https://community.cisco.com/t5/network-access-control/external-ad-authentication-fails/m-p/1270620#M348124 <P>Hi,</P><P></P><P>I have set up an Active Directory database as an external resource via Generic LDAP option (I didnt set up via windows database option as my infrastructure does not allow me this). </P><P>I am trying to authenticate with no luck. The report database contains the following error message:</P><P>Message type: Authentication failed</P><P>Authentication Failure Code: External DB reports about an error condition.</P><P></P><P>My configuration steps are as follows: </P><P>Process all user names</P><P>Qualified by suffix (local.com)</P><P>Strip domain before submitting username to LDAP server</P><P>User Directory Subtree=dc=local,dc=com</P><P>Group Directory Subtree=dc=local,dc=com</P><P>User Object Type=SamAccountName</P><P>User Object Class=person</P><P>Group Object Type=cn</P><P>The rest is default settings.</P><P>Certificate DB path: empty</P><P></P><P>I also created an unknown user policy and added my external database in the list of databases and moved it up. </P><P></P><P>What am I doing wrong? Any help is appreciated. </P><P></P><P>Thanks,</P><P>Firuza</P> Sun, 10 Mar 2019 23:46:49 GMT KarimovaFiruza 2019-03-10T23:46:49Z https://community.cisco.com/t5/network-access-control/external-ad-authentication-fails/m-p/1270620#M348124 <P>Hi,</P><P></P><P>I have set up an Active Directory database as an external resource via Generic LDAP option (I didnt set up via windows database option as my infrastructure does not allow me this). </P><P>I am trying to authenticate with no luck. The report database contains the following error message:</P><P>Message type: Authentication failed</P><P>Authentication Failure Code: External DB reports about an error condition.</P><P></P><P>My configuration steps are as follows: </P><P>Process all user names</P><P>Qualified by suffix (local.com)</P><P>Strip domain before submitting username to LDAP server</P><P>User Directory Subtree=dc=local,dc=com</P><P>Group Directory Subtree=dc=local,dc=com</P><P>User Object Type=SamAccountName</P><P>User Object Class=person</P><P>Group Object Type=cn</P><P>The rest is default settings.</P><P>Certificate DB path: empty</P><P></P><P>I also created an unknown user policy and added my external database in the list of databases and moved it up. </P><P></P><P>What am I doing wrong? Any help is appreciated. </P><P></P><P>Thanks,</P><P>Firuza</P> Sun, 10 Mar 2019 23:46:49 GMT https://community.cisco.com/t5/network-access-control/external-ad-authentication-fails/m-p/1270620#M348124 KarimovaFiruza 2019-03-10T23:46:49Z https://community.cisco.com/t5/network-access-control/external-ad-authentication-fails/m-p/1270621#M348204 <HTML><HEAD></HEAD><BODY><P>As far as I know ACS does not have the sub tree query mode in which if a user is not found on the same level that was defined acs will look further levels deep, so you might want to put the user DN pointing exactly where the users are, also your user object type is not defined correctly, if it indeed is the value you are defining, then the correct syntax is sAMAccountName. I would advise to download the following trial "softerra ldap browser" and browse to your AD LDAP infrastructure, and check the right values that you are using, it might be that you are using the defaults which would mean that you would need to use in most of the cases cn user object type and so on.</P><P></P><P>hth</P><P>Ivan</P></BODY></HTML> Wed, 02 Dec 2009 21:33:24 GMT https://community.cisco.com/t5/network-access-control/external-ad-authentication-fails/m-p/1270621#M348204 Ivan Martinon 2009-12-02T21:33:24Z