CS ACS Solution Engine with AD external database

lcipriani
Level 1

I have a client that has implemented a CS ACS Solution Engine (appliance). They currently have VPN tunnels that terminate on an ASA and the ACS is providing authentication via an external AD database. I didn't do the install or configuration of the unit and I am new to ACS. There is a group in AD that was created to allow access to the VPN and this is working. I have created a second group in AD and a test user. The user account will not authenticate properly when establishing a VPN session. I have checked the ACS agent logs on the AD controller and it is showing that the user is authenticating properly, but it seems that the agent is not forwarding this information back to the ACS. Either that, or the ACS is ignoring it. On the ACS, the error generated is "External DB Account Restriction". I can't find anything specific about this. I verified that the AD account works and can log in to a workstation. I verified the account properties for the test account. I think it's related to the group membership. I have a Group in ACS named exactly the same as the AD group and the test account is a member of that group. I'm not sure where to start; any help would be appreciated.

Accepted Solution

Premdeep Banga
Level 7

You need to map that group from the

External User Databases > Database Group Mapping > Windows Database... section

to a group on ACS. Naming the ACS group exactly the same as the Windows AD group does not establish any relationship between them.

I suppose all your other combinations in Group Mapping are mapped to either the "" group, or to a group that is disabled.

Please ensure that there is a proper group mapping on ACS for the new group that you have created in AD.

So you are moving in the right direction; the issue seems to lie in Group Mapping.

Regards,

Prem

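The accepted answer's point is that ACS assigns a user to an ACS group only through an explicit Database Group Mapping rule, never through a matching group name, and that an unmapped user falls through to whatever the remaining combinations point at (the "" no-access group or a disabled group), which surfaces as "External DB Account Restriction". The following Python model is an added example, not code from the thread or from Cisco: it assumes a simplified rule order (first rule whose AD groups are all present in the user's membership wins, otherwise a default), and it includes a small audit helper that lists AD groups no rule references, which is the check to run when a newly created AD group fails this way.

```python
"""Constructed model of ACS external-database group mapping (added example).

Assumptions (not from the thread, labelled here): mappings are an ordered list
of (required AD groups, ACS group) rules; the first rule whose AD groups are all
present in the user's membership wins; a user who matches no rule, or whose
rule maps to the "" (no-access) group or to a disabled ACS group, is rejected
with the thread's "External DB Account Restriction" result.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

NO_ACCESS = ""  # the thread's '"" group': no ACS group assigned

RESTRICTED = "External DB Account Restriction"


@dataclass
class AcsGroup:
    name: str
    enabled: bool = True


@dataclass
class MappingRule:
    ad_groups: FrozenSet[str]  # AD groups the user must belong to (all of them)
    acs_group: str             # ACS group assigned when the rule matches


@dataclass
class GroupMapping:
    rules: List[MappingRule] = field(default_factory=list)
    default: str = NO_ACCESS   # fallback when no rule matches


def evaluate(mapping: GroupMapping, acs_groups: Dict[str, AcsGroup],
             user_ad_groups: List[str]) -> Tuple[Optional[str], str]:
    """Return (assigned ACS group or None, 'OK' or the ACS error text)."""
    membership = set(user_ad_groups)
    target = mapping.default
    for rule in mapping.rules:            # ordered: first full match wins
        if rule.ad_groups <= membership:
            target = rule.acs_group
            break
    if target == NO_ACCESS:
        return None, f"{RESTRICTED} (no ACS group mapped)"
    grp = acs_groups.get(target)
    if grp is None or not grp.enabled:
        return None, f"{RESTRICTED} (ACS group missing or disabled)"
    return target, "OK"


def unmapped_ad_groups(mapping: GroupMapping, ad_groups_in_use: List[str]) -> List[str]:
    """Audit helper: AD groups that no mapping rule references."""
    referenced = set()
    for rule in mapping.rules:
        referenced |= rule.ad_groups
    return sorted(set(ad_groups_in_use) - referenced)


def demo() -> dict:
    """Reproduce the thread's situation, then apply the accepted fix.

    Sample AD/ACS group names are constructed for this example.
    """
    # ACS group deliberately named identically to the new AD group: the
    # name match alone does nothing, as the accepted answer states.
    acs_groups = {
        "AD-VPN-Users": AcsGroup("AD-VPN-Users"),
        "AD-VPN-Test": AcsGroup("AD-VPN-Test"),
        "Old-Contractors": AcsGroup("Old-Contractors", enabled=False),
    }
    mapping = GroupMapping(rules=[
        MappingRule(frozenset({"AD-VPN-Users"}), "AD-VPN-Users"),
        MappingRule(frozenset({"AD-Contractors"}), "Old-Contractors"),
    ])
    test_user = ["Domain Users", "AD-VPN-Test"]
    contractor = ["Domain Users", "AD-Contractors"]

    result = {
        "before": evaluate(mapping, acs_groups, test_user),
        "disabled_target": evaluate(mapping, acs_groups, contractor),
        "audit": unmapped_ad_groups(mapping, ["AD-VPN-Users", "AD-VPN-Test"]),
    }
    # The fix from the thread: add the explicit AD group -> ACS group mapping.
    mapping.rules.append(MappingRule(frozenset({"AD-VPN-Test"}), "AD-VPN-Test"))
    result["after"] = evaluate(mapping, acs_groups, test_user)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the test user rejected before the mapping exists even though an ACS group with the same name is present, a user whose rule points at a disabled ACS group rejected with the same error text, the audit helper flagging the new AD group as unreferenced, and the user accepted once the explicit mapping is added.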
3 Replies

dchinea
Cisco Employee

Do you have the setting to allow remote access checked for the user in AD?

lcipriani
Level 1

Thanks everyone for the support. I found the problem.

In the group mapping configuration screen I didn't realize that there were two separate links: one for /default and another one right above it for a custom group that was set up originally. I know it sounds stupid, but I looked at that screen several times and I kept clicking on /default, thinking that the two lines were one link or the same link. I guess I'm just not used to the interface.

Once I got in, I saw all of the ACS group -> AD group mappings (Ah Ha!!! That's what I was looking for all this time). I created the necessary group mapping and tested it and it worked.

I have other questions, but I will post them as new topics.

Thanks again.