topic Hi; in Network Access Control

ACS 5.8.0.32 not matching Active Directory Authorization Rules for TACACS after upgrade from 5.6

fuhrersk8 — Mon, 11 Mar 2019 06:28:55 GMT

Hi Guys;

We had a primary/secondary ACS 5.6 deployment working beautifully with all of our switches authenticating (TACACS) with our Active Directory accounts.

We decided to upgrade to version 5.8.0.32. Both virtual machines upgraded successfully (at least that was the message form each vm after upgarded).

But, after the upgrade, bot ACS were disconnected form the AD. We rejoined both of them successfully, but now, after the upgrade, all of the authorization rules referencing AD (active directory accounts) are being ignored and it goes directly to the default deny rule.

The local accounts existing on the ACS authenticate successfully. It is the Rules referencing AD accounts.

All diagnostic tests pass successfully., ecen in the ACS logs, the users from AD gets authenticated, but in the authorization rules the ACS ignores the existing AD rules and uses the Default deny Rule.

Any ideas?

Thanks in advanced Guys!

Hi,

radmedur — Fri, 12 Feb 2016 10:08:29 GMT

Hi,

Can you please confirm whether Binary certificate comparison is enabled in Certificate Authentication Profile object?

I mean the whether following check box is enabled?

"Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory"

This configuration is available in GUI "Users and Identity Stores > Certificate Authentication Profile"

If yes, can you please disable and try.

If not, Can you please share the list of steps shown in the report in failed case.

Thanks

Radhakrishna

Hi and thanks for your reply;

fuhrersk8 — Fri, 12 Feb 2016 14:16:39 GMT

Hi and thanks for your reply;

It was disabled. I proceeded to enabled it, but same result. The rules related to AD1 authentication are ignored and authorization is denied by ACS.

Below the steps of a failed authentication attempt of my AD Account on a Cisco switch:

StepData=19=c191341 : StepData=20=na.am.lilly.com : StepData=21=corp.lilly.com : StepData=23=C191341@na.am.lilly.com : StepData=26=C191341@na.am.lilly.com : IdentityAccessRestricted=false

Thanks again.

Regards,

Hello;

fuhrersk8 — Fri, 12 Feb 2016 14:51:18 GMT

Hello;

Not even the ACS admin authorization rule is working. It was working on previous version 5.6.

That is, we were able to access the ACS as SuperAdmin with our AD accounts.

Thanks again.

Regards,

Did you access ACS 5.8 via

Jatin Katyal — Fri, 12 Feb 2016 18:54:25 GMT

Did you access ACS 5.8 via Chrome as a browser? The Reason I am asking because no version of ACS supports Chrome browser - ACS browser Support and we have a very severe defect on this where it corrupts all the authz rules and no matter how authorization works for an user, it always take you to default policy that is set to deny in majority of the cases. In order to fix the issue do this:

Use supported browser and check whether all policies and its rules and conditions are displayed correctly and resubmit all of them. Restart ACS services to get the latest changes into effect.

~ Jatin

Hello and thanks for the

fuhrersk8 — Fri, 12 Feb 2016 19:00:57 GMT

Hello and thanks for the information.

I am using Mozilla Firefox 43.0.4.

What does resubmiting the policies refers to?

Thanks again.

so basically it messed up all

Jatin Katyal — Fri, 12 Feb 2016 19:07:39 GMT

so basically it messed up all the operators that we use to create conditions with external AD groups. I would like you to review all the authz rules and ensure the and/or operators are still intact. Once done - save changes again. Restart the ACS services from the ACS CLI and test again.

~ Jatin

Hi;

fuhrersk8 — Fri, 12 Feb 2016 19:11:16 GMT

Hi;

Basically, I deleted and recreated the AD rules, but still no authorization is being allowed but the default deny rule.

Even the Authorization rule for administering the ACS is being bypassed into the default rule.

Thanks again.

Hi,

radmedur — Mon, 15 Feb 2016 07:58:08 GMT

Hi,

We need more details on the issue. For example as i mentioned "Steps" in the Authentication/Authorization reports. The step details you have shared are not useful here.

For specific authorization failure, please click on "Details" icon which will open new window. In the new page, please go to end and there are steps mentioned. please take the screenshot and attach here.

Thanks

Radhakrishna

Hi;

fuhrersk8 — Tue, 16 Feb 2016 13:43:45 GMT

Hi;

Attached more information.

Thanks for your support.

Regards,

Hi fuhresk8,

Priya Gurumoorthy — Wed, 17 Feb 2016 06:39:38 GMT

Hi fuhresk8,

Could you please configure "AD1:memberOf" instead of "AD1:ExternalGroups" to check whether the authorization is working fine.

We suspect that this is the permission issue to fetch the "TokenGroups" attribute.

Please let us know the results after configuring "AD1:memberOf" attribute.

Thanks,

Priya.

Hi Priya and thanks for your

fuhrersk8 — Wed, 17 Feb 2016 18:48:37 GMT

Hi Priya and thanks for your support;

Did as you mentioned, but same result.

Thanks again.

Regards,

Hi,

H-J B — Thu, 21 Apr 2016 08:15:17 GMT

Hi,

I've the same problem. On 5.7 there was no problem, see screendump. You see the external groups

On the 5.8, same config & access policies, there is no AD group matching.

As you see, there are (the same) directory groups, with Group SID. I've checked the SIDs and are correct.

Anybody a hint?

Hi,

radmedur — Thu, 21 Apr 2016 09:17:54 GMT

Hi,

Can any one of you please raise SR, so that DE team can analyze logs and confirm the issue.

please attach the support bundle here.

Thanks

Radhakrishna

Hi;

fuhrersk8 — Thu, 21 Apr 2016 13:24:07 GMT

Hi;

Below solution as explained by Cisco TAC:

"As you can see the Ability to read tokenGroups attributes was added. From the logs we can see the following error:

Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS)

Therefore we need to request the Active Directory administrator to update the permissions for the ACS computer account in Active Directory.

The command to update the permissions is “dsacls [distinguished name of domain] /I:T /G "User or Group":rp;tokenGroups” ""

Attached are the meaning of the AD commands.

Hope this helps.

Regards,

Hi,

H-J B — Fri, 22 Apr 2016 13:13:51 GMT

Hi,

We have set the permissions on the AD but no changes. But thx for the response
Our smartnet is not active jet, so I can't create a SR at this moment.

I've reinstall the 5.7 and wait for the smartnet 😞

Hi;

fuhrersk8 — Fri, 22 Apr 2016 14:17:43 GMT

Hi;

In my case, the AD administrator actually didn't execute the command as stated by Cisco TAC; what they did instead was to add the ACS object in an AD Object group with Pre-Windows 2000 type of access and then the ACS was able to read the tokenGroupos as required.

Regards,

SR638838907

H-J B — Fri, 22 Apr 2016 18:36:10 GMT

SR638838907

Thanks we will work on this.

radmedur — Sat, 23 Apr 2016 16:20:36 GMT

Thanks we will work on this.

Hi all,

H-J B — Tue, 26 Apr 2016 08:47:42 GMT

Hi all,

thx for the response.

It is a bug. CSCuy12884