08-03-2009 04:11 PM - edited 03-10-2019 04:37 PM
Hi, I have an ACS SE 4.2, and I am trying to integrate the ACS SE with Active Directory and Cisco Access Points, with PEAP MSCHAP V2 on Windows 2003 32-bit, and ACS Remote Agent, but my ACS SE gives me logs.
It says: Internal Error, in the failed-authentication logs.
My users in the Active Directory can't authenticate against the database.
Could you tell me why this happened?
Maybe I have a problem in the configuration of my ACS SE.
Could you tell me what the problem is in this case?
Thanks
08-04-2009 12:05 AM
Ivan,
That seems to be a permission issue. Make sure that the service running the remote agent has domain admin rights. Also, the remote agent and appliance should be on the same code.
Please refer to this link,
Regards,
~JG
Do rate helpful posts
08-04-2009 07:06 AM
I agree and disagree with some of what Cisco says, so I'll tell you what works for us:
- Make sure ACS SE and Remote Agent are at the same version and patch level
- Make sure that the ACS SE and Remote Agent can talk over the ports you selected (or defaulted to) at install
- Our Remote Agent is running on the local service account of a computer running Windows Server 2003 that is joined to our domain (we actually have two of these)
- Our ACS SE boxes authenticate using the Cisco-recommended AD domain computer account called "CISCO" (External Databases, Windows Authentication Config)
- Our External Database -> Database Group Mappings -> Windows Database -> /DEFAULT is left at the "All other combinations" setting
- Unknown User Policy is set to check the Windows Database
- If you go into Network Configuration, does your Remote Agent show up with available services (should show a Clipboard and Windows Logo icon in the "Services Available" column)?
- If you select your defined Remote Agent in Network Configuration, does the "Windows Authentication" status show "Yes" in the "Used by this ACS" column?
By the way, ACS SE will report a failed auth to your authentication clients if the Remote Agent service is not running (i.e. stops running); therefore your clients will NOT switch over to a backup RADIUS server automatically (if you have a secondary RADIUS server defined). For this reason, I have two different computers (in two different buildings, etc.) running Remote Agent, and I monitor the Remote Agent service on both systems.
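The checklist above boils down to two things an ACS-side host can verify on a schedule: the Remote Agent service is in the RUNNING state on each agent box, and the agent ports chosen at install are reachable. The script below is an added example written for this thread, not code from the thread or from Cisco; the service name `CSAgent`, the port `2004`, and the host names are placeholders to replace with the values from your own install, and the `sc query` output it parses is a constructed sample.

```python
"""Monitor ACS Remote Agent hosts: Windows service state plus port reachability.

Added example for the thread above, not Cisco's code. The service name,
ports and host names are assumptions; replace them with your install values.
"""
import socket
import subprocess
from typing import Dict, List, Optional

AGENT_SERVICE = "CSAgent"                                   # assumed service name
AGENT_PORTS = [2004]                                        # assumed; use the ports chosen at install
AGENT_HOSTS = ["agent1.example.com", "agent2.example.com"]  # constructed placeholders

# Constructed sample of what `sc query <name>` prints on a healthy host.
SAMPLE_SC_OUTPUT = (
    "SERVICE_NAME: CSAgent\n"
    "        TYPE               : 10  WIN32_OWN_PROCESS\n"
    "        STATE              : 4  RUNNING\n"
    "        WIN32_EXIT_CODE    : 0  (0x0)\n"
)


def parse_sc_query(output: str) -> Optional[str]:
    """Return the STATE word (RUNNING, STOPPED, ...) from `sc query` output, or None."""
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.upper().startswith("STATE"):
            _, _, value = stripped.partition(":")   # "4  RUNNING"
            words = value.split()
            return words[-1].upper() if words else None
    return None                                      # service missing or access denied


def service_state(host: str, name: str) -> Optional[str]:
    """Query a service on a remote Windows host via sc.exe (needs admin rights there)."""
    proc = subprocess.run(["sc", f"\\\\{host}", "query", name],
                          capture_output=True, text=True)
    return parse_sc_query(proc.stdout)


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(host: str, state: Optional[str], ports_ok: Dict[int, bool]) -> List[str]:
    """Turn raw observations into alert lines; an empty list means healthy."""
    alerts: List[str] = []
    if state != "RUNNING":
        alerts.append(f"{host}: Remote Agent service state is {state or 'UNKNOWN'}; "
                      "ACS SE will report failed auths instead of failing over")
    for port, ok in ports_ok.items():
        if not ok:
            alerts.append(f"{host}: TCP {port} not reachable from this host")
    return alerts


def check_agents(hosts, service_name=AGENT_SERVICE, ports=AGENT_PORTS,
                 state_fn=service_state, reach_fn=port_reachable) -> Dict[str, List[str]]:
    """Check every agent host; state_fn/reach_fn are injectable for offline testing."""
    results: Dict[str, List[str]] = {}
    for host in hosts:
        state = state_fn(host, service_name)
        ports_ok = {p: reach_fn(host, p) for p in ports}
        results[host] = evaluate(host, state, ports_ok)
    return results


if __name__ == "__main__":
    for host, alerts in check_agents(AGENT_HOSTS).items():
        print(f"{host}: {'OK' if not alerts else '; '.join(alerts)}")
```

Run it from the ACS-side Windows host that has rights to query services on the agent boxes; any non-empty alert list is the condition the post warns about, where ACS SE keeps answering but every authentication fails, so this is what to page on rather than RADIUS timeouts.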