"24427 Access to Active Directory failed" error in ACS 5.1

Vincent Fortrat
Level 1

Hello,

I'm working on implementing a RADIUS authentication for wireless access with the following :

- PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),

- AP 1252 configured to use a RADIUS server to authenticate (it's working well with an ACS 4.2 server),

- ACS Server 5.1.0.44.5 running as a VM connected to an AD domain and working well with VPN connections,

- AD domain running on Windows 2003 Server.

My ACS VM has been working well for a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but it's the same.

All I can get from running the expert troubleshooter is:

Investigating failure code: 24427 Access to Active Directory failed
Checking if Active Directory is configured
Active Directory is configured
Attempting connection to Active Directory
Connection to Active Directory was successful.
Troubleshooting completed.

Click on Show Results Summary to view results.

I followed this guide, at least for the ACS certificate section :

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

Does anyone have an idea where the problem may come from?

Thanks in advance,

Vincent

27 Replies

Thank you Vincent, looking forward to hearing back from you.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Federico,

I hope you're doing great since our last conversation.

Since my last post, I upgraded my ACS to the 5.2 version. I did exactly the same thing as previously with the 5.1 release and I'm getting the exact same error...

But now, I'm able to generate a support bundle without encryption so you will be able to take a look at the log files.

I experienced my authentication failure around 17:15 today.

Thanks again for your help,

Best regards,

Vincent

Hi,

I'm not giving up so I did some additional tests today. I made it work by changing the protocol and/or the inner method used by the protocol. My conclusion is that each time I use MS-CHAP (v1 or v2) as the inner method it fails (LEAP, EAP-FAST or MS-PEAP) but each time I use EAP-GTC as the inner method it works (EAP-FAST and CISCO-PEAP).

I checked my ACS configuration. In the "allowed protocols" section of my default network access policy, the MS-CHAP inner method is allowed for PEAP and EAP-FAST.

Any idea what could cause the problem?

Thanks in advance,

Vincent

Vincent Fortrat
Level 1

Hi,

My problem was gone for some time and since yesterday, I'm having trouble authenticating with any protocol using MSCHAP as the inner method. I upgraded my ACS server to 5.3.0.40 (patch 1) but the problem is still there.

Any idea or investigation tip to help?

Vincent

The AD user must have permissions to add and remove users and machines in the field.

And make sure your password is working perfectly; you can test by logging on to any machine in the field.

Hi Jonatas,

Thanks for your answer. My user is an administrator and has the right to add and remove users and machines. My password is working perfectly well.

Vincent

Hi Vincent,

- Could you go to the AD configuration, click on test connection and check if it shows connected?

- Please log in to the ACS through SSH, do nslookup (your domain name) and check if it resolves?


Regards,

Kush

Vincent Fortrat
Level 1

Hi,

Last week, I finally found out what was going on with my ACS, sometimes working, sometimes not working. It was actually not a problem on the ACS but on the Active Directory, particularly on my secondary domain controller. I don't know yet which feature or setting is wrong, but each time it's assuming the role of domain controller (after a reboot of the primary, for example), my ACS is failing to access the Active Directory.

I'll let you know if I have some more information about the problem.

Vincent
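The two posts above make a point worth turning into a check: the ACS "test connection" button and a single nslookup only prove that some domain controller answered, so they pass even when one DC of the set is broken, which is exactly the intermittent failure reported here. The script below is an added example (not from the thread, not Cisco code) that probes every DC individually on the ports an AD-joined agent needs. The DC hostnames are constructed placeholders. The SMB port is included deliberately: MS-CHAPv2 validation has to be passed through to a DC over the NTLM/netlogon path, whereas a plain password (as carried by EAP-GTC) can be validated with an LDAP or Kerberos bind, so a DC that only answers on 389 can look healthy to a connection test and still fail MS-CHAP inner methods.

```python
"""Per-domain-controller reachability check for an ACS/AD integration.

Added example, not from the thread or from Cisco. Assumes a list of DC
hostnames (constructed placeholders below) and the standard AD ports; a
single "test connection" in ACS only proves that *some* DC answered, so
each DC is probed separately on the ports an AD agent needs.
"""
import socket

# Ports an AD-joined agent needs on every DC it may bind to: Kerberos,
# LDAP, SMB (machine-account secure channel / NTLM pass-through), global catalog.
AD_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 3268: "global-catalog"}

# Constructed placeholder DC names (assumption); replace with the real ones,
# e.g. from the _ldap._tcp.dc._msdcs.<domain> SRV records.
DOMAIN_CONTROLLERS = ["dc1.example.local", "dc2.example.local"]


def probe_port(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout.

    DNS failures, refusals and timeouts are all OSError subclasses, so any
    of them simply counts as 'not reachable'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host, ports=AD_PORTS, timeout=2.0, probe=probe_port):
    """Probe every required port on one DC; returns {service_name: bool}."""
    return {name: probe(host, port, timeout) for port, name in ports.items()}


def classify(results):
    """Label each DC 'ok' (all ports), 'partial' (some ports) or 'down' (none)."""
    verdicts = {}
    for dc, services in results.items():
        up = sum(1 for reachable in services.values() if reachable)
        if up == len(services):
            verdicts[dc] = "ok"
        elif up == 0:
            verdicts[dc] = "down"
        else:
            verdicts[dc] = "partial"
    return verdicts


def check_domain(dcs=DOMAIN_CONTROLLERS, timeout=2.0, probe=probe_port):
    """Probe every DC and return (raw per-port results, per-DC verdicts)."""
    results = {dc: probe_dc(dc, timeout=timeout, probe=probe) for dc in dcs}
    return results, classify(results)


if __name__ == "__main__":
    raw, verdicts = check_domain()
    for dc in DOMAIN_CONTROLLERS:
        print(f"{dc:28} {verdicts[dc]:8} {raw[dc]}")
```

Run it from a host in the same network position as the ACS (the ACS CLI is restricted, so a jump host with the same firewall path is the realistic choice). A DC that is "partial", typically LDAP open but 445 or 88 filtered, is the one to suspect when MS-CHAP inner methods fail while GTC works, and a DC that is "down" only after a failover matches the secondary-DC behaviour described in the post.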

zac ragoonath
Level 1

Hey there, I ran into the same issue with 5.3 and it turned out to be this bug. I came across your post looking for instructions on retrieving the logs. Thanks mate.


link

Problem: Error "24495 Active Directory servers are not available"

Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.

Solution

Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:

Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch

If you see the "Running in disconnected mode: unlatch" error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to the 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.
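Reading ACSADAgent.log by eye tells you that a disconnect happened; what you actually want to know is which DC keeps dropping and whether the agent is still in disconnected mode now. The following is an added example (not part of the Cisco document or the thread) that scans the log for the adclient "healing" events. The "Lost connection ... Running in disconnected mode: unlatch" line follows the format quoted above; the "Reconnected to <dc>" line, the DC hostnames and the sample log are all constructed assumptions, so adjust RECONNECT_RE to the agent's real wording before relying on the "still disconnected" result.

```python
"""Scan ACSADAgent.log for adclient connection flaps to Active Directory.

Added example, not from the thread or from Cisco. The 'Lost connection ...
Running in disconnected mode: unlatch' line follows the format quoted in
the post; the 'Reconnected to <dc>' line and all hostnames are constructed
assumptions, so adjust RECONNECT_RE to the agent's real wording.
"""
import re
from collections import Counter

# Syslog-style adclient line: "<timestamp> <host> adclient[<pid>]: <LEVEL> <component> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"adclient\[(?P<pid>\d+)\]: (?P<level>[A-Z]+) (?P<component>\S+) (?P<msg>.*)$"
)
# Wording quoted in the Cisco note; the DC name is captured up to the trailing '.'
LOST_RE = re.compile(r"Lost connection to (?P<dc>\S+)\. Running in disconnected mode")
# Assumed wording for the recovery message (not from the page).
RECONNECT_RE = re.compile(r"Reconnected to (?P<dc>\S+)")


def parse_line(line):
    """Split one adclient log line into fields, or return None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def connection_events(lines):
    """Yield (timestamp, 'lost' | 'reconnect', dc) for each healing event."""
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["component"].startswith("base.bind.healing"):
            continue
        lost = LOST_RE.search(rec["msg"])
        if lost:
            yield rec["ts"], "lost", lost.group("dc")
            continue
        back = RECONNECT_RE.search(rec["msg"])
        if back:
            yield rec["ts"], "reconnect", back.group("dc")


def summarize(lines):
    """Count disconnects/reconnects per DC and list DCs whose last event was a loss."""
    lost, back, last_state = Counter(), Counter(), {}
    for _ts, kind, dc in connection_events(lines):
        (lost if kind == "lost" else back)[dc] += 1
        last_state[dc] = kind
    return {
        "lost": dict(lost),
        "reconnect": dict(back),
        "still_disconnected": sorted(dc for dc, k in last_state.items() if k == "lost"),
    }


def unstable_dcs(summary, threshold=2):
    """DCs that dropped at least `threshold` times: the ones to look at first."""
    return sorted(dc for dc, n in summary["lost"].items() if n >= threshold)


# Constructed sample log (assumption): two flaps on dc2, one unrecovered loss on dc1,
# plus lines the scanner must ignore.
SAMPLE_LOG = [
    "Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to dc2.example.local. Running in disconnected mode: unlatch",
    "Mar 11 00:06:40 xlpacs01 adclient[30401]: INFO base.bind.healing Reconnected to dc2.example.local",
    "Mar 11 00:12:13 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to dc2.example.local. Running in disconnected mode: unlatch",
    "Mar 11 00:12:55 xlpacs01 adclient[30401]: INFO base.bind.healing Reconnected to dc2.example.local",
    "Mar 11 01:00:00 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to dc1.example.local. Running in disconnected mode: unlatch",
    "Mar 11 01:00:01 xlpacs01 adclient[30401]: DEBUG base.osutil cache refresh complete",
    "Mar 11 01:00:02 xlpacs01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print("unstable:", unstable_dcs(summary))
```

Feed it the real file with `summarize(open("ACSADAgent.log"))`. A DC that shows up in "unstable" matches the bug described in the note; a DC that is "still_disconnected" while authentications are failing right now is the one whose reachability (and, in the earlier post's case, its ability to take over the DC role) needs checking first.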

The CDETS you refer to has been resolved on ACS 5.3 and is included in patch 3 and onwards. If you are going to install a patch on 5.3, I recommend taking the latest patch, which is patch 5. The workaround for the CDETS has been updated.

The patch is cumulative, so I would be able to go straight from, say, patch 2 to patch 5, right?

Yes. That is correct. The patch is cumulative.

Much appreciated