Cisco Support Community

cannot add active directory to my acs 5.0

Hello,

I am adding Active Directory to my ACS 5.0 and I got this error: "clock skew error".

My ACS has the same time as the Active Directory and the same timezone, GMT+3.

thanks

  • AAA Identity and NAC
8 REPLIES

Re: cannot add active directory to my acs 5.0

Hi,

You are not able to get the AD connection to work with ACS 5.0 and are getting the "clock skew error".

ACS and AD must be time-synchronized to within 5 minutes. Time in ACS is set according to
the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same
NTP server. Using the command line interface on your appliance, you must configure the NTP
client to work with the same NTP server that the AD domain is synchronized with.

Here is the complete command reference guide.

CLI Reference Guide for the Cisco Secure Access Control System 5.0:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/ACS_CLI_guide.html

Here are some commands highlighted for setting the time up.

  • ntp server: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIappA.html#wp1013780
  • clock timezone: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIappA.html#wp1013028

You can run the following commands to verify the time.

  • show clock: To display the day, month, date, time, time zone, and year of the system software clock
  • show ntp: To show the status of the Network Time Protocol (NTP) associations
  • show timezone: To display the time zone as set on the system

You can refer to the link below to set up the AD connection.

Microsoft Active Directory: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/users_id_stores.html#wp1053213


thanks,
Vinay
Thanks & Regards

Re: cannot add active directory to my acs 5.0

Hello,

Still the clock skew problem. Same time. The ACS timezone is UTC and Windows Server 2008 is UTC+3; both have the same NTP server configured and, of course, the same time.

What might be the additional workaround for this?

thank you and best regards

Re: cannot add active directory to my acs 5.0


It seems it turns out to be due to DST. Check the ACS timezone: is it EST (show timezones displays EST5EDT) and is the AD timezone Eastern? Do the timezones match?

See below: http://www.travelmath.com/time-zone/EST5EDT#
Thanks & Regards

Re: cannot add active directory to my acs 5.0

Hello,

I will try this timezone this coming Thursday. Maybe it is a timezone problem.

thanks


Re: cannot add active directory to my acs 5.0

Hi Vinashar

The option in my Active Directory is using UTC, so I use the UTC+3 timezone. How can I adjust my ACS to the UTC+3 timezone of my Active Directory? I tried GMT+3 in my ACS and UTC+3 in my Active Directory and still get the clock skew error.

thanks

Re: cannot add active directory to my acs 5.0


Re: cannot add active directory to my acs 5.0

Hi Vinashar,

I just tried again to see if I can add the Active Directory and still have the clock skew problem. The timezone of my Active Directory is UTC+3 and my ACS is GMT+3. Of course, I have the same time.


Re: cannot add active directory to my acs 5.0

Guys, I had the exact same issue. In order to solve it, I removed the NTP configuration from my ACS (my AD is not using NTP) and adjusted it manually until I get the difference between them of 3 seconds. I configured the same timezone on both sides, but I cannot guarantee that it's required.

Let me know if that works for you.
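
An added illustration, not code from any poster in this thread or from Cisco: the 5-minute check is made on absolute (UTC) time, so two clocks that display the same wall time under different timezone settings can still be hours apart. The sample readings are constructed, and the treatment of a "GMT+3" setting as the tz database zone Etc/GMT+3 (which means UTC-3) is an assumption the thread does not confirm.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # tolerance stated in the thread

def offset_hours(zone: str) -> int:
    """Hours east of UTC. 'UTC+3' uses the everyday sign; tz database
    names such as 'Etc/GMT+3' use the inverted POSIX sign (UTC-3)."""
    m = re.fullmatch(r"(Etc/GMT|UTC)([+-]\d{1,2})?", zone)
    if not m:
        raise ValueError(f"unsupported zone name: {zone}")
    hours = int(m.group(2) or 0)
    return -hours if m.group(1) == "Etc/GMT" else hours

def to_utc(wall_clock: str, zone: str) -> datetime:
    """Convert a 'show clock'-style reading plus its zone setting to UTC."""
    local = datetime.strptime(wall_clock, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=offset_hours(zone)))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def skew(acs: tuple, ad: tuple) -> timedelta:
    """Absolute difference between the two clocks once both are in UTC."""
    return abs(to_utc(*acs) - to_utc(*ad))

def within_tolerance(acs: tuple, ad: tuple) -> bool:
    return skew(acs, ad) <= MAX_SKEW

# Constructed readings: (wall clock, timezone setting) for ACS and AD.
AD = ("2024-01-15 12:00:00", "UTC+3")
CASES = {
    # NTP-synced, different zones: displays differ, UTC is identical.
    "ntp_synced_utc_zone": (("2024-01-15 09:00:00", "UTC"), AD),
    # ACS zone left at UTC, clock hand-set to show the same time as AD.
    "same_display_utc_zone": (("2024-01-15 12:00:00", "UTC"), AD),
    # ACS zone resolved as Etc/GMT+3 (assumed), same displayed time.
    "same_display_etc_gmt_plus3": (("2024-01-15 12:00:00", "Etc/GMT+3"), AD),
    # Same zone on both sides, hand-adjusted to within 3 seconds.
    "manual_same_zone_3s": (("2024-01-15 12:00:03", "UTC+3"), AD),
}

def evaluate() -> dict:
    """Return {case: (skew, passes_5_minute_check)} for the cases above."""
    return {n: (skew(a, d), within_tolerance(a, d)) for n, (a, d) in CASES.items()}

if __name__ == "__main__":
    for name, (delta, ok) in evaluate().items():
        print(f"{name:28} skew={delta}  {'OK' if ok else 'CLOCK SKEW'}")
```
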
