ACS 5.3 and AD domain trust

kamarale
Level 1

Hello, I'm having this problem:

I have 2 AD domains in 2 different forests (i.e. domain1.com and domain2.com) and they were configured to trust each other (two-way trust).

In the AD environment it works great.

The problem is that in ACS, which is integrated with domain1.com, I can't see the groups of the other domain, domain2.com.

If I look for them under Directory Groups they don't appear, and if I put them in manually in Group Name (with the syntax domain2.com/Users/GroupX) and then add them with the Add^ button, I am able to add them and use them in policies, but they don't work (I get errors and nothing is authenticated).

I'm using ACS version 5.3.0.40.5 and Windows 2003 Server Enterprise Edition.

I've read this post

https://supportforums.cisco.com/thread/2064843

but I couldn't make it work.

If someone knows how I can get this working I will really appreciate it.

Thanks in advance.

Regards.

AAA Protocol > RADIUS Authentication Detail
ACS session ID :
Date : September 3, 2012
Generated on September 3, 2012 2:30:12 PM EST

Authentication Summary
Logged At: September 3,2012 10:09:41.676 AM
RADIUS Status: Authentication failed:15039 Selected Authorization Profile is DenyAccess
NAS Failure:
Username: sipcarra
MAC/IP Address: y.y.y.y
Network Device: DRPIX:z.z.z.z
Access Service: All Radius users
Identity Store:
Authorization Profiles: DenyAccess
CTS Security Group:
Authentication Method: PAP_ASCII

Authentication Result
RadiusPacketType=AccessReject
AuthenticationResult=UnknownUser

Session Events
Sep 3,12 10:09:41.676 AM Radius authentication failed for USER: xxxxx MAC: y.y.y.y
AUTHTYPE: Radius authentication failed

Authentication Details
Logged At: September 3,2012 10:09:41.676 AM
ACS Time: September 3,2012 10:09:41.663 AM
ACS Instance: xxxxx01
Authentication Method: PAP_ASCII
EAP Authentication Method :
EAP Tunnel Method :

User
ACS Username: sipcarra
RADIUS Username : sipcarra
Calling Station ID: x.x.x.x
Framed IP Address:
Host Lookup:

Network Device
Network Device: DRPIX
Network Device Groups: Migrated_NDGs:All Migrated_NDGs:Loc1 / DRC all
Device Type:All Device Types
Location:All Locations
NAS IP Address: a.a.a.a
NAS Identifier:
NAS Port: 7360512
NAS Port ID:
NAS Port Type: Virtual

Access Policy
Access Service: All Radius users
Identity Store:
Authorization Profiles: DenyAccess
Exception Authorization Profiles:
Active Directory Domain: simnetad.simplot.com.au
Identity Group: All Groups:External
Access Service Selection Matched Rule : Radius Network Access
Identity Policy Matched Rule: Default
Selected Identity Stores : Internal Users, AD1
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule: Default
Authorization Policy Matched Rule: Default
Authorization Exception Policy Matched Rule:

CTS
CTS Security Group:

Other
ACS Session ID: ____
Audit Session ID:
Tunnel Details: Tunnel-Client-Endpoint=(tag=0) x.x.x.x
H323 Attributes:
SSG Attributes:
Cisco-AVPairs: ip:source-ip=x.x.x.x
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=164
Device Port=1025
RadiusPacketType=AccessRequest
Protocol=Radius
Service-Type=Framed
Framed-Protocol=PPP
Called-Station-ID=z.z.z.z
Device IP Address=z.z.z.z

Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - All Radius users
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
24210 Looking up User in Internal Users IDStore - Test
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22060 The 'Continue' advanced option is configured in case of a failed authentication request.
Evaluating Group Mapping Policy
15006 Matched Default Rule
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
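As an added illustration (not code from this thread or from Cisco), here is a small Python check over the "Steps" block of an ACS 5.3 RADIUS Authentication Detail report like the one above: it parses the numbered step codes and states why the request ended in DenyAccess, which is the chain worth reading before changing anything in the trust or identity-store configuration. The sample lines are constructed from the report above; the step codes are ACS's own.

```python
import re

# Constructed sample: step lines copied from the ACS 5.3 report above.
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
Evaluating Identity Policy
24210 Looking up User in Internal Users IDStore - Test
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s).
22060 The 'Continue' advanced option is configured in case of a failed authentication request.
Evaluating Authorization Policy
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
# Codes seen in the report: which store missed, whether ACS kept going, final verdict.
NOT_FOUND = {"24216": "Internal Users", "24412": "Active Directory"}
CONTINUE_ON_FAILURE = "22060"
DENY_ACCESS = "15039"


def parse_steps(text):
    """Return (code, message) pairs; 'Evaluating ...' headers carry no code and are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def diagnose(text):
    """Summarise why a request was rejected, using only the step codes."""
    codes = {code for code, _ in parse_steps(text)}
    missed = [store for code, store in NOT_FOUND.items() if code in codes]
    continued = CONTINUE_ON_FAILURE in codes
    denied = DENY_ACCESS in codes
    if denied and continued and missed:
        verdict = ("user not resolved in %s; 'Continue' on unknown user sent the "
                   "request to the default authorization rule, which is DenyAccess"
                   % " or ".join(missed))
    else:
        verdict = "DenyAccess selected by policy" if denied else "no DenyAccess in steps"
    return {"missed_stores": missed, "continued_after_failure": continued,
            "denied": denied, "verdict": verdict}
```

For a trusted-domain user, a 24412 miss like this one means the ACS AD agent could not resolve the account in the forest it is joined to, so the ACSADAgent.log for the same timestamp is the next place to look.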

Hi,

Please follow these steps in order to troubleshoot this.

ssh into the ACS and issue the command "acs-config".

Wait 45 seconds.

Then run debug-adclient enable (this enables debug level logging for AD related communication).

Reproduce your issue and note the time stamp in the logs.

In the Monitoring and Reporting section there is an option for "ACS Support Bundle"; download that with only the debug-logs option enabled.

After downloading the logs you should be able to open them with WinRAR; look in the logs directory, then in the debug logs directory. Please open the ACSADAgent.log file that contains the timeframe when this occurred; if there is a lot of traffic running it could be in the other incremental logs. You can open this log with WordPad (or Notepad++).

Take a look at the events that occurred at the timestamp noted before and see what response you are receiving from AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

I just published a doc that will help you with the debugging:

https://supportforums.cisco.com/docs/DOC-26787

Please rate it if you find it helpful.

thanks,

Tarik Admani
*Please rate helpful posts*

Hey Tarik,

Thanks very much indeed. We have updated the ACS to the latest patch 5-3-0-40-6 and are currently testing all the VPN users; at the moment we don't see any failures. We are waiting for the previously failed VPN users to connect now and will update accordingly.

In the meantime, we tried to enter "acs-config" by ssh to the VM on which ACS is running, and this prompts for a username/password; when we enter the GUI credentials (for the acsadmin superadmin user), it hangs and sometimes comes up with a "Connecting" message and does nothing. The ssh was from the PuTTY terminal software; do you think using SecureCRT is a better option? We also lost access to the web GUI and had to restart the VM to bring it back up.

Thanks and Regards,

Mohan

Hello,

Just checking if there is any update to the "acs-config" issue.

Also, I have a scenario where several iPhones/iPads have to be authenticated via Cisco ACS 5.3 and WLC. Currently, all the iDevices are using PEAP with username/passwords, and this is required to be moved to an EAP-TLS based configuration, so that there is no need to enter username/password credentials on the iDevice and the clients will rely only on certificate based authentication.

In the current ACS setup, the identity store sequence configuration is password based, and this general sequence is mapped to the access service profiles for Default Network Access (external AD) for all users. If we create a new identity store and select the "Certificate based" option, then a new access service policy has to be defined to map all the iDevices to this ID sequence, which means creation of additional access service policies. Currently there are two service policies, one for device access and one for network access, and I am not sure, if I create a new policy, how the iDevice traffic will hit this policy. Please advise how we go about implementing this feature for iDevices with no username/password credentials, using only certificate based authentication.

Thanks very much for your help.

Mohan,

Sorry that I missed your message on the 5th. I do not know why the services will stop when running the acs-config command; I have never experienced the issues that you are facing. If this is on a virtual machine, can you validate the settings just to make sure there isn't anything misconfigured on the virtual machine?

Also as far as certificate based authentication, you should be able to use one certificate authentication profile and then fall back on password based sequence. You should not have to create another service policy, just map this identity sequence store over to the Identity configuration for the radius (network access) service policy.

I have attached a configuration that should work for what you are requesting. I hope this helps!

Tarik Admani
*Please rate helpful posts*

Fantastic!! Thanks again; I will try this and see how this goes, and also check the VM settings for the "acs-config" debug, as this really hangs the ACS and required a restart to bring it back up. As it is now going into production, maybe I will have to test this later.

Thanks again.

Mohan

Mohan,

That is interesting. When you do get around to looking at this issue a little deeper, please open another thread so it catches my attention and we can segment the conversation for future users.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

We did that change and seemed to hit the Access-Reject from RADIUS, and authentication worked OK. Then we had to put AD1 in the additional identity stores accessed to retrieve attributes for authorization policy processing, and it works fine now! So why is it going to retrieve the attributes from the additional ID store for EAP-TLS certificates?

Thanks again.

Mohan

Mohan,

When you configure a certificate authentication profile, you are authenticating the client based on the certificate it presents; you do not check with Active Directory for the username, and there is no password that is transmitted. It is all based on the root CA that you configure in the C.A.P. This is very similar to SSL, where the CA is the piece that validates the client. You can choose to perform binary comparison with AD in order to perform a binary check of the client certificate against the certificate that is published to this user account in AD; that will add additional security in verifying the user account.

The answer to your question is below:

In addition, you can configure an optional list of databases from which additional attributes can be retrieved. These additional databases can be configured irrespective of whether you use password-based or certificate-based authentication.

If a certificate-based authentication is performed, the username is populated from a certificate attribute and this username is used to retrieve attributes from all the databases in the list. For more information on certificate attributes, see Configuring CA Certificates.

When a matching record is found for the user, the corresponding attributes are retrieved. ACS retrieves attributes even for users whose accounts are disabled or whose passwords are marked for change.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1124651

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Great explanation again, but I thought that enabling binary comparison with the root CA installed on the ACS (apart from the identity certificate in the Local Certificates section) was going to break the cert authentication, so this was left unchecked. So, from what I understand, enabling binary certificate comparison and removing AD1 from the additional attribute section will be a valid solution?

Thanks again.

Mohan

It will only break cert authentication if the certificate isn't published to the user account in Active Directory, which in this case may be true since you are using certificates on your iDevices.

No, enabling the binary comparison is an additional check to see that the user is not only providing a user cert that is signed by your CA; it also does a check to make sure the cert is identical to the one that was issued and published to the AD user account.

Thanks,

Tarik Admani
*Please rate helpful posts*

OK. Will enable the binary check comparison and will leave the attribute settings unchanged. Once again, thanks a tonne for everything. Will keep you posted on the testing activities then.

Best Regards,

Mohan

Hi Tarik,

Just want to clarify the following:

1. Using ACS for Kerberos authentication on iDevices for internal sites so that the users do not need to enter username/password.

2. Configuring incremental backups on ACS 5.3, as we seem to be getting the "Incremental backups not configured" system alarm message. I was reading through your other post on this, but which is the best way to go about it?

Thanks and Regards,

Mohan

Mohan,

You cannot use Kerberos authentication for iDevices since they do not join the Active Directory domain; you will have to use EAP-TLS, and that is done through certificate authentication (based on the identity cert and whether it is signed by the root in the CAP profile).

Configuring incremental backups is a little touchy; if you have set it up more than once then you could be running into an issue where the backup processes may be overlapping. However, are you running scheduled backups of your ACS configuration? If so, are they at the same time as your incremental backups?

(Basically, incremental backups are for the monitoring database, and the scheduled backups are for the ACS configuration.)

Thanks,

Tarik Admani
*Please rate helpful posts*
