User-created attributes can overwrite system-created ones, changing the data type from Boolean to string and causing authentication attempts to AD to fail with the error messages below.
Authentication failed : 11051 RADIUS packet contains invalid state attribute
RADIUS Request dropped : 12315 PEAP inner method finished with failure
A user-created attribute overwrites a system-created attribute if a system-created attribute with the same name already exists. The user-created attribute 'IdentityAccessRestricted' overwrote the system-created one, changing its data type from Boolean to string and causing authentication attempts to AD to fail.
IdentityAccessRestricted is a system-created attribute that is created when an ISE node joins AD. If a duplicate attribute is created under Administration > External Identity Sources > Active Directory > Attributes, it overwrites the data type, changing it from Boolean to string.
Workaround:
1. Leave AD
2. Delete the AD connection
3. Rejoin AD
Alternatively, restore from a backup.
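The failure mode above is a name collision: a hand-made attribute shadows one the system created, and the shadowing copy carries a different type. The following is an added example (not Cisco ISE code) that models that collision in Python: a naive merge that reproduces the Boolean-to-string overwrite and its effect on an access check, beside a guarded merge that refuses any user attribute whose name matches a system attribute. The attribute table, the `raw_value` text returned by AD, and the case-insensitive comparison are assumptions made for the example.

```python
# Added example (not Cisco ISE code): a toy model of how a user-created
# attribute that shares a name with a system-created one can silently change
# the attribute's data type, and a guard that rejects the collision instead.
from dataclasses import dataclass


@dataclass(frozen=True)
class Attribute:
    name: str
    value_type: type   # bool for the system-created flag, str for the user copy
    source: str        # "system" or "user"


# Assumption: ISE keeps the AD attribute as a Boolean once the node joins AD.
SYSTEM_ATTRIBUTES = {
    "IdentityAccessRestricted": Attribute("IdentityAccessRestricted", bool, "system"),
}

# Constructed input: an operator adds the same name by hand as a string attribute.
USER_ATTRIBUTES = {
    "IdentityAccessRestricted": Attribute("IdentityAccessRestricted", str, "user"),
}


class AttributeCollision(ValueError):
    """Raised when a user-created attribute would shadow a system-created one."""


def merge_naive(system, user):
    """Reproduces the bug: later definitions win, so the user copy replaces
    the system one and its Boolean type becomes a string type."""
    merged = dict(system)
    merged.update(user)
    return merged


def find_collisions(system, user):
    """Names in `user` that match a system attribute, compared case-insensitively
    (assumption: attribute names are not case-sensitive in the directory)."""
    system_lower = {name.lower(): name for name in system}
    return [name for name in user if name.lower() in system_lower]


def merge_guarded(system, user):
    """Hardened merge: refuse to register any user attribute that shadows a
    system attribute, regardless of case."""
    collisions = find_collisions(system, user)
    if collisions:
        raise AttributeCollision(
            "user attribute(s) would overwrite system attribute(s): "
            + ", ".join(sorted(collisions)))
    merged = dict(system)
    merged.update(user)
    return merged


def is_access_restricted(attributes, raw_value="false"):
    """Evaluate the flag the way a Boolean-typed check would. `raw_value` is the
    text AD returns for the attribute (constructed; 'false' = not restricted).
    With the Boolean type the check is correct; with the string type the
    non-empty text 'false' is truthy, so the user is wrongly treated as
    restricted and authentication fails."""
    attr = attributes["IdentityAccessRestricted"]
    if attr.value_type is bool:
        return raw_value.strip().lower() == "true"
    return bool(attr.value_type(raw_value))


if __name__ == "__main__":
    print("system only   ->", is_access_restricted(SYSTEM_ATTRIBUTES))
    print("naive merge   ->", is_access_restricted(merge_naive(SYSTEM_ATTRIBUTES, USER_ATTRIBUTES)))
    try:
        merge_guarded(SYSTEM_ATTRIBUTES, USER_ATTRIBUTES)
    except AttributeCollision as exc:
        print("guarded merge ->", exc)
```

The guarded merge is the check to apply before accepting an attribute from the Attributes page: reject the name rather than let the later definition win. The leave/delete/rejoin workaround above works for the same reason, since rejoining recreates the system attribute with its original Boolean type.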
24444 Active Directory operation has failed because of an unspecified error in the ACS:
Symptom: Some authentications fail with either of the following errors:
24429 Could not establish connection with Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ACS
The failures appear to be completely random.
24444 errors usually occurred for users who typed the wrong password or for usernames that did not exist in AD.
Conditions: ACS 5.3 patch 6
ACS incorrectly interprets the response it receives from AD: rather than reading the response as a failed authentication attempt, ACS reads it as a failure of the AD process or of connectivity to AD.
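Because ACS reports a credential failure under the same code as an AD connectivity failure, the code alone does not tell you which problem you have. The added example below (not ACS or ISE code) parses failure-reason codes and usernames out of constructed log lines and applies a simple heuristic: a code whose events are spread across many distinct users looks like an infrastructure problem, while a code concentrated on a few accounts, or on repeated attempts by the same account, looks like bad passwords or unknown users. The line layout, the `FailureReason=`/`UserName=` fields, the usernames, and the spread threshold are all assumptions for the example; real ACS syslog fields differ.

```python
# Added example (not ACS/ISE code): triage of RADIUS failure-reason codes
# from authentication logs, to separate per-user credential failures from
# AD connectivity failures. The log lines and their layout are constructed
# for this example; real ACS syslog fields differ.
import re
from collections import defaultdict

# Constructed sample: 24444 clustered on two accounts, 24429 spread over many.
SAMPLE_LOG = """\
2014-03-01T08:00:01 FailureReason=24444 UserName=jsmith Msg="Active Directory operation has failed because of an unspecified error in the ACS"
2014-03-01T08:00:09 FailureReason=24444 UserName=jsmith Msg="Active Directory operation has failed because of an unspecified error in the ACS"
2014-03-01T08:01:13 FailureReason=24444 UserName=ghost.user Msg="Active Directory operation has failed because of an unspecified error in the ACS"
2014-03-01T08:01:20 FailureReason=24444 UserName=jsmith Msg="Active Directory operation has failed because of an unspecified error in the ACS"
2014-03-01T08:02:00 FailureReason=24429 UserName=alice Msg="Could not establish connection with Active Directory"
2014-03-01T08:02:02 FailureReason=24429 UserName=bob Msg="Could not establish connection with Active Directory"
2014-03-01T08:02:05 FailureReason=24429 UserName=carol Msg="Could not establish connection with Active Directory"
2014-03-01T08:02:07 FailureReason=24429 UserName=dave Msg="Could not establish connection with Active Directory"
2014-03-01T08:03:00 this line has no failure code and is ignored
"""

LINE_RE = re.compile(r'FailureReason=(?P<code>\d+)\s+UserName=(?P<user>\S+)')


def parse_failures(text):
    """Yield (code, user) for every line carrying a failure code."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("code"), m.group("user")


def summarize(text):
    """Map each failure code to {user: count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for code, user in parse_failures(text):
        summary[code][user] += 1
    return {code: dict(users) for code, users in summary.items()}


def classify(summary, spread_threshold=0.75):
    """Heuristic (an assumption, not an ACS rule): spread = distinct users /
    events. Near 1.0 every event is a different user, which points at the
    AD connection; well below it the same accounts keep failing, which points
    at wrong passwords or accounts that do not exist in AD."""
    verdicts = {}
    for code, users in summary.items():
        events = sum(users.values())
        spread = len(users) / events
        verdicts[code] = "infrastructure" if spread >= spread_threshold else "per-user"
    return verdicts


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for code, verdict in classify(summary).items():
        print(code, verdict, summary[code])
```

On the constructed sample, 24444 is classified as per-user (three of four events are one account) and 24429 as infrastructure (four events, four accounts), which matches the observation above that 24444 usually accompanied wrong passwords or non-existent usernames. The threshold is a starting point to tune against your own volumes.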
The problem is these 2 messages just started popping up when we changed from AD Win2008R2 DCs to Win2012R2 DCs. This appears to be preventing all wireless connections from our wireless clients on all APs across our network. On the plus side, it is not affecting our VPN connectivity that uses the same ACS server for authentication. That being said:
1. I'm going to try disjoining ACS from AD and then rejoining it to see if it fixes the problem.
2. However, I'm thinking that version 5.2 of ACS has some sort of compatibility issue with Windows Server 2012 R2 and I will have to upgrade to a newer version.
Can anyone confirm #2? If so, what version do I need to upgrade ACS to in order to get around this issue if this is the root cause?
I'm thinking I'm likely going to have to open a TAC case in the morning if no one can confirm these theories.
Disjoining and rejoining ACS from AD unfortunately did nothing to fix the problem.
I then decided to upgrade to version 5.4. This upgrade was incredibly slow and after it completed I still was unable to authenticate to the wireless network.
I took one last chance and upgraded to the latest 22.214.171.124 ACS Software. Miraculously this fixed the problem and the authentication errors went away and clients are now able to connect to and authenticate to the wireless network without issue.
Thanks for the response. I ended up upgrading to the latest 5.5 version, which fixed the problem, and everything is working great. I just wish I had had your message earlier, as I upgraded in the hope (but not knowing for sure) that the new version would fix my issue.
Log in to the FXOS Chassis Manager.
Point your browser at https://hostname/ and log in using your username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and also defined a rule, which does get hits, to permit tcp from the inside interface to any6.
In Syslog I also se...