_Diagnostics; code 24457).


Question: What are the results of these warnings to the customer's network? Slow? Loss of access?


Thank you,

Leonardo.

Eduardo Aliaga Sat, 05/12/2012 - 20:55

Hello. Could you please post the screenshot of the warnings?

I'm guessing there will be no problems because those groups are not retrieved and then you could not use them in the ACS rules.

On the other hand, do you have usernames with special characters? I have an issue when using PEAP EAP-MSCHAPv2 and non-English characters.

nkumarsr Wed, 03/19/2014 - 20:13

Just to share:

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113571-acs5-ad-int-config-00.html

Amjad Abdullah Wed, 03/19/2014 - 23:02

Hi,

That's highly probable, because ACS handles ASCII characters only.

In older versions (4.x) there was a known problem:

'''snip'''

Problem: ACS Error Message - Not all user Active Directory groups are retrieved successfully...

Why is the "Not all user Active Directory groups are retrieved successfully. One or more of the group's canonical name was not retrieved" error message seen on ACS?

Solution

This issue occurs because Unicode characters are used in the group name on AD. Since ACS sees AD groups as ASCII text, the Unicode characters are not translated correctly. As a result, the group membership is not retrieved. Remove the Unicode character from the AD configuration in order to resolve this issue.

'''snip'''

In the ACS 5.3 version I can see some of those issues are resolved, as per the release notes:

CSCtn26604    ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.

CSCto72918    ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.

However, I didn't find anything talking about non-ASCII usernames. But maybe that applies as well.

Is it possible for you to make a test with version 5.3 or higher and check if it works?

Regards,

Amjad
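The Cisco document quoted above attributes the warning to non-ASCII (Unicode) characters in AD group names. As an added example that is not part of this thread or of any Cisco tool, the Python script below parses a constructed LDIF export of group DNs (RFC 2849 base64-encodes non-ASCII values with `::`), rebuilds the canonical names ACS would display, and reports which groups contain non-ASCII characters, so an administrator can see which groups cannot be relied on in ACS authorization rules before the identity store is synced. The group names, domain and LDIF content are all constructed sample data.

```python
import base64
import re
import unicodedata

def ldif_line(attr, value):
    """Encode one LDIF attribute line; RFC 2849 requires base64 (::) for non-ASCII values."""
    if value.isascii():
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

# Constructed sample export (not from the thread). The first two groups are pure ASCII,
# including the ~ and ' mentioned in the question; the third contains ç and ã.
SAMPLE_GROUP_DNS = [
    "CN=NetOps,OU=Groups,DC=example,DC=com",
    "CN=VPN~Admin's,OU=Groups,DC=example,DC=com",
    "CN=Grupo Operação,OU=Groups,DC=example,DC=com",
]
SAMPLE_LDIF = "\n\n".join(ldif_line("dn", dn) for dn in SAMPLE_GROUP_DNS) + "\n"

def parse_ldif_dns(text):
    """Return the decoded dn value of every entry in an LDIF dump."""
    dns = []
    for line in text.splitlines():
        if line.startswith("dn:: "):          # base64-encoded (non-ASCII) value
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):         # plain ASCII value
            dns.append(line[4:])
    return dns

def canonical_name(dn):
    """Convert an LDAP DN to the AD canonical name, e.g. example.com/Groups/NetOps."""
    rdns = [r.split("=", 1) for r in re.split(r"(?<!\\),", dn)]   # split on unescaped commas
    domain = ".".join(v for k, v in rdns if k.upper() == "DC")
    path = [v.replace("\\,", ",") for k, v in reversed(rdns) if k.upper() != "DC"]
    return domain + "/" + "/".join(path)

def audit_groups(ldif_text):
    """Map each canonical name to the non-ASCII characters it contains (empty list = safe)."""
    report = {}
    for dn in parse_ldif_dns(ldif_text):
        name = canonical_name(dn)
        report[name] = sorted({f"{c} (U+{ord(c):04X} {unicodedata.name(c, '?')})"
                               for c in name if ord(c) > 127})
    return report

if __name__ == "__main__":
    for name, bad in audit_groups(SAMPLE_LDIF).items():
        print(("AT RISK " if bad else "ok      ") + name, ", ".join(bad))
```

Feed it a real `ldifde` or `ldapsearch` export of the group OU instead of `SAMPLE_LDIF`; any group listed as AT RISK is one the ACS 5.2 diagnostic above says will not be retrieved.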

Posted April 25, 2012 at 6:54 AM