Cisco ACS 5.2 and Active Directory integration

ltobal (Level 1)

Hi !

A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warning:

"Not all Active Directory user groups are retrieved successfully. One or more of the group's canonical name was not retrieved" (Category CSCOacs_Identity_Stores_Diagnostics; code 24457).


Question: What are the consequences of these warnings for the customer's network? Slowness? Loss of access?


Thank you,

Leonardo.

3 Replies

Eduardo Aliaga (Level 4)

Hello. Could you please post a screenshot of the warnings?

I'm guessing there will be no problems, because those groups are not retrieved and so you could not use them in the ACS rules.

On the other hand, do you have usernames with special characters? I have an issue when using PEAP EAP-MSCHAPv2 and non-English characters.

Naveen Kumar (Level 4)

Just to share:

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113571-acs5-ad-int-config-00.html

Amjad Abdullah (VIP Alumni)

Hi,

That's most probably because ACS handles ASCII characters only.

In older versions (4.x) there was a known problem:

'''snip'''

Problem: ACS Error Message - Not all user Active Directory groups are retrieved successfully...

Why is the "Not all user Active Directory groups are retrieved successfully. One or more of the group's canonical name was not retrieved" error message seen on ACS?

Solution

This issue occurs because unicode characters are used in the group name on AD. Since ACS sees AD groups as ASCII text, the unicode characters are not translated correctly. As a result, the group membership is not retrieved. Remove the unicode character from the AD configuration in order to resolve this issue.

'''snip'''

 

In ACS 5.3 I can see that some of those issues are resolved, as per the release notes:

CSCtn26604: ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.

CSCto72918: ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.

 

However, I didn't find anything talking about non-ASCII usernames. But maybe that applies as well.


Is it possible for you to make a test with version 5.3 or higher and check if it works?

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"
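As an added example (not code from the thread or from Cisco), the following Python script shows the failure mode Amjad describes and gives the customer a way to find the affected groups before touching AD: it takes a list of group canonical names, simulates an ASCII-only consumer by attempting a strict ASCII encoding, reports which groups would be dropped and which characters cause it, and proposes a diacritic-stripped rename. The sample names are constructed for illustration; the domain `example.local`, the group names and the function names are assumptions, and whether ACS 5.2 behaves exactly like this simulation is the thread's hypothesis, not something the script verifies.

```python
"""Flag Active Directory group canonical names that an ASCII-only AAA server
would fail to retrieve, and suggest ASCII-safe renames.

Added example for the thread above; not Cisco ACS code. Sample data is constructed.
"""
import unicodedata

# Constructed sample of canonical names, as they might come out of an LDAP/AD
# export of the customer's domain. Domain and group names are assumptions.
SAMPLE_GROUPS = [
    "example.local/Users/Domain Admins",
    "example.local/Groups/Funcionários",   # contains 'á' (non-ASCII)
    "example.local/Groups/Operação",       # contains 'ç' and 'ã' (non-ASCII)
    "example.local/Groups/Network~Ops",    # '~' is plain 7-bit ASCII
    "example.local/Groups/Admin's^Team",   # "'" and '^' are ASCII as well
]


def non_ascii_chars(name):
    """Return the characters in name that fall outside 7-bit ASCII (code point > 0x7F)."""
    return [c for c in name if ord(c) > 0x7F]


def ascii_retrievable(name):
    """Simulate an ASCII-only consumer: the name survives only if it encodes
    to ASCII without error. This models the thread's hypothesis, not ACS itself."""
    try:
        name.encode("ascii")
        return True
    except UnicodeEncodeError:
        return False


def audit_groups(groups):
    """Split groups into (retrievable, dropped); dropped entries carry the
    offending characters so an admin knows what to rename."""
    ok, dropped = [], []
    for group in groups:
        if ascii_retrievable(group):
            ok.append(group)
        else:
            dropped.append((group, non_ascii_chars(group)))
    return ok, dropped


def ascii_fallback(name):
    """Suggest an ASCII-only rename by decomposing accented letters (NFKD) and
    discarding the combining marks. Letters with no ASCII base form (e.g. 'ß')
    are dropped entirely, so the suggestion must be reviewed before use."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if ord(c) < 0x80)


if __name__ == "__main__":
    retrievable, dropped = audit_groups(SAMPLE_GROUPS)
    print(f"{len(retrievable)} group(s) retrievable, {len(dropped)} would be dropped")
    for group, bad in dropped:
        print(f"DROPPED: {group!r}  non-ASCII chars: {bad}  "
              f"suggested rename: {ascii_fallback(group)!r}")
```

On a real domain, feed the function the `CanonicalName` values returned by an AD query (for example `Get-ADGroup -Filter * -Properties CanonicalName` in PowerShell, exported to a text file) instead of the constructed list. Note that the characters the original post lists (`~`, `'`, `^`) are all 7-bit ASCII and pass the check; only `ç` and other accented letters would be flagged, which matches Amjad's reasoning that Unicode rather than punctuation is the trigger.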