Cisco Support Community
New Member

Authenticate users in other Windows domain

Hi

I'm trying to authenticate users in another Windows domain. The correct Remote Agent version is installed on the domain controller. Enterprise Admin "runs" the service.

I discovered that group nesting is not working in version 3.3.3. Is that correct?

I also created a Universal and Domain local group. In that group I put some users from the other, trusted domain.

Authentication will not work: Error on ACS: External DB account restriction.

I also tried to make a group mapping directly in the trusted domain. When I click on "Add Group Mapping", this is the error: "Failed to enumerate windows groups.."

How can I solve these problems?

Thanks

Remco

Accepted Solutions
New Member

Re: Authenticate users in other Windows domain

Hi Remco

Looking at the release notes, under Known Problems in Cisco Secure ACS for Windows Server 3.3:

CSCei01730

EAP-TLS authentication to the trusted DC doesn't succeed

Authentication succeeded only when the EAP-TLS client authenticates to the DC which connected directly to the ACS, but when the user is in the Trusted DC (only in the trusted DC) which connected to the first DC, the authentication didn't succeed and the Fail Attempts message was: "External DB account Restriction."

Same message occurred whether enabling the domain stripping in Windows external database settings or not.

CSCee13658

Failed attempts report statement is not clear enough

When user validation fails for any reason (external server down, wrong SSL certificate, or key mismatch with NAS), the csv failed attempts report states that the authentication failure code is 'external db account restriction' or 'CS password invalid'.

Workaround: This problem is cosmetic. No workaround.

Regards MJ

2 REPLIES
New Member

Re: Authenticate users in other Windows domain

Tomorrow I'm going to upgrade the ACS appliance to version 3.3.4. I hope that a lot of issues will be solved!
