10-23-2007 10:44 AM - edited 03-10-2019 03:28 PM
I have a client that has implemented a CS ACS Solution Engine (appliance). They currently have VPN tunnels that terminate on an ASA and the ACS is providing authentication via an external AD database. I didn't do the install or configuration of the unit and I am new to ACS. There is a group in AD that was created to allow access to the VPN and this is working. I have created a second group in AD and a test user. The user account will not authenticate properly when establishing a VPN session. I have checked the ACS agent logs on the AD controller and it is showing that the user is authenticating properly, but it seems that the agent is not forwarding this information back to the ACS. Either that, or the ACS is ignoring it. On the ACS, the error generated is "External DB Account Restriction". I can't find anything specific about this. I verified that the AD account works and can log in to a workstation. I verified the account properties for the test account. I think it's related to the group membership. I have a group in ACS named exactly the same as the AD group and the test account is a member of that group. I'm not sure where to start; any help would be appreciated.
10-24-2007 08:22 AM
You need to map that group from the
External User Databases > Database Group Mapping > Windows Database... section
to a group on ACS. Naming the ACS group exactly the same as the Windows AD group does not establish any relationship between them.
I suppose all your other combinations in Group Mapping are mapped to either "
Please ensure that there is a proper group mapping on ACS for the new group that you have created in AD.
So you are moving in the right direction; the issue seems to lie in Group Mapping.
Regards,
Prem
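To make the point concrete, here is a small model of how the Windows Database Group Mapping list is walked. It is an added illustration written for this thread, not ACS code or configuration; the first-match, top-to-bottom behaviour and the "All other combinations" default are assumptions about ACS, and the group names are constructed.

```python
"""Simplified model of Cisco Secure ACS Database Group Mapping for a
Windows/AD external database (added illustration, not ACS code).
Assumed behaviour: entries are checked top to bottom, the first entry
whose AD groups the user belongs to wins, and a user matching no entry
falls into the 'All other combinations' default entry."""
from typing import Iterable, List, Tuple

NO_ACCESS = "No Access"        # the default entry is commonly left at this

# Constructed mapping table: (AD groups required, ACS group assigned).
# Only the original VPN group is mapped; nothing maps the new AD group,
# even though an ACS group with the same name exists (ACS_GROUPS below).
MAPPINGS: List[Tuple[List[str], str]] = [
    (["VPN-Users"], "VPN-Users"),
]
ACS_GROUPS = {"VPN-Users", "VPN-Contractors"}   # groups defined on ACS


def map_to_acs_group(ad_groups: Iterable[str],
                     mappings: List[Tuple[List[str], str]] = MAPPINGS,
                     default: str = NO_ACCESS) -> str:
    """Return the ACS group the user lands in after group mapping."""
    member_of = set(ad_groups)
    for required, acs_group in mappings:
        if set(required) <= member_of:   # user is in every listed AD group
            return acs_group
    return default                       # 'All other combinations'


def naive_name_match(ad_groups: Iterable[str], acs_groups=ACS_GROUPS) -> str:
    """What the poster assumed: an AD group is linked to the ACS group of the
    same name. ACS does not work this way; shown only as the contrast."""
    return next((g for g in ad_groups if g in acs_groups), NO_ACCESS)


def vpn_decision(ad_groups: Iterable[str], mappings=MAPPINGS) -> Tuple[bool, str]:
    """Allow only users whose mapped ACS group is something other than No Access."""
    acs_group = map_to_acs_group(ad_groups, mappings)
    if acs_group == NO_ACCESS:
        return False, f"no mapping entry matched; default is {NO_ACCESS}"
    return True, f"mapped to ACS group {acs_group}"


if __name__ == "__main__":
    print(vpn_decision(["Domain Users", "VPN-Users"]))         # original group: allowed
    print(vpn_decision(["Domain Users", "VPN-Contractors"]))   # new group: denied
    print(naive_name_match(["VPN-Contractors"]))               # name match would pass
    fixed = MAPPINGS + [(["VPN-Contractors"], "VPN-Contractors")]
    print(vpn_decision(["Domain Users", "VPN-Contractors"], fixed))  # after mapping
```

Running it shows the new user is denied until an explicit mapping entry for the new AD group is added, regardless of the ACS group name.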
10-24-2007 10:53 AM
Do you have the setting to allow remote access checked for the user in AD?
10-25-2007 01:25 PM
Thanks everyone for the support. I found the problem.
In the group mapping configuration screen I didn't realize that there were 2 separate links: one for /default and another one right above it for a custom group that was set up originally. I know it sounds stupid, but I looked at that screen several times and I kept clicking on /default, thinking that the two lines were one link or the same link. I guess I'm just not used to the interface.
Once I got in, I saw all of the ACS group -> AD group mappings (Ah Ha!!! That's what I was looking for all this time). I created the necessary group mapping and tested it and it worked.
I have other questions, but I will post them as new topics.
Thanks again.