Last time I tested with ACS, it worked, but we didn't do the migration as there would be changes from the ADs.
Now my customer wants to do the ACS migration by creating a new group in AD; I also updated the ACS config. For a user from the old group, authentication is OK. For a user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
It seems like ACS is querying old records (its own cache or database). I already restarted the ACS, but it is still the same error.
Can anyone advise on how to troubleshoot the issue?
Note: My customer can only access their local ADs (trusted by the Global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first. How can we check or make sure of it?
Those might not be an exact match, but I have seen related issues where:
1) ACS administrators just wait a couple of hours until the ACS starts getting the correct group membership.
2) Configure two authorization policies. One includes the "old" group as the condition and the other contains the "new" group as the condition. As soon as you see hit counts on the "new" group rule, you can delete the old group rule. At this point the ACS is querying the AD and properly retrieves the group information for the AD account. This will keep the authentication up and running.
ACS 5.2 Authentication Issue with Local & Global ADs
Thanks a lot for your kind response. One more question:
Is there any way to configure an AD domain with priorities (same domain with different IPs)?
My customer is in Singapore; they have 2 local ADs (same domain) syncing to the Global ADs. Whenever there is a change in a local AD or in a Global AD, it can impact ACS. From the ACS side, how can we know which AD the ACS is querying?
It's already live at the customer site; I will go down and update the status again.
Symptom: Currently on 5.0 and 5.1, the ACS queries the DNS with the domain in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change in this behavior. It should be possible to define which DCs to contact and/or make ACS interpret the DNS resource records registered by the Active Directory domain controllers to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions: Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
Workaround: Make sure ALL DCs are UP and reachable from the ACS.
At the moment, we cannot determine which domain controller in the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate domain controllers the ACS should contact for an AD domain.
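To make the two points in this reply concrete (how a client locates DCs through SRV records, and why "all DCs must be reachable" matters for ACS 5.0/5.1), here is an added example script that is not part of this thread or of ACS itself. It parses a constructed set of SRV answers for a placeholder domain (example.local, site name Singapore, host names dc1-sg etc. are all made up), orders the DCs the way an RFC 2782 client would honour priority and weight, and lists the DCs that a "contact every DC" client such as the one described above would fail on when they are unreachable. The `_ldap._tcp.dc._msdcs.<domain>` and `_ldap._tcp.<site>._sites.dc._msdcs.<domain>` names are the standard AD locator records; the reachability probe is a plain TCP connect to the port in the record.

```python
import random
import socket
from collections import defaultdict

# Constructed SRV answers in zone-file style, as a resolver might return them
# for an AD domain. Domain, site and host names are placeholders, not real hosts.
CONSTRUCTED_SRV_ANSWERS = """
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc1-sg.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc2-sg.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 10 100 389 dc1-global.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 10 50 389 dc2-global.example.local.
"""


def ad_srv_names(domain, site=None):
    """SRV names a domain client queries to find LDAP-capable DCs.
    The site-specific name is tried first so that local DCs are preferred."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def parse_srv(text):
    """Parse zone-file style SRV lines into dicts (priority, weight, port, target)."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue
        records.append({
            "name": fields[0].rstrip("."),
            "priority": int(fields[4]),
            "weight": int(fields[5]),
            "port": int(fields[6]),
            "target": fields[7].rstrip("."),
        })
    return records


def order_by_rfc2782(records, seed=None):
    """Order targets as an RFC 2782 client should: lowest priority first,
    weighted-random within a priority (higher weight is picked earlier more often).
    A fixed seed makes the order reproducible for testing."""
    rng = random.Random(seed)
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec["priority"]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        group = list(by_priority[prio])
        while group:
            total = sum(r["weight"] for r in group)
            if total == 0:
                pick = group[0]  # all weights zero: any order is acceptable
            else:
                point = rng.randint(0, total - 1)
                running = 0
                for rec in group:
                    running += rec["weight"]
                    if point < running:
                        pick = rec
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_dcs(records, probe=probe_tcp):
    """DCs that fail the probe. For a client that must reach every DC it learns
    from DNS (the 5.0/5.1 behaviour described in the thread), any entry here
    means the whole domain connection is declared failed."""
    return sorted({r["target"] for r in records if not probe(r["target"], r["port"])})


if __name__ == "__main__":
    recs = parse_srv(CONSTRUCTED_SRV_ANSWERS)
    print("query names:", ad_srv_names("example.local", site="Singapore"))
    print("RFC 2782 order:", [r["target"] for r in order_by_rfc2782(recs, seed=1)])
    print("unreachable:", unreachable_dcs(recs))
```

Running the script against real DNS answers (replace the constructed text with the output of `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` from the ACS's network) shows both what the DNS advertises and which of those DCs the ACS cannot reach, which is exactly the list the workaround asks you to clear before the domain join will succeed.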