topic ACS 5.3 and AD domain trust in Network Access Control

ACS 5.3 and AD domain trust

kamarale — Mon, 11 Mar 2019 02:20:37 GMT

Hello ,I´m having this problem:

I have 2 AD domains y 2 different forrests (i.e domain1.com and domain2.com) and they were configured to trust each other (two-way trust).

In the AD enviroment it works great.

The problem is that in ACS wich is intergrated with domain1.com y can´t see the groups of the other domain domain2.com.

If I look for them under Directory Groups they don´t appear and if i put them manually in Group Name (with sintax domain2.com/Users/GroupX) and then I add it with Add^ button I am able to add them and to use them in policies but they don´t work (I get errors and nothing is authenticated).

I´m using ACS 5.3.0.40.5 version and Windows 2003 server enterprise edition.

I´ve read this post

https://supportforums.cisco.com/thread/2064843

but I couldn´t make it work.

If someone knows how I can get this working I will really appreciate it.

Thanks in advance.

Regards.

ACS 5.3 and AD domain trust

Tarik Admani — Fri, 27 Jul 2012 05:49:15 GMT

Please use this guide for reference when configuring trusts between the forests. It seems that authenticaiton works fine when using transitive trusts but SID filtering may be in the picture since you can query for groups. Please do some research regarding the effects of disabling sid filtering, but for the most part this seems to be what you are facing.

http://technet.microsoft.com/en-us/library/cc755427%28v=ws.10%29.aspx

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

kamarale — Mon, 30 Jul 2012 16:06:57 GMT

Hello,thanks for the reply.

I had configured a forest trust type,and that did not work. So I changed the trust type to external trust and it started to work perfectly.

Is there a limitation with the ACS that does not support forest trust??

Thanks.

ACS 5.3 and AD domain trust

Tarik Admani — Mon, 30 Jul 2012 16:09:37 GMT

Yes the reason is that the ACS uses kerberos instead of NTLM for authentication. With the forest trusts only NTLM is supported, with an external trust you can use kerberos.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

kamarale — Mon, 30 Jul 2012 16:13:28 GMT

Thanks for the quick replay.

Where does Cisco say that? Do you have some link?

Regards.

ACS 5.3 and AD domain trust

Tarik Admani — Mon, 30 Jul 2012 16:41:49 GMT

No problem you are welcome,

I havent seen this mentioned in the Cisco documentation, its something I have come across while working on trusts types and what the ACS uses for authentication.

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

kamarale — Mon, 30 Jul 2012 17:56:27 GMT

One more question, the two domains are going to have different hours(they are on separate countries).

How do I do with this? Should I point the two domain controllers to the same NTP and in each DC set the correct time zone?

Thanks.

ACS 5.3 and AD domain trust

Tarik Admani — Mon, 30 Jul 2012 18:36:50 GMT

As long as you point to a trusted ntp source which gives you the accurate GMT source, then the ACS and the domain controllers will use their timezone setting to offset this value locally. Kerberos should use the GMT value as its basis for its operability

For more information - http://social.technet.microsoft.com/Forums/ta/winserverNIS/thread/5231d52d-cf78-4685-b1a2-c39dcb767427

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

Tarik Admani — Tue, 31 Jul 2012 03:58:21 GMT

Let me know if there is anything else I can help you and how everything is going.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

kamarale — Tue, 31 Jul 2012 12:56:09 GMT

Thank you very much for your support.

ACS 5.3 and AD domain trust

mohankumarm — Mon, 03 Sep 2012 09:19:14 GMT

Dear all,

Hope you can help me with an issue i am facing on migration from Cisco ACS 4.1.24 to Cisco 5.3.0.40

and testing Radius authentication for vpn client users.

The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:

"15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.

Other users on the same AD group seem to work fine and there are no changes performed on the AD for any of the concerned users.

Looking at the detail report for the user, confirms that no attributes are returned to the Radius(under the other attributes field) from the external server. The Radius also returns the following messages:

"24412 User not found in Active Directory"

"22056 Subject not found in the applicable identity store(s)"

Within the ACS Identity sequence in the ID store, the sequence is set to match on AD first and then Internal user. The Identity for the default network profile(for Radius users) is configured to General sequence. The same user/s seem to work fine when swithced to ACS4.

