Re: ACS 5.2 does not check Active directory changes
This is a problem.
I checked which groups the user belongs to and I didn't find the group that matches the policy. But it's a problem, because I checked in Active Directory which groups the user belongs to and there are 2 groups that ACS does not find.
Properties of this user were changed in Active Directory some days ago and do not appear in ACS.
Is it possible that ACS keeps a cache of these attributes and doesn't check AD to update these settings?
I have another ACS vs 4.1 here and the same problem occurs.
Hope you can help me with a similar issue I am facing on migration from Cisco ACS 4.1.24 to Cisco 126.96.36.199
and testing Radius authentication for vpn client users.
The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:
"15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.
Other users on the same AD group seem to work fine and there are no changes performed on the AD for any of the concerned users.
Looking at the detail report for the user confirms that no attributes are returned to the Radius (under the other attributes field) from the external server. The Radius also returns the following messages:
"24412 User not found in Active Directory"
"22056 Subject not found in the applicable identity store(s)"
Within the ACS Identity sequence in the ID store, the sequence is set to match on AD first and then Internal user. The Identity for the default network profile (for Radius users) is configured to General sequence. The same user/s seem to work fine when switched to ACS4.
We are also looking at possible NTP sync issue with the ACS/AD or any NTLM/Kerberos auth issues or any issues related to applying the latest ACS patch to the box. Please let me know if there are any AD related configs to be modified.
We had an issue where ACS was doing Active Directory authentication lookup to Global Catalog Server. We were seeing user not found in Active Directory. The issue was that the user had the same account login in two different domains. The Windows administrator removed one of the accounts and authentication started working immediately after replication.
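The duplicate-account condition described in the last reply can be checked directly against a Global Catalog. The following is an added example, not part of the original thread: it assumes the RSAT ActiveDirectory module is available, and the server name `gc01.example.com` is a placeholder.

```powershell
# Added example: list logon names that exist in more than one domain of the forest.
# Assumption: $GcServer is a placeholder for one of your Global Catalog servers
# (port 3268 is the Global Catalog LDAP port).
Import-Module ActiveDirectory

$GcServer = 'gc01.example.com:3268'   # placeholder, replace with a real GC

# An empty SearchBase against the GC port searches every domain partition.
$users = Get-ADUser -Server $GcServer -SearchBase '' -Filter *

# sAMAccountName is only unique per domain, so group forest-wide and keep
# the names that occur more than once.
$duplicates = $users |
    Group-Object -Property SamAccountName |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $duplicates) {
    foreach ($u in $group.Group) {
        # Derive the DNS domain name from the DC= components of the DN.
        $domain = (($u.DistinguishedName -split ',') |
            Where-Object { $_ -like 'DC=*' } |
            ForEach-Object { $_.Substring(3) }) -join '.'

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Domain            = $domain
            Enabled           = $u.Enabled
            DistinguishedName = $u.DistinguishedName
        }
    }
}
```

Any logon name listed under two domains is a candidate for the ambiguous lookup described above.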