New Member

ACS 5.3 - Active Directory - Limit/control which DCs can be used to auth

Hi all,

I have a Cisco ACS server deployed for TACACS and RADIUS authentication for end users.

Everything works well, it is joined to the domain, people can auth most of the time. However it appears that ACS is trying to auth against *ANY* DC within my domain.

dns.findsrv FindSrvFromDns runs and pulls every DC for use. Not all of these are reachable, nor do all of them have the same user structure.

Is there some way to specify or limit/control what DCs are queried?

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: ACS 5.3 - Active Directory - Limit/control which DCs can be

Hello,

Unfortunately at this point there is no way to control which DCs should be queried by the ACS. The ACS will retrieve all the available DCs on your AD Domain and contact any of them.

An enhancement request is already filed and developers are working on it to include the feature on future releases. Here is the information:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062

ACS should be able to query only desired DCs

Symptom:
Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them.

If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.

A lot of customers are asking for a change on this behavior.
It should be possible to define which DCs to contact and/or make ACS interpret DNS Resource Records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.

Conditions:
Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.

Workaround:
Make sure ALL DCs are UP and reachable from the ACS.

Hope this clarifies it.

Regards.

5 REPLIES
New Member

Re: ACS 5.3 - Active Directory - Limit/control which DCs can be

Thank you for your answer. It isn't what I wanted to hear but it is clear.

Odd thing is that it also seems to follow *ANY* domain trusts, and query their DCs.

So say I have the following:

xyz.com has trusts with the following domains:

abc.com

dev.xyz.com

So ACS gets a list of DCs of xyz.com, AND a list of all DCs of all trusted Domains; and proceeds to query them all. This is wrong.

My DCs in my main Domain xyz.com respond correctly when queried:

dig any _ldap._tcp.corp.xyz.com @10.10.1.23 +short

0 100 389 site1dc01.corp.xyz.com.
0 100 389 site2dc01.corp.xyz.com.
0 100 389 site3dc02.corp.xyz.com.
0 100 389 site4dc01.corp.xyz.com.
0 100 389 site3dc01.corp.xyz.com.
0 100 389 site5dc01.corp.xyz.com.

This is the only list of DCs TACACS should use. It should not spider through Trusted Domains.
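The accepted answer says ACS 5.x pulls every DC from the domain's SRV records and declares the domain failed if even one of them cannot be reached, and the only workaround is to make sure all of them are up. The script below is an added example (not code from the thread, from Cisco, or from ACS): it parses the `dig +short` SRV output shown above, orders the records by RFC 2782 priority and weight, and then applies the all-or-nothing rule from CSCte92062 so an operator can see in advance which DC would take the domain down. The sample records and hostnames are constructed to match the poster's output; the TCP probe on port 389 is the check I would run, and is an assumption about what "reachable" means for this purpose.

```python
import socket
from dataclasses import dataclass

# Constructed sample input: the answer section as `dig any _ldap._tcp.corp.xyz.com +short`
# prints it (priority weight port target), using the hostnames the poster showed.
SAMPLE_SRV_OUTPUT = """\
0 100 389 site1dc01.corp.xyz.com.
0 100 389 site2dc01.corp.xyz.com.
0 100 389 site3dc02.corp.xyz.com.
0 100 389 site4dc01.corp.xyz.com.
0 100 389 site3dc01.corp.xyz.com.
0 100 389 site5dc01.corp.xyz.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_short(output: str) -> list[SrvRecord]:
    """Parse `dig +short` SRV lines: '<priority> <weight> <port> <target.>'."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected SRV line: {line!r}")
        prio, weight, port, target = parts
        # Strip the trailing dot of the fully qualified name.
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def preferred_order(records: list[SrvRecord]) -> list[SrvRecord]:
    """RFC 2782 client order: lowest priority first, higher weight first within a priority.
    This is what an SRV-aware client would use; per the bug report ACS 5.x contacts all DCs."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Assumed reachability check: can we open a TCP connection to the DC's LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes DNS resolution failures and timeouts
        return False


def check_domain(records: list[SrvRecord], probe=tcp_reachable) -> dict:
    """Apply the all-or-nothing rule from CSCte92062: if any DC in the list is unreachable,
    the ACS connection to the domain is declared failed."""
    unreachable = [r.target for r in records if not probe(r.target, r.port)]
    return {
        "total": len(records),
        "unreachable": unreachable,
        "domain_ok": not unreachable,
    }


def main() -> None:
    records = preferred_order(parse_srv_short(SAMPLE_SRV_OUTPUT))
    result = check_domain(records)
    for r in records:
        print(f"{r.target}:{r.port} prio={r.priority} weight={r.weight}")
    print(f"{result['total']} DCs, unreachable: {result['unreachable']}, "
          f"domain would be {'OK' if result['domain_ok'] else 'FAILED'} for ACS 5.x")


if __name__ == "__main__":
    main()
```

Run it from the ACS's network position (or from the box the ACS is on) against the real `dig` output for your own `_ldap._tcp.<domain>` name; any name in the `unreachable` list is one that, per the bug report, will mark the whole domain failed, which is the check to make before raising a case about failed AD joins.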

Silver

Re: ACS 5.3 - Active Directory - Limit/control which DCs can be

Hello,

I do not have a straightforward answer for TACACS+ requests querying Trusted Domains. Actually, for the ACS to contact Trusted or Child Domains to its local domain we need to use NETBIOS or UPN format for the username:


Note: You have to add a UPN suffix or NETBIOS prefix to the username when authenticating to a domain that the ACS is not joined to, including the child domains.

The above note is included on the ACS documentation:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213

Regards.

New Member

ACS 5.3 - Active Directory - Limit/control which DCs can be used

There actually IS a way to control what DCs are used by ACS, but it has nothing to do with ACS. Once the ACS machines are added to your domain, move the machines to an OU/container of your choice. Then use Active Directory Sites and Services to make the domain restrictions. We had to do this in our environment as we have over 150 DCs.

New Member

ACS 5.3 - Active Directory - Limit/control which DCs can be used

Hello, my name is Rishi and I have a quick question.

Can we have the same ACS appliance integrated with a diff OU in the AD (maybe with a diff IP address range) ?

If so, how?

Thanks,

Rishi
