topic ACS 5.3 join to domain issue in Network Access Control

ACS 5.3 join to domain issue

Christos Stefaneskou — Mon, 11 Mar 2019 03:27:06 GMT

Hello,

I facing a strange problem with ACS 5.3.0.40.9.

I'm trying to join the ACS to domain without success.The test connection works properly "Connection test to <domain> succeeded" but when i'm trying to save the config i get the error "wrong domain".

These machine was previous in a lab environment and the connection to AD was working fine.Now i'm trying to install it in production environment.

Maybe ACS has cashed information about AD,i cleared "ad-agent-clear-cache" but I'm not able to clear the AD config through CLI,

ACS5(config-acs)# ad-agent-reset-configuration

Performing reset of AD agent configuration , AD agent will be restarted. continue (y/n)?

Unable to restart AD agent. Define AD configuration or check current AD configuration settings

Any thoughts?

Chris.

ACS 5.3 join to domain issue

Jatin Katyal — Wed, 22 May 2013 00:03:15 GMT

What is the AD setup? Can you please describe how is the AD setup?

What is your domain name? Are you able to execute nslookup for the same from ACS CLI?

Do you see all services running : show application status acs

Please provide me the following debugs from acs-config.

(a)acsadmin(config-acs)# debug-adclient enable

(b) acsadmin(config-acs)# debug-log runtime-idstores level debug

Jatin Katyal

- Do rate helpful posts -

ACS 5.3 join to domain issue

Christos Stefaneskou — Wed, 22 May 2013 07:34:07 GMT

Problem solved,i created a new AD user for ACS with administrator rights.

This is strange because it isn't necessary to be administrator.

Thanks for your response.

ACS 5.3 join to domain issue

Jatin Katyal — Wed, 22 May 2013 08:33:01 GMT

Glad to know. However we don't need admin rights.

From the user guide:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1171071

Predefined user in AD. AD account required for domain access in ACS should have either of the following:

•Add workstations to domain user right in corresponding domain.

•Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain).

We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.

Jatin Katyal

- Do rate helpful posts -