topic Re: Cisco ACS 5.1 LDAP group search error in Network Access Control

Cisco ACS 5.1 LDAP group search error

mrpaulhurd — Mon, 11 Mar 2019 02:04:56 GMT

I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search. The error I get is below

22037 Authentication Passed

22023 Proceed to attribute retrieval

24032 Sending request to secondary LDAP server

24016 Looking up user in LDAP Server - testuser

24004 User search finished successfully

24027 Groups search ended with an error

24034 Secondary server failover. Switching to primary server

24031 Sending request to primary LDAP server

24016 Looking up user in LDAP Server - testuser

24004 User search finished successfully

24027 Groups search ended with an error

22059 The advanced option that is configured for process failure is used.

22062 The 'Drop' advanced option is configured in case of a failed authentication request.

Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login. Any ideas?

Re: Cisco ACS 5.1 LDAP group search error

larsen_2011 — Fri, 11 May 2012 17:23:39 GMT

I had the same Problem. I raised a case but the support was not good. I solved the problem by switching to AD as Identity store. A query to exactly the same groups here never gave an error. But if you need to use ldap, this is of course no solution.

If you make a tac case, i would like to learn the outcome!

Sent from Cisco Technical Support iPad App

Re: Cisco ACS 5.1 LDAP group search error

mrpaulhurd — Fri, 11 May 2012 19:03:20 GMT

I have opened a TAC case but haven't found a solution yet. The ACS only allows one AD Identity Source and we're already using it with another domain so I am limited to using LDAP for this one.

Cisco ACS 5.1 LDAP group search error

charlie-hall — Mon, 11 Jun 2012 16:42:55 GMT

I just starting to get these same errors when I changed the LDAP Authentication Server from a FQDN to a domain name, ie. 'mydomain.com', instead of 'host1.mydomain.com' . I am in the process of retiring a couple of domain servers and instead of just specifying one or two servers, I thought that by specifying the domain name, I could talk to any domain controller.

But the log shows:

24028 User's attributes are retrieved

24022 User authentication succeeded

24027 Groups search ended with an error

I can see if user authentication failed then getting "24027 Groups search ended with an error", but user authentication did not fail.

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - Default Network Access

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store - MY-Servers

24031 Sending request to primary LDAP server

24015 Authenticating user against LDAP Server

24028 User's attributes are retrieved

24022 User authentication succeeded

24027 Groups search ended with an error

22059 The advanced option that is configured for process failure is used.

22062 The 'Drop' advanced option is configured in case of a failed authentication request.