I am having a problem getting ACS to authenticate against Active Directory usernames. I am trying to use AD names to log on to both a 2600 switch and an ASA 5505. I can log on with ACS local names without a problem. I have followed the External Database setup guide but continue to receive 'Internal Error' messages in the Failed Attempts failure code when trying to use AD usernames.
Thanks a lot for your time on this issue m8. I have already followed the steps you suggested; however, it encouraged me to dive back into the stuff and dig some. Here is what I have previously done:

1) Created a user in AD. Gave it the "Start as a service" and "Act like a part of the bla bla" rights in the default domain controller policy.
2) Installed Secure ACS on the domain controller. Chose that Windows Database thing.
3) Configured the ASA as an AAA client, and also made the necessary config on the ASA. Authentication with a user created in the ACS database is successful.
4) Configured the 6 or 7 services whose names start with "Cs.." to start with the account I first created, just as it is mentioned in the Cisco doc. Although Cisco mentioned that it is enough for that account to have read permissions ("Domain Users" group membership) and the specific permissions above, the services did not start. Then I put the user in the "Administrators" group and all worked fine. Just in case, I added it to the "Domain Admins" group as well.
5) Made sure that "Windows Database" exists under "Check the following external user databases" under "Selected Domains".
6) Under "Database Group Mappings", clicked on "New Configuration" and selected the domain.
Problem: Remote agent cannot authenticate Windows user accounts. You receive this error message in the remote agent log:

NTLIB: Windows authentication FAILED (error 6L)

Cause: Insufficient privileges for the remote agent to perform authentication.

Resolution: The remote agent must be given the right permissions (select local admin rights) in order to communicate with ACS. In most cases, you can install the remote agent on a member server instead of the domain controller in order to resolve this issue.
I specified a Domain Admin account for your services and you don't like this? Anyway, after some trial and error, I got the tried-and-true.

I changed the service "Log On" back to "Local system account" instead of logging on with the Domain Admin account. (Start > Run > services.msc, the contiguous services that start with CS)
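To see at a glance which of the "CS" services are stopped or still running under an over-privileged account (the Domain Admins membership from step 4 above), here is an added PowerShell check that is not part of the thread or of Cisco's documentation. It assumes it runs on the ACS host and that the ActiveDirectory module (RSAT) is available for the group lookup; without it the script still reports logon account and state.

```powershell
# Added example, not from the thread: audit the ACS services whose names start
# with "CS" for logon account and state, and flag Domain Admin logon accounts.
$domainAdmins = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Recursive so nested group membership is caught as well.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'CS%'" | ForEach-Object {
    $issues = @()
    if ($_.State -ne 'Running') { $issues += "state=$($_.State)" }
    # StartName is 'LocalSystem' or 'DOMAIN\account'; keep only the account part.
    $account = ($_.StartName -split '\\')[-1]
    if ($_.StartName -ne 'LocalSystem' -and $domainAdmins -contains $account) {
        $issues += 'runs as a member of Domain Admins'
    }
    [pscustomobject]@{
        Service = $_.Name
        LogOnAs = $_.StartName
        State   = $_.State
        Issues  = ($issues -join '; ')
    }
} | Format-Table -AutoSize
```

An empty Issues column for every CS service means they are all running and none is bound to a Domain Admin account; a stopped service with a non-LocalSystem logon is the "Internal Error" / "error 6L" situation described above.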