Cisco Support Community
Cisco ACS 5.2 and Active Directory integration

Hi !

A customer uses Active Directory where some group names contain special characters (ç ~ ' ^). The Cisco ACS 5.2 is presenting the warning:

"Not all Active Directory user groups are retrieved successfully. One or more of the group's canonical name was not retrieved" (Category CSCOacs_Identity_Stores_Diagnostics; code 24457).


Question: What are the consequences of these warnings for the customer's network? Slowness? Loss of access?


Thank you,

Leonardo.

3 REPLIES

Hello. Could you please post a screenshot of the warnings?

I'm guessing there will be no problems, because those groups are not retrieved and so you could not use them in the ACS rules.

On the other hand, do you have usernames with special characters? I have an issue when using PEAP EAP-MSCHAPv2 and non-English characters.

Just to Share:


ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113571-acs5-ad-int-config-00.html

Hi,

That's highly probable, because ACS handles ASCII characters only.

In older versions (4.x) there was a known problem:

'''snip'''

Problem: ACS Error Message - Not all user Active Directory groups are retrieved successfully...

Why is the "Not all user Active Directory groups are retrieved successfully. One or more of the group's canonical name was not retrieved" error message seen on ACS?

Solution

This issue occurs because Unicode characters are used in the group name on AD. Since ACS sees AD groups as ASCII text, the Unicode characters are not translated correctly. As a result, the group membership is not retrieved. Remove the Unicode character from the AD configuration in order to resolve this issue.

'''snip'''


In the ACS 5.3 version I can see that some of those issues are resolved, as per the release notes:

CSCtn26604    ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.


CSCto72918   ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.


However, I didn't find anything talking about non-ASCII usernames. But maybe that applies too.

Is it possible for you to make a test with version 5.3 or higher and check if it works?


Regards,


Amjad

Rating useful replies is more useful than saying "Thank you"
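To find out which AD groups would trigger this warning before changing anything on the ACS, here is an added example (not from the thread and not Cisco's code) that audits a list of group canonical names: it reports every character that falls outside ASCII with its code point, and proposes an ASCII-only rename by stripping accents, matching the ASCII-only handling of group names the replies above describe. The group names in the block are constructed samples, and the function names are my own; in practice you would feed the function the canonicalName values returned by an LDAP query or by Get-ADGroup -Properties canonicalName. Of the characters listed in the question, ç is non-ASCII while ~, ' and ^ are plain ASCII punctuation, and the check separates the two.

```python
import unicodedata

# Constructed sample input: canonical names in the form AD returns them
# (domain/OU/.../CN). These are made-up names, not the customer's groups.
SAMPLE_CANONICAL_NAMES = [
    "example.local/Users/Network Admins",
    "example.local/Groups/Operações",         # c-cedilla and o-tilde are non-ASCII
    "example.local/Groups/VPN~Users",          # tilde is ASCII, no problem
    "example.local/Groups/L'Équipe^Réseau",    # ' and ^ are ASCII; É and é are not
    "example.local/Groups/Ünicode Test",
]


def non_ascii_chars(name):
    """Return (char, code point, Unicode name) for every character outside ASCII."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in name
        if ord(ch) > 0x7F
    ]


def ascii_fold(name):
    """Suggest an ASCII-only rename: decompose (NFKD), drop combining marks such
    as cedilla or acute accent, and replace anything still non-ASCII with '?'."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch if ord(ch) <= 0x7F else "?" for ch in without_marks)


def would_fail_ascii(name):
    """Mimic an ASCII-only consumer of the name: True if it cannot be encoded."""
    try:
        name.encode("ascii")
        return False
    except UnicodeEncodeError:
        return True


def audit_groups(canonical_names):
    """One report entry per group whose canonical name is not pure ASCII."""
    report = []
    for cn in canonical_names:
        if would_fail_ascii(cn):
            report.append({
                "canonical_name": cn,
                "offending": non_ascii_chars(cn),
                "ascii_suggestion": ascii_fold(cn),
            })
    return report


if __name__ == "__main__":
    for entry in audit_groups(SAMPLE_CANONICAL_NAMES):
        print(entry["canonical_name"])
        for ch, cp, uname in entry["offending"]:
            print(f"  {ch!r} {cp} {uname}")
        print(f"  suggested ASCII name: {entry['ascii_suggestion']}")
```

The ASCII-fold suggestion is only a starting point: renaming a group changes its name but not its objectGUID or SID, so existing memberships survive, but any ACS rule or other system that matches on the old name has to be updated at the same time.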