I have a client that has implemented a CS ACS Solution Engine (appliance). They currently have VPN tunnels that terminate on an ASA and the ACS is providing authentication via an external AD database. I didn't do the install or configuration of the unit and I am new to ACS. There is a group in AD that was created to allow access to the VPN and this is working. I have created a second group in AD and a test user. The user account will not authenticate properly when establishing a VPN session. I have checked the ACS agent logs on the AD controller and it is showing that the user is authenticating properly, but it seems that the agent is not forwarding this information back to the ACS. Either that, or the ACS is ignoring it. On the ACS, the error generated is "External DB Account Restriction". I can't find anything specific about this. I verified that the AD account works and can log in to a workstation. I verified the account properties for the test account. I think it's related to the group membership. I have a group in ACS named exactly the same as the AD group and the test account is a member of that group. I'm not sure where to start; any help would be appreciated.
Re: CS ACS Solution Engine with AD external database
Thanks everyone for the support. I found the problem.
In the group mapping configuration screen I didn't realize that there were 2 separate links: one for /default and another one right above it for a custom group that was set up originally. I know it sounds stupid, but I looked at that screen several times and I kept clicking on /default, thinking that the two lines were one link or the same link. I guess I'm just not used to the interface.
Once I got in, I saw all of the ACS group -> AD group mappings (Ah Ha!!! That's what I was looking for all this time). I created the necessary group mapping and tested it and it worked.
I have other questions, but I will post them as new topics.