We are also looking at possible NTP sync issue with the ACS/AD or any NTLM/Kerberos auth issues or any issues related to applying the latest ACS patch to the box.

Any help will be appreciated.

Thanks and Regards.

ACS 5.3 and AD domain trust

Tarik Admani — Mon, 03 Sep 2012 09:33:06 GMT

Hi,

You will need to troubleshoot this a little deeper, I dont think that ntp is an issue because you would see errors in the AD configuration page if it shows disconnected.

However, please install the latest patch, there were some AD issues with the 5.3 code and have been resolved in the most recent patches. Please try again afterwards.

Also while you are in the AD settings page there is a tab for "Directory Attributes" please type in the user account that isnt found in the authentication report and see if you can pull any attributes in the page. If you get the error then try you user account and see if it pulls the attribute.

Then we can start to see what the problem is there.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

mohankumarm — Mon, 03 Sep 2012 09:45:52 GMT

Thanks very much for the quick response. When i try to enter the failed user and select the attributes, it prompts me to select a number of them, which means the attributes are being returned for the failed user? some of the attribs are 1)CN 2) DN 3) member of...etc

Best Regards.

ACS 5.3 and AD domain trust

mohankumarm — Mon, 03 Sep 2012 10:02:50 GMT

Just to continue with my previous message, When i try an unknown user on the Directory attribute, it comes up "No data to Display" screen.

Thanks and Regards,

Mohan

ACS 5.3 and AD domain trust

Tarik Admani — Mon, 03 Sep 2012 18:27:09 GMT

Can you please copy and paste the output from the ACS report. Also please try installing the latest patch and see if that resolves your issue.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

mohankumarm — Mon, 03 Sep 2012 22:54:15 GMT

AAA Protocol > RADIUS Authentication Detail

ACS

session ID

Date : September 3, 2012

Generated on September 3, 2012 2:30:12 PM EST

Authentication Summary

Logged At: September 3,2012 10:09:41.676 AM

RADIUS Status:

Authentication failed:15039 Selected

Authorization Profile is DenyAccess

NAS Failure:

Username: sipcarra

MAC/IP Address: y.y.y.y

Network Device: DRPIX:z.z.z.z

Access Service: All Radius users

Identity Store:

Authorization Profiles: DenyAccess

CTS Security Group:

Authentication Method: PAP_ASCII

Actions

Troubleshoot Authentication

View Diagnostic Messages

Audit Network Device Configuration

View Network Device Configuration

View ACS Configuration Changes

Authentication Result

RadiusPacketType=AccessReject

AuthenticationResult=UnknownUser

Session Events

Sep 3,12 10:09:41.676 AM Radius authentication failed for USER: xxxxx MAC: y.y.y.y

AUTHTYPE: Radius authentication failed

Authentication Details

Logged At: September 3,2012 10:09:41.676 AM

ACS Time: September 3,2012 10:09:41.663 AM

ACS Instance: xxxxx01

Authentication Method: PAP_ASCII

EAP Authentication

Method :

EAP Tunnel Method :

User

ACS Username: sipcarra

RADIUS Username : sipcarra

Calling Station ID: x.x.x.x

Framed IP Address:

Host Lookup:

Network Device

Network Device: DRPIX

Network Device

Groups:

Migrated_NDGs:All Migrated_NDGs:Loc1 / DRC all

Device Type:All Device Types

Location:All Locations

NAS IP Address: a.a.a.a

NAS Identifier:

NAS Port: 7360512

NAS Port ID:

NAS Port Type: Virtual

Access Policy

Access Service: All Radius users

Identity Store:

Authorization Profiles: DenyAccess

Exception

Authorization Profiles:

Active Directory

Domain:

simnetad.simplot.com.au

Identity Group: All Groups:External

Access Service

Selection Matched Rule

Radius Network Access

Identity Policy Matched

Rule:

Default

Selected Identity Stores

Internal Users, AD1

Query Identity Stores:

Selected Query Identity

Stores:

Group Mapping Policy

Matched Rule:

Default

Authorization Policy

Matched Rule:

Default

Authorization

Exception Policy

Matched Rule:

CTS

CTS Security Group:

Other

ACS Session ID: ____

Audit Session ID:

Tunnel Details: Tunnel-Client-Endpoint=(tag=0) x.x.x.x

H323 Attributes:

SSG Attributes:

Cisco-AVPairs: ip:source-ip=x.x.x.x

Other Attributes:

ACSVersion=acs-5.3.0.40-B.839

ConfigVersionId=164

Device Port=1025

RadiusPacketType=AccessRequest

Protocol=Radius

Service-Type=Framed

Framed-Protocol=PPP

Called-Station-ID=z.z.z.z

Device IP Address=z.z.z.z

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - All Radius users

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store -

24210 Looking up User in Internal Users IDStore - Test

24216 The user is not found in the internal users identity store.

24430 Authenticating user against Active Directory

24412 User not found in Active Directory

22016 Identity sequence completed iterating the IDStores

22056 Subject not found in the applicable identity store(s).

22058 The advanced option that is configured for an unknown user is used.

22060 The 'Continue' advanced option is configured in case of a failed authentication request.

Evaluating Group Mapping Policy

15006 Matched Default Rule

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - DenyAccess

15039 Selected Authorization Profile is DenyAccess

11003 Returned RADIUS Access-Reject

ACS 5.3 and AD domain trust

Tarik Admani — Wed, 05 Sep 2012 00:35:24 GMT

Hi,

Please follow the steps in order to troubleshoot this.

ssh into the ACS and issue the command "acs-config"

wait 45 seconds

Then run debug-adclient enable (this enables debug level logging for AD related communication

Reproduce your issue and note the time stamp in the logs

In the monitoring and reporting section there is an option for "ACS Support Bundle" download that with only the debug-logs option enabled.

After downloading the logs you should be able to open them with winrar, and look in the logs directory then in the debug logs directory. Please open the ACSADAgent.log file that contains the timeframe when this occured, if there is a lot of traffic running it could be in the other incremental logs. You can open this log with wordpad (or notepad++)

Take a look at the events that occured at the timestamp noted before and see what response you are receiving from AD.

Thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

Tarik Admani — Wed, 05 Sep 2012 08:05:35 GMT

I just published a doc that will help you with the debugging:

https://supportforums.cisco.com/docs/DOC-26787

Please rate it if you find it helpful.

thanks,

Tarik Admani
*Please rate helpful posts*

ACS 5.3 and AD domain trust

mohankumarm — Wed, 05 Sep 2012 08:24:48 GMT

Hey Tarik,

Thanks very much indeed and we have updated the ACS to the latest patch 5-3-0-40-6 and currently testing all the VPN users now and at the moment we dont see any failures now and we are waiting for previous failed VPN users to connect now and will update accordingly.

In the meantime, we tried to enter "acs-config" by ssh to the VM on which ACS is running and this prompts for a Username/Password and when we enter the GUI credentials(for acsadmin superadmin user), it hangs and sometimes comes up with "Connecting" message and does nothing. The ssh was from Putty terminal software and do you think using Secure CRT is a better option. We also lost access to the web gui and had to restart the VM to bring it back up.

Thanks and Regards,

Mohan

ACS 5.3 and AD domain trust

mohankumarm — Wed, 12 Sep 2012 04:45:57 GMT

Hello,

Just checking if there is any update to the "acs-config" issue.

Also, I have a scenario where several iphones/ipads have to be authenticated via Cisco ACS 5.3 and WLC. Currently, all the idevices are using PEAP with username/passwords and this is required to be moved to an EAP-TLS based configuration, so that there is no need to enter username/password credentials on the idevice and the clients will rely on only on certificate based authentication.

In the current ACS setup, the Identity store sequence configuration is password based and this general sequence is mapped to the access service profiles for Default Network Access (external AD) for all users. If we create a new IDentity store and select the "Certificate based" option, then a new access service policy has to be defined to map all the idevices to this ID sequence, which means creation of additional access service policies. Currently there are two service policies one for device access and one for network access and i am not sure if by creating new policy how the idevice traffic will hit this policy. Please advise how do we go about implementing this feature for idevices with no username/password credentials but should use only certificate based authentication.

Thanks very much for your help.