topic Re: Cisco ACS 5.2 Active Directory Trust Relationship in Network Access Control

Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov — Mon, 11 Mar 2019 03:38:41 GMT

Hello Dears,

I have Cisco ACS 5.2 server and 2 DC with two different domain name. Cisco ACS is connected to DC1(xxx.xdomain.com), and working well. Between these DC(ydomain.com) have two-way Trust Relationship.

How I can authenticate DC2 users in Cisco ACS? Please help

Cisco ACS 5.2 Active Directory Trust Relationship

Jatin Katyal — Fri, 12 Jul 2013 17:28:38 GMT

You have to add a UPN suffix or NETBIOS prefix to the username when authenticating to a domain that the ACS is not joined to, including the child domains.

ACS does not support user authentication in AD when a user name is supplied with an alternative UPN suffix configured in OU level. The authentication works fine if the UPN suffix is configured in domain level.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213

~BR
Jatin Katyal

**Do rate helpful posts**

Re: Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov — Sat, 13 Jul 2013 10:53:11 GMT

Dear Jatin,

Thanks for quick reply. Can you explain it in detail?
For example: ACS is connect to xxx.domain.com and in directory we can add the groups like xxx.domain.com/groups/IT . How I should add another group which is located in other Domain?
About UPN suffix, in which domain I should add suffix and how?
Thanks beforehand

Sent from Cisco Technical Support iPad App

Re: Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov — Mon, 15 Jul 2013 07:06:43 GMT

Nobody knows hot to fix it? Everywhere everybody says that add UPN suffix or it's about UPN. But nobody can show some example.

Re: Cisco ACS 5.2 Active Directory Trust Relationship

Jatin Katyal — Mon, 15 Jul 2013 13:27:14 GMT

If ACS is connected to DC1(xxx.xdomain.com) and you are also able to select groups from trsuted domain i.e. DC2 (ydomain.com) from the ACS by going to Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups.

It should work fine for users who are in DC2 (ydomain.com) if they are connecting/authenticating with the UPN format user@ydomain.com or

Netbios user\ydomain.com.

If you have a condition created under access-policies and seleceted an AD group from the DC2 (ydomain.com) domain and it's not matching that authorization rule then it might not be coming in other attributes.

In order to achieve the best results with ACS and AD, you should have ACS 5.3 patch 4 or above.

There are few defects where ACS fails to fetch user information from the trusted domain and that has been fixed in ACS 5.3 patch 3.

~BR
Jatin Katyal

**Do rate helpful posts**

Re: Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov — Tue, 16 Jul 2013 06:06:10 GMT

Thanks again Jatin.

I tried authentication with UPN and Netbios but unseccessfully. I'm using 5.2 ACS if I will upgrade it to 5.3 with patch 4 or above, is't will work normally with trusted domain?

Re:Cisco ACS 5.2 Active Directory Trust Relationship

Jatin Katyal — Tue, 16 Jul 2013 11:34:17 GMT

We've not seen the adagent logs yet so can't say what exactly the problem is. In most of the cases, I have seen issue with 2 way external trust. Also, upgrading to acs 5.3 latest patch would be worth.

Sent from Cisco Technical Support Android App

Re:Cisco ACS 5.2 Active Directory Trust Relationship

Jatin Katyal — Tue, 16 Jul 2013 13:56:15 GMT

What is the domain functional level across the domains?

~BR
Jatin Katyal

**Do rate helpful posts**

Re:Cisco ACS 5.2 Active Directory Trust Relationship

Jatin Katyal — Tue, 16 Jul 2013 14:07:25 GMT

It is possible there is some ports blocked to the trusted domains. A packet capture would be very helpful to see what was being blocked to trusted domains.

Is your active directory configured with trusted domain as an alternate UPN under Active directory Domains and Trust. We could give a try if all ports are open and we are running atleast win2003 functional level.

~BR
Jatin Katyal

**Do rate helpful posts**

Cisco ACS 5.2 Active Directory Trust Relationship

Jatin Katyal — Wed, 17