I'm running a cluster of ACS 5.1 doing 802.1x authentication against AD.
We currently have four AD domains with trust relationships going around. After sorting out some DNS related issues it is all working as it should, except for one of them where machine authentications fail.
Digging around I realize that it has been set up with disjoint namespaces. The AD is ad.example.com, but all the computer accounts have been registered as client.example.com. This means that machine authentications get sent as host/laptop.client.example.com, for example, causing the ACS to try and find the Active Directory of client.example.com instead of ad.example.com, which is where the machine accounts actually are.
Trying to be clever I configured the DNS zone for client.example.com to point the relevant kerberos and LDAP SRV records in the direction of one of the domain controllers, only to be told by the ACS:
adclient: INFO <fd:23 MS-RPC user authentication> base.bind.healing Lost connection to CLIENT.EXAMPLE.COM. Running in disconnected mode: Connected to wrong domain. Expected CLIENT.EXAMPLE.COM, connected to AD.EXAMPLE.COM
Is there anything I can do except request to have all the clients changed to use ad.example.com? This would of course be a major operation.
Re: ACS 5.1, active directory and disjoint namespaces
Replying to myself here.
Reading the release notes I find bug CSCtb00427 under known issues, which describes exactly my problem.
As a workaround it suggests "Perform authentication with the host's NETBIOS name (for example, domainB\myhost$)." which I can see would help. Currently looking for a way to make the clients do this without much success, mostly on WinXP SP3 with the native 802.1x supplicant here.
Trying to look up the bug in Cisco's bug toolkit to check the "fixed in" information, it tells me that the bug contains proprietary information and hence is not public. Not very helpful, seeing as the bug is documented in a release note.
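As an added example (not code from the thread or from Cisco), the following script audits the host/<fqdn> machine identities the ACS receives against the AD domain that really holds each computer account, flags the disjoint-namespace cases the bug affects, and derives the NETBIOS-style identity from the release-note workaround. The suffix-to-domain map and the NetBIOS names are constructed placeholders.

```python
# Added example, not from the original thread. Audits 802.1X machine identities
# ("host/<fqdn>") against the AD domain holding the account, flags disjoint
# namespaces, and derives the "DOMAIN\host$" identity from the workaround.
# The suffix map and NetBIOS names below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional

# Constructed: DNS suffix in the identity -> AD domain that holds the account.
SUFFIX_TO_AD_DOMAIN = {
    "ad.example.com": "ad.example.com",
    "client.example.com": "ad.example.com",  # disjoint namespace
}
# Constructed NetBIOS names for the AD domains.
NETBIOS_NAME = {"ad.example.com": "ADEXAMPLE"}


@dataclass(frozen=True)
class MachineAudit:
    identity: str
    host: str
    dns_suffix: str
    ad_domain: Optional[str]  # None: ACS would look for a domain that does not exist
    disjoint: bool            # True: the bug applies, NetBIOS form is needed
    netbios_identity: Optional[str]


def audit_identity(identity: str) -> MachineAudit:
    """Classify one 'host/<fqdn>' machine identity."""
    if not identity.lower().startswith("host/"):
        raise ValueError(f"not a machine identity: {identity!r}")
    fqdn = identity[len("host/"):].lower().rstrip(".")
    host, _, suffix = fqdn.partition(".")
    if not host or not suffix:
        raise ValueError(f"identity has no DNS suffix: {identity!r}")
    ad_domain = SUFFIX_TO_AD_DOMAIN.get(suffix)
    disjoint = ad_domain is not None and ad_domain != suffix
    netbios = NETBIOS_NAME.get(ad_domain) if ad_domain else None
    netbios_identity = f"{netbios}\\{host}$" if netbios else None
    return MachineAudit(identity, host, suffix, ad_domain, disjoint, netbios_identity)


def needs_workaround(identities):
    """Return the audits of identities that hit the disjoint-namespace bug."""
    return [a for a in map(audit_identity, identities) if a.disjoint]


if __name__ == "__main__":
    sample = ["host/laptop.client.example.com", "host/pc1.ad.example.com"]
    for audit in map(audit_identity, sample):
        print(audit)
```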