topic ACS 5.2 does not check Active directory changes in Network Access Control

ACS 5.2 does not check Active directory changes

cpfl_vzuben — Mon, 11 Mar 2019 00:29:48 GMT

Hi all,

I am working with ACS 5.2 and using Radius authentication for vpn client.

The authentication method used is Active Directory in an Windows enviroment with multiple domains in the same forest.

My problem occurs when i change a user from one group to another in Active Directory. After that i receive the following message when try to connect:

15039 Selected Authorization Profile is DenyAccess

The message is because match the default policy.

Another user in the same AD group works fine.

All domain in the forest have trust relation each other.

I am using universal groups to include users from all domain belongs this forest.

Can anyone help me?

Regards

Re: ACS 5.2 does not check Active directory changes

jrabinow — Thu, 14 Oct 2010 22:34:54 GMT

is your authentication rule matching against a single AD group?

You can check which groups were retrieved for the user as follows:

- goto "Monitoring and Troublshooting"

- select Authentications - RADIUS - Today

- Find the entry that did not match and click on the details icon

- Expand "Authentication Details" section. Look under "Other Attributes" the groups retrieved from AD for the user will be listed there

Re: ACS 5.2 does not check Active directory changes

cpfl_vzuben — Fri, 15 Oct 2010 13:57:29 GMT

Hi Jrabinow,

This is a problem.

I checked wich groups the user belongs and i didn't find the group that match the policy. But it's a problem, because i checked in active directory wich group the user belongs and there are 2 groups that ACS does not find.

Properties from this user was changed in Active Directory some days ago and does not appear in ACS.

Is it possible ACS keep a cache about this attributes and does'nt check AD to uptade this settings?

I have another ACS vs 4.1 here and the same problem occurs.

Thanks,

Best Regards,

Evandro

Re: ACS 5.2 does not check Active directory changes

cpfl_vzuben — Tue, 19 Oct 2010 15:36:06 GMT

Hi Jrabinow,

After you help me with same instructions, i could see the Global Catalog server was not updated in the ACS log. Then i change DNS Server address in the ACS Server.

After change the DNS Server, the ACS starts to check another Global Catalog Server in AD forest.

Until now the problem was resolved. I believe this problem was in AD not in ACS Server.

Best Regards,

Evandro

ACS 5.2 does not check Active directory changes

mohankumarm — Mon, 03 Sep 2012 09:20:38 GMT

Dear all,

Hope you can help me with a similar issue i am facing on migration from Cisco ACS 4.1.24 to Cisco 5.3.0.40

and testing Radius authentication for vpn client users.

The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:

"15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.

Other users on the same AD group seem to work fine and there are no changes performed on the AD for any of the concerned users.

Looking at the detail report for the user, confirms that no attributes are returned to the Radius(under the other attributes field) from the external server. The Radius also returns the following messages:

"24412 User not found in Active Directory"

"22056 Subject not found in the applicable identity store(s)"

Within the ACS Identity sequence in the ID store, the sequence is set to match on AD first and then Internal user. The Identity for the default network profile(for Radius users) is configured to General sequence. The same user/s seem to work fine when swithced to ACS4.

We are also looking at possible NTP sync issue with the ACS/AD or any NTLM/Kerberos auth issues or any issues related to applying the latest ACS patch to the box.Please let me know if there is any AD related configs to be modified.

Any help will be appreciated.

Thanks and Regards.

We had an issue where ACS was

Alex Pfeil — Wed, 02 Nov 2016 18:38:47 GMT

We had an issue where ACS was doing Active Directory authentication lookup to Global Catalog Server. We were seeing user not found in Active Directory. The issue was that the user had the same account login in two different domains. The Windows administrator removed one of the accounts and authentication started working immediately after replication.

24412 User not found in Active Directory

Thanks,

Alex