ACS 5.3 and AD domain trust

Hello, I'm having this problem:

I have 2 AD domains in 2 different forests (i.e. domain1.com and domain2.com) and they were configured to trust each other (two-way trust).

In the AD environment it works great.

The problem is that in ACS, which is integrated with domain1.com, I can't see the groups of the other domain, domain2.com.

If I look for them under Directory Groups they don't appear, and if I put them in manually under Group Name (with the syntax domain2.com/Users/GroupX) and then add them with the Add button, I am able to add them and to use them in policies, but they don't work (I get errors and nothing is authenticated).

I'm using ACS version 5.3.0.40.5 and Windows 2003 Server Enterprise Edition.

I've read this post

https://supportforums.cisco.com/thread/2064843

but I couldn't make it work.

If someone knows how I can get this working I will really appreciate it.

Thanks in advance.

Regards.

1 ACCEPTED SOLUTION


ACS 5.3 and AD domain trust

Let me know if there is anything else I can help you and how everything is going.

Thanks,

Tarik Admani
*Please rate helpful posts*

34 REPLIES

ACS 5.3 and AD domain trust

Please use this guide for reference when configuring trusts between the forests. It seems that authentication works fine when using transitive trusts, but SID filtering may be in the picture since you can query for groups. Please do some research regarding the effects of disabling SID filtering, but for the most part this seems to be what you are facing.

http://technet.microsoft.com/en-us/library/cc755427%28v=ws.10%29.aspx

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Hello,thanks for the reply.

I had configured a forest trust type, and that did not work. So I changed the trust type to external trust and it started to work perfectly.

Is there a limitation with the ACS that it does not support forest trusts?

Thanks.

ACS 5.3 and AD domain trust

Yes, the reason is that the ACS uses Kerberos instead of NTLM for authentication. With forest trusts only NTLM is supported; with an external trust you can use Kerberos.

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Thanks for the quick reply.

Where does Cisco say that? Do you have some link?

Regards.

ACS 5.3 and AD domain trust

No problem you are welcome,

I haven't seen this mentioned in the Cisco documentation; it's something I have come across while working on trust types and what the ACS uses for authentication.

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

One more question: the two domains are going to have different hours (they are in separate countries).

How do I deal with this? Should I point the two domain controllers to the same NTP source and set the correct time zone on each DC?

Thanks.

ACS 5.3 and AD domain trust

As long as you point to a trusted NTP source that gives you an accurate GMT time, the ACS and the domain controllers will use their time zone settings to offset this value locally. Kerberos should use the GMT value as its basis for its operability.

For more information - http://social.technet.microsoft.com/Forums/ta/winserverNIS/thread/5231d52d-cf78-4685-b1a2-c39dcb767427

Thanks,

Tarik Admani
*Please rate helpful posts*

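The clock requirement discussed above, as an added example that is not part of this thread or of ACS: Kerberos compares timestamps in UTC, so hosts in different countries can have wall clocks hours apart and still authenticate, provided each host's time zone setting matches the wall clock it shows. The host names, UTC offsets and clock readings below are constructed; the 5-minute tolerance is the Windows Kerberos default. The second host set shows the failure the thread is worried about: a DC whose wall clock was set to the right local time but whose time zone setting was left wrong, so its UTC is hours off.

```python
from datetime import datetime, timedelta, timezone

# Kerberos tolerates a bounded difference between client and KDC clocks;
# the Windows default (MaxClockSkew) is 5 minutes.
MAX_SKEW = timedelta(minutes=5)


def to_utc(wall_clock, utc_offset_hours):
    """Attach a host's configured time zone offset to its local wall-clock
    reading and convert to UTC. Kerberos timestamps are exchanged in UTC,
    so this is the value that actually has to agree between hosts."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return wall_clock.replace(tzinfo=tz).astimezone(timezone.utc)


def skew_report(hosts, max_skew=MAX_SKEW):
    """hosts: {name: (naive local datetime, utc_offset_hours)}.
    Returns (ok, worst_pair, worst_delta): the largest pairwise UTC
    difference and whether it is within the Kerberos tolerance."""
    utc_times = {name: to_utc(t, off) for name, (t, off) in hosts.items()}
    names = list(utc_times)
    worst_pair, worst_delta = None, timedelta(0)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            delta = abs(utc_times[a] - utc_times[b])
            if delta > worst_delta:
                worst_pair, worst_delta = (a, b), delta
    return worst_delta <= max_skew, worst_pair, worst_delta


# Constructed readings: ACS and one DC at UTC-3, a second DC at UTC+1.
# All three sync to the same NTP source, so their UTC agrees even though
# the wall clocks are four hours apart.
GOOD_HOSTS = {
    "acs":  (datetime(2012, 9, 3, 10, 9, 41), -3),
    "dc1":  (datetime(2012, 9, 3, 10, 9, 45), -3),
    "dc2":  (datetime(2012, 9, 3, 14, 9, 50), +1),
}

# Constructed misconfiguration: dc2's wall clock was set by hand to the
# correct local time (14:09) but its time zone setting still says UTC-3,
# so the UTC it derives is four hours ahead of everyone else.
BAD_HOSTS = dict(GOOD_HOSTS, dc2=(datetime(2012, 9, 3, 14, 9, 50), -3))


if __name__ == "__main__":
    for label, hosts in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        ok, pair, delta = skew_report(hosts)
        print(label, "ok" if ok else "FAIL", pair, delta)
```

The point of the check is that a four-hour difference in wall clocks is irrelevant; what Kerberos sees is the UTC each host derives from its clock plus its zone setting, and only that has to agree within the tolerance.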

ACS 5.3 and AD domain trust

Let me know if there is anything else I can help you and how everything is going.

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Thank you very much for your support.


ACS 5.3 and AD domain trust

Dear all,

Hope you can help me with an issue I am facing on migration from Cisco ACS 4.1.24 to Cisco ACS 5.3.0.40 and testing RADIUS authentication for VPN client users.

The authentication method used is external Active Directory, and for some users authenticating to the external AD via ACS, the following message is obtained:

"15039 Selected Authorization Profile is DenyAccess", which results in an auth failure.

Other users in the same AD group seem to work fine, and there are no changes performed on the AD for any of the concerned users.

Looking at the detail report for the user confirms that no attributes are returned to the RADIUS (under the Other Attributes field) from the external server. The RADIUS also returns the following messages:

"24412 User not  found in Active Directory"

"22056 Subject not found in the applicable  identity store(s)"

Within the ACS identity sequence in the ID store, the sequence is set to match on AD first and then Internal Users. The identity for the default network profile (for RADIUS users) is configured to the general sequence. The same user(s) seem to work fine when switched to ACS 4.

We are also looking at a possible NTP sync issue with the ACS/AD, any NTLM/Kerberos auth issues, or any issues related to applying the latest ACS patch to the box.

Any help will be appreciated.

Thanks and Regards.

ACS 5.3 and AD domain trust

Hi,

You will need to troubleshoot this a little deeper. I don't think that NTP is an issue, because you would see errors in the AD configuration page if it shows disconnected.

However, please install the latest patch; there were some AD issues with the 5.3 code that have been resolved in the most recent patches. Please try again afterwards.

Also, while you are in the AD settings page there is a tab for "Directory Attributes"; please type in the user account that isn't found in the authentication report and see if you can pull any attributes in the page. If you get the error, then try your user account and see if it pulls the attributes.

Then we can start to see what the problem is there.

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Thanks very much for the quick response. When I try to enter the failed user and select the attributes, it prompts me to select a number of them, which means the attributes are being returned for the failed user? Some of the attributes are 1) CN, 2) DN, 3) memberOf, etc.

Best Regards.


ACS 5.3 and AD domain trust

Just to continue with my previous message: when I try an unknown user on the Directory Attributes tab, it comes up with a "No data to Display" screen.

Thanks and Regards,

Mohan

ACS 5.3 and AD domain trust

Can you please copy and paste the output from the ACS report? Also, please try installing the latest patch and see if that resolves your issue.

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

AAA Protocol > RADIUS Authentication Detail

ACS session ID:
Date: September 3, 2012
Generated on September 3, 2012 2:30:12 PM EST

Authentication Summary
Logged At: September 3, 2012 10:09:41.676 AM
RADIUS Status: Authentication failed: 15039 Selected Authorization Profile is DenyAccess
NAS Failure:
Username: sipcarra
MAC/IP Address: y.y.y.y
Network Device: DRPIX:z.z.z.z
Access Service: All Radius users
Identity Store:
Authorization Profiles: DenyAccess
CTS Security Group:
Authentication Method: PAP_ASCII

Authentication Result
RadiusPacketType=AccessReject
AuthenticationResult=UnknownUser

Session Events
Sep 3,12 10:09:41.676 AM Radius authentication failed for USER: xxxxx MAC: y.y.y.y
AUTHTYPE: Radius authentication failed

Authentication Details
Logged At: September 3, 2012 10:09:41.676 AM
ACS Time: September 3, 2012 10:09:41.663 AM
ACS Instance: xxxxx01
Authentication Method: PAP_ASCII
EAP Authentication Method:
EAP Tunnel Method:

User
ACS Username: sipcarra
RADIUS Username: sipcarra
Calling Station ID: x.x.x.x
Framed IP Address:
Host Lookup:

Network Device
Network Device: DRPIX
Network Device Groups: Migrated_NDGs:All Migrated_NDGs:Loc1 / DRC all
Device Type: All Device Types
Location: All Locations
NAS IP Address: a.a.a.a
NAS Identifier:
NAS Port: 7360512
NAS Port ID:
NAS Port Type: Virtual

Access Policy
Access Service: All Radius users
Identity Store:
Authorization Profiles: DenyAccess
Exception Authorization Profiles:
Active Directory Domain: simnetad.simplot.com.au
Identity Group: All Groups:External
Access Service Selection Matched Rule: Radius Network Access
Identity Policy Matched Rule: Default
Selected Identity Stores: Internal Users, AD1
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule: Default
Authorization Policy Matched Rule: Default
Authorization Exception Policy Matched Rule:

CTS
CTS Security Group:

Other
ACS Session ID: ____
Audit Session ID:
Tunnel Details: Tunnel-Client-Endpoint=(tag=0) x.x.x.x
H323 Attributes:
SSG Attributes:
Cisco-AVPairs: ip:source-ip=x.x.x.x
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=164
Device Port=1025
RadiusPacketType=AccessRequest
Protocol=Radius
Service-Type=Framed
Framed-Protocol=PPP
Called-Station-ID=z.z.z.z
Device IP Address=z.z.z.z

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - All Radius users

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store -

24210 Looking up User in Internal Users IDStore - Test

24216 The user is not found in the internal users identity store.

24430 Authenticating user against Active Directory

24412 User not found in Active Directory

22016 Identity sequence completed iterating the IDStores

22056 Subject not found in the applicable identity store(s).

22058 The advanced option that is configured for an unknown user is used.

22060 The 'Continue' advanced option is configured in case of a failed authentication request.

Evaluating Group Mapping Policy

15006 Matched Default Rule

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - DenyAccess

15039 Selected Authorization Profile is DenyAccess

11003 Returned RADIUS Access-Reject
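An added example, not part of this thread or of Cisco's tooling, that reads the Steps section of a report like the one pasted above and states whether the DenyAccess came out of the identity phase (user not found, "Continue" on unknown user, Default authorization rule applied) or from an authorization rule that matched a known user. The step text is copied from the report in the post; the PermitAccess variant is constructed by dropping the not-found steps, and the code meanings are taken from the messages ACS printed beside each code rather than from a Cisco code table.

```python
import re

# Constructed copy of the "Steps" section of the ACS 5.3 RADIUS
# Authentication Detail report pasted above (same codes and messages).
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - All Radius users
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
24210 Looking up User in Internal Users IDStore - Test
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22060 The 'Continue' advanced option is configured in case of a failed authentication request.
Evaluating Group Mapping Policy
15006 Matched Default Rule
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
"""

# Constructed variant for a user that AD does find: the not-found /
# unknown-user steps and the final reject are dropped, and the Default
# rule is assumed to hand out a profile named PermitAccess.
_DROP = {"24412", "22016", "22056", "22058", "22060", "15039", "11003"}
SAMPLE_STEPS_OK = "\n".join(
    line for line in SAMPLE_STEPS.splitlines()
    if line.split(" ", 1)[0] not in _DROP
).replace("DenyAccess", "PermitAccess")

STEP_LINE = re.compile(r"^(\d{5})\s+(.*)$")


def parse_steps(text):
    """Split a Steps section into (code, message) pairs; phase headers such
    as 'Evaluating Identity Policy' carry no code and get None."""
    steps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_LINE.match(line)
        steps.append((m.group(1), m.group(2)) if m else (None, line))
    return steps


def diagnose(steps):
    """Reconstruct the identity-store walk and the authorization outcome.
    Code meanings are read off the messages ACS printed beside them in
    this report, not from an official code table (assumption)."""
    v = {"stores_tried": [], "misses": [], "unknown_user_action": None,
         "selected_profile": None, "access_reject": False}
    for code, msg in steps:
        if code == "24210":               # lookup in the internal store
            v["stores_tried"].append("Internal Users")
        elif code == "24430":             # lookup/authentication against AD
            v["stores_tried"].append("Active Directory")
        elif code in ("24216", "24412"):  # "not found" in the store just tried
            v["misses"].append(v["stores_tried"][-1])
        elif code == "22060":
            # 'Continue' on unknown user: ACS does not reject in the identity
            # phase but carries on to authorization with no identity, so the
            # Default authorization rule (DenyAccess here) decides the result.
            v["unknown_user_action"] = "Continue"
        elif code == "15016":             # "Selected Authorization Profile - X"
            v["selected_profile"] = msg.split("-", 1)[1].strip()
        elif code == "11003":
            v["access_reject"] = True
    v["found_in"] = [s for s in v["stores_tried"] if s not in v["misses"]]
    return v


def explain(v):
    """One-line verdict: identity failure or authorization decision?"""
    if not v["found_in"]:
        return ("identity failure: user not found in %s; the '%s' unknown-user "
                "option let the Default authorization rule select %s"
                % (", ".join(v["misses"]), v["unknown_user_action"],
                   v["selected_profile"]))
    return "authorization decision: %s (user found in %s)" % (
        v["selected_profile"], ", ".join(v["found_in"]))


if __name__ == "__main__":
    for sample in (SAMPLE_STEPS, SAMPLE_STEPS_OK):
        print(explain(diagnose(parse_steps(sample))))
```

For the pasted report this yields an identity failure: both stores returned not-found, the "Continue" option kept the request alive with no identity, and the Default authorization rule's DenyAccess profile produced the 15039 and the Access-Reject. That is why the next step is the AD agent debug log rather than the authorization policy.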

ACS 5.3 and AD domain trust

Hi,

Please follow the steps in order to troubleshoot this.

SSH into the ACS and issue the command "acs-config".

Wait 45 seconds.

Then run "debug-adclient enable" (this enables debug-level logging for AD-related communication).

Reproduce your issue and note the timestamp in the logs.

In the Monitoring and Reporting section there is an option for "ACS Support Bundle"; download that with only the debug-logs option enabled.

After downloading the logs you should be able to open them with WinRAR; look in the logs directory and then in the debug logs directory. Please open the ACSADAgent.log file that contains the timeframe when this occurred; if there is a lot of traffic running, it could be in the other incremental logs. You can open this log with WordPad (or Notepad++).

Take a look at the events that occurred at the timestamp noted before and see what response you are receiving from AD.

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

I just published a doc that will help you with the debugging:

https://supportforums.cisco.com/docs/DOC-26787

Please rate it if you find it helpful.

thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Hey Tarik,

Thanks very much indeed. We have updated the ACS to the latest patch, 5-3-0-40-6, and are currently testing all the VPN users; at the moment we don't see any failures. We are waiting for the previously failed VPN users to connect now and will update accordingly.

In the meantime, we tried to enter "acs-config" by SSH to the VM on which ACS is running, and this prompts for a username/password; when we enter the GUI credentials (for the acsadmin superadmin user), it hangs and sometimes comes up with a "Connecting" message and does nothing. The SSH was from the PuTTY terminal software; do you think using SecureCRT is a better option? We also lost access to the web GUI and had to restart the VM to bring it back up.

Thanks and Regards,

Mohan


ACS 5.3 and AD domain trust

Hello,

Just checking if there is any update on the "acs-config" issue.

Also, I have a scenario where several iPhones/iPads have to be authenticated via Cisco ACS 5.3 and WLC. Currently, all the iDevices are using PEAP with username/passwords, and this is required to be moved to an EAP-TLS based configuration, so that there is no need to enter username/password credentials on the iDevice and the clients will rely only on certificate-based authentication.

In the current ACS setup, the identity store sequence configuration is password based, and this general sequence is mapped to the access service profiles for Default Network Access (external AD) for all users. If we create a new identity store and select the "Certificate based" option, then a new access service policy has to be defined to map all the iDevices to this ID sequence, which means creation of additional access service policies. Currently there are two service policies, one for device access and one for network access, and I am not sure, if I create a new policy, how the iDevice traffic will hit this policy. Please advise how we go about implementing this feature for iDevices with no username/password credentials, using only certificate-based authentication.

Thanks very much for your help.

Re: ACS 5.3 and AD domain trust

Mohan,

Sorry that I missed your message on the 5th. I do not know why the services would stop when running the acs-config command; I have never experienced the issues that you are facing. If this is on a virtual machine, can you validate the settings just to make sure there isn't anything misconfigured on the virtual machine?

Also, as far as certificate-based authentication goes, you should be able to use one certificate authentication profile and then fall back on a password-based sequence. You should not have to create another service policy; just map this identity sequence store over to the identity configuration for the RADIUS (network access) service policy.

I have attached a configuration that should work for what you are requesting. I hope this helps!

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Fantastic! Thanks again; I will try this and see how it goes, and also check the VM settings for the "acs-config" debug, as this really hangs the ACS and required a restart to bring it back up. As it is now going into production, maybe I will have to test this later.

Thanks again.

Mohan

ACS 5.3 and AD domain trust

Mohan,

That is interesting. When you do get around to looking at this issue a little deeper, please open another thread so it catches my attention and we can segment the conversation for future users.

Thanks,

Tarik Admani
*Please rate helpful posts*


Re: ACS 5.3 and AD domain trust

Hi Tarik,

We did that change and seemed to hit the Access-Reject from RADIUS, and authentication worked OK. Then we had to put AD1 in the additional identity stores accessed to retrieve attributes for authorization policy processing, and it works fine now! So why is it going to retrieve the attributes from the additional ID store for EAP-TLS certificates?

Thanks again.

Mohan

ACS 5.3 and AD domain trust

Mohan,

When you configure a certificate authentication profile, you are authenticating the client based on the certificate it presents; you do not check with Active Directory for the username, and there is no password that is transmitted. It is all based on the root CA that you configure in the CAP; this is very similar to SSL, where the CA is the piece that validates the client. You can choose to perform binary comparison with AD in order to perform a binary check of the client certificate against the certificate that is published to this user account in AD; that will add additional security in verifying the user account.

The answer to your question is below:

In addition, you can configure an optional list of databases from which additional attributes can be retrieved. These additional databases can be configured irrespective of whether you use password-based or certificate-based authentication.

If a certificate-based authentication is performed, the username is populated from a certificate attribute and this username is used to retrieve attributes from all the databases in the list. For more information on certificate attributes, see Configuring CA Certificates.

When a matching record is found for the user, the corresponding attributes are retrieved. ACS retrieves attributes even for users whose accounts are disabled or whose passwords are marked for change.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1124651

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

Hi Tarik,

Great explanation again. But I thought that enabling binary comparison with the root CA installed on the ACS (apart from the identity certificate in the local cert section) was going to break the cert authentication, so this was left unchecked. So, from what I understand, enabling binary certificate comparison and removing AD1 from the additional attribute section will be a valid solution?

Thanks again.

Mohan

ACS 5.3 and AD domain trust

It will only break cert authentication if the certificate isn't published to the user account in Active Directory, which in this case may be true since you are using certificates on your iDevices.

No, enabling the binary comparison is an additional check to see that the user is not only providing a user cert that is signed by your CA, but also that the cert is identical to the one that was issued and published to the AD user account.

Thanks,

Tarik Admani
*Please rate helpful posts*


ACS 5.3 and AD domain trust

OK. I will enable the binary comparison check and leave the attribute settings unchanged. Once again, thanks a tonne for everything; I will keep you posted on the testing activities.

Best Regards,

Mohan


ACS 5.3 and AD domain trust

Hi Tarik,

Just want to clarify the following:

1. Using ACS for Kerberos authentication on iDevices for internal sites, so that the users do not need to enter a username/password.

2. Configuring incremental backups on ACS 5.3, as we seem to be getting the "Incremental backups not configured" system alarm message. I was reading through your other post on this, but which is the best way to go about it?

Thanks and Regards,

Mohan

ACS 5.3 and AD domain trust

Mohan,

You cannot use Kerberos authentication for iDevices since they do not join the Active Directory domain; you will have to use EAP-TLS, and that is done through certificate authentication (based on the identity cert and whether it is signed by the root in the CAP profile).

Configuring incremental backups is a little touchy; if you have set it up more than once, then you could be running into an issue where the backup processes may be overlapping. However, are you running scheduled backups of your ACS configuration? If so, are they at the same time as your incremental backups?

(Basically, incremental backups are for the monitoring database, and the scheduled backups are for the ACS configuration.)

Thanks,

Tarik Admani
*Please rate helpful posts*
