Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.2 Authentication Issue with Local & Global ADs

Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),

- Wireless Users >> Cisco WLC >> ADs <-- everything OK

- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem

Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.

Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
For the user from the old group, authentication is ok.
For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.

Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.

Can anyone advice to troubleshoot the issue?

Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
How can we check or make sure it?

Thanks ahead,
Ye

3 REPLIES
Silver

ACS 5.2 Authentication Issue with Local & Global ADs

Hello,

You are experiencing a behavior related to the following caveats:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd16392

Or:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc12396

Those might not be an exact match but I have seen related issues where:

1) ACS Administrators just wait a couple of hours until the ACS starts getting the correct group memebership.

2) Configure two authorization policies. One includes the "old" group as the condition and the other contains the "new" group as the condition. As you as you see hitcounts on the "new" group rule you can delete the old group rule. At this point the ACS is querying the AD and properly retrieve the group information for the AD account. This will keep the authentication up and running.

Hope this helps.

Regards.

New Member

ACS 5.2 Authentication Issue with Local & Global ADs

Dear Sir,

Thanks a lot for your kind response. One more question,

is there any way to configure AD domain with priorities? (same domain with different IPs)

My customer is at Singapore, they have 2 local ADs (same domain) syncing to Global ADs. Whenever there is a change in Local AD / in Global AD, it can impact to ACS. For ACS site, how can we know "ACS is querying to which AD"?

It's already alive at customer site, I will go down and update the status again.

Thanks & Regards,

Ye

Silver

ACS 5.2 Authentication Issue with Local & Global ADs

Hello,

There is an enhacement request open already:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062

ACS should be able to query only desired DCs

Symptom:
Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.

If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.

A lot of customers are asking for a change on this behavior.
It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.

Conditions:
Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.

Workaround:
Make sure ALL DCs are UP and reachable from the ACS.

At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.

Hope this clarifies it.

Regards.

439
Views
0
Helpful
3
Replies
CreatePlease to create content