topic Hi, According to the ACS 5.2 in Network Access Control

Active Directory operation has failed because of an unspecified error in the ACS (after migration to Server 2012 R2 Domain Controllers)

NPT_2 — Mon, 11 Mar 2019 04:51:17 GMT

Hello,

We are experiencing an inability to authenticate our wireless client devices via Cisco ACS connected to Active Directory. We are getting the following errors in ACS:

24444 Active Directory operation has failed because of an unspecified error in the ACS

and

11051 RADIUS packet contains invalid state attribute

This seems to have started after we migrated from Windows Server 2008 R2 Domain Controllers to Windows Server 2012 R2 Domain Controllers.

Is there some sort of compatibility issue that we might be running into?

We are running ACS Version:5.2.0.26.11

What do you think? Our VPN Connections using this same ACS device and Domain Controllers seem to work just fine, but no one can authenticate to our wireless network.

Under the active directory Identity store, Active Directory shows connected to the domain and a test result shows the connection test passed.

Jim

11051 RADIUS packet contains

mohanak — Fri, 04 Jul 2014 09:23:36 GMT

11051 RADIUS packet contains invalid state attribute :

System Created AD attributes should be protected

CSCuf26657

Description

Symptom:

User create attributes have the potential to overwrite system created ones changing the data type from boolean to string, causing authentication attempts to AD to fail. With the error messages below.
Authentication failed : 11051 RADIUS packet contains invalid state attribute
RADIUS Request dropped : 12315 PEAP inner method finished with failure

Conditions:

A user created attribute can overwrite a system created attribute, if a system created attribute exists with the same name. The user created attribute 'IdentityAccessRestricted' overwrote the system created one changing the data type from Boolean to string, causing authentication attempts to AD to fail.

IdentityAccessRestricted is a system created attribute that is created when an ISE node joins AD. If a duplicate attribute is created under Administration>External Identity Sources>Active Directory>Attributes, It will overwrite the data type changing the value from boolean to string.

Workaround:
1. Leave AD
2. Delete the AD connection
3. Rejoin AD

or

Restore from a backup.

24444 Active Directory operation has failed because of an unspecified error in the ACS :

ACS 5.x random 24429 and 24444 AD failures

CSCuh59288

Description

Symptom:
We are seeing some authentications fail with either of the following errors:
24429 Could not establish connection with Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ACS

The failures are totally random.

24444 errors usually occurred for users that typed the wrong password or for usernames that did not exist in AD

Conditions:
ACS 5.3 patch 6

ACS is incorrectly interpreting the response it receives from AD. Rather than reading the response as a failure of the authentication attempt, the ACS is reading the response as a failure of the AD process/failure of connectivity to AD

Workaround:
N/A

The problem is these 2

NPT_2 — Mon, 07 Jul 2014 02:59:22 GMT

The problem is these 2 messages just started popping up when we changed from AD Win2008R2 DC's to Win2012R2 DC's. This appears to be preventing all wireless connections from our wireless clients on all AP's across our network. On the plus side it is not affecting our VPN connectivity that uses the same ACS server for authentication. That being said:

1. I'm going to try disjoining ACS from AD and then rejoining it to see if it fixes the problem.

2. However, I'm thinking that version 5.2 of ACS has some sort of compatibility issue with Windows Server 2012 R2 and I will have to upgrade to a newer version.

Can anyone confirm #2? If so, what version do I need to upgrade ACS to in order to get around this issue if this is the root cause?

I'm thinking I'm likely going to have to open a TAC case in the morning if no can confirm these theories.

Jim

Disjoining and rejoining ACS

NPT_2 — Mon, 07 Jul 2014 22:06:26 GMT

Disjoining and rejoining ACS from AD unfortunately did nothing to fix the problem.

I then decided to upgrade to version 5.4. This upgrade was incredibly slow and after it completed I still was unable to authenticate to the wireless network.

I took one last chance and upgraded to the latest 5.5.0.46 ACS Software. Miraculously this fixed the problem and the authentication errors went away and clients are now able to connect to and authenticate to the wireless network without issue.

Jim

Hi, According to the ACS 5.2

kushsriva — Thu, 10 Jul 2014 10:32:05 GMT

Hi,

According to the ACS 5.2 user guide, ACS 5.2 does not support windows 2012R2 servers. Here are the list of supported OS:

ACS supports these AD domains:

•Windows Server 2003

•Windows Server 2003 R2

•Windows Server 2008

•Windows Server 2008 R2

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/users_id_stores.html#wp1248491

However ACS 5.5 with the latest patch does support the windows 2012R2 :

ACS supports these AD domains:

Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2 is supported after installing ACS 5.5 patch 1.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/users_id_stores.html#pgfId-1321235

So you would need to upgrade the ACS to the latest version of ACS 5.5 in order for the AD integration to work.

To check the supported upgrade path, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#pgfId-284251

Regards,

Kush

Thanks for the response. I

NPT_2 — Thu, 10 Jul 2014 16:05:12 GMT

Thanks for the response. I ended up upgrading to the latest 5.5 version which fixed the problem and everything is working great. I just wish I would have had your message earlier as I upgraded in the hopes (but not knowing for sure the new version would fix my issue.

Jim