topic Re: External db account restriction in Cisco ACS v3.3 in Network Access Control

External db account restriction in Cisco ACS v3.3

zhinminbuay — Mon, 11 Mar 2019 00:46:30 GMT

I'm trying to setup a wireless network using cisco 1240AG access points (for AAA clients) and Cisco ACS 3.3 for the AAA server and Active Directory for authentication. Wireless laptops are able to communicate with the access points and the ACS but I keep getting an authentication error in the ACS server saying "Authentication Failed" and the reason its giving is "External DB account restriction". Any idea what this error is? I think ACS isn't able to communicate with AD or something. Please advice. Thank you.

Re: External db account restriction in Cisco ACS v3.3

Jatin Katyal — Mon, 31 Jan 2011 08:34:36 GMT

Meaning of the error message

External DB account restriction : The Windows User Account is restricted : The windows administrator must reset this option.

ACS troubleshooting guide
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

When you try to authenticate via ACS and see failed authentication on the ACS,could you please take a look on the group you are dropped in.

This can occur either due to permission issues or if your user is being mapped to DISABLED or NO-ACCESS group on the ACS.

Once you have the group which the failed user belongs to, go to that group and click on edit group. It shouldn't ne disabled or noaccess group (Group 0 is what we called noaccess group).

If you're getting mapped to correct map then this is surely windows permission issue. You have to ensure that ACS software running on windows machine should have domain admin rights.

There are some permissions those need to be granted on the windows machine it is installed.You may check from below listed link

1.Acs is installed on the member server or DC and permissions are configured as per the following doc:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/install/inst02.htm#wp981552

If you're running ACS on member server do make sure that you have completed post installation task for local security policy.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/installation/guide/windows/install.html#wp981858

HTH

Rgds,

Jatin

Do rate helpful posts~

Re: External db account restriction in Cisco ACS v3.3

zhinminbuay — Mon, 31 Jan 2011 09:25:12 GMT

I logged into the ACS v3.3 and selected the "Group setup" the disabled box is uncheck under the Group disabled. Do I need to manually add the user to enable the authentication ?Sorry for any inconvenience as I am still new to ACS. Please advice. Thank you.

Re: External db account restriction in Cisco ACS v3.3

andamani — Mon, 31 Jan 2011 09:46:10 GMT

Hi Jimmy,

Please check the user properties on the Active directory. Maybe the dial-in properties are defined as denied. please change them to "allow access".

Let us know how it goes.

Regards,

Anisha

Re: External db account restriction in Cisco ACS v3.3

Jatin Katyal — Mon, 31 Jan 2011 09:48:06 GMT

No worries, keep us posted until you get the resolution.

Well, if the users resides on the ACS internal database and not in the AD-active directory then you have to placed users manually in their resoective groups. However, if this setup includes active directory then group mapping would do.

Group-mapping

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/qg.html#wp940515

Rgds,

Jatin

Do rate helpful posts~

Re: External db account restriction in Cisco ACS v3.3

zhinminbuay — Mon, 31 Jan 2011 09:49:17 GMT

Previously, all the users are able to authenticate. But unable to authenticate anymore and no configuration changes on the AP, ACS and AD. AD and ACS are in domain A while users laptops are in domain B.

Re: External db account restriction in Cisco ACS v3.3

zhinminbuay — Mon, 31 Jan 2011 09:54:55 GMT

The authentication is done by the Windows Database configured in the Unknown user policy. By right if the user account is not in the ACS, it will automatically authenticate via external windows database.

Re: External db account restriction in Cisco ACS v3.3

zhinminbuay — Mon, 31 Jan 2011 10:14:23 GMT

Hi all,

Check the dial-in under the user account but is for the VPN remote access dial in. But seem no settings can be change.

Date	Time	Message-Type	User-Name	Group-Name	Caller-ID	Authen-Failure-Code	Author-Failure-Code	Author-Data	NAS-Port	NAS-IP-Address
01/31/2011	18:09:38	Authen failed	tester02	..	0012.f08a.36d4	External DB user invalid or bad password	..	..	663	172.24.11.10
01/31/2011	18:09:04	Authen failed	Tester02	..	0012.f08a.36d4	External DB user invalid or bad password	..	..	662	172.24.11.10

The tester02 username is created inside the AD for testing purpose. No account being created inside the ACS. Please advice. Thank you.

Re: External db account restriction in Cisco ACS v3.3

Jatin Katyal — Mon, 31 Jan 2011 10:27:46 GMT

This is more of permission issue. looks like you are using ACS windows.

here are the steps to create package.cab file :

Below is the procedure to get the package.cab file from the ACS server.. Set detailed
logging mode(system config ==>service control ===>Services Log File
Configuration-full). This will ensure that all the proper service startup information is
included in the package.cab file.

- Log onto the ACS server itself as the local administrator.
- Browse to the UTILS directory in the ACS program directory.(C:\program files\ciscosecure
acs v3.x\utils)
- Run the program there called CSSupport.
- Select "Set Log Levels Only" and click Next.
- Select "Set Diagnostic Log Verbosity to Maximum."
- Click Next, then click Finish.

At this point, we need to duplicate the issue. Once that's done, we need to gather the verbose logs created. To do so, follow the instructions below AFTER the problem has been recreated and recorded:

- Log onto the ACS server itself as the local administrator.
- Browse to the UTILS directory in the ACS program directory.
- Run the program there called CSSupport.
- Select "Run Wizard" and click Next.
- Only do these steps if we need more than today's logs:
- Put a check in both "Previous Logs" checkbox.
- Select the number of days to go back.
- Click Next four times. Select the radius/tacacs capture option as applicable
- When the Finish button appears, click it.

The package.cab will be found in the UTILS\Support directory under the ACS program directory. This file contains all of the log information from ACS

HTH

Rgds,

Jatin

~Do rate helpful posts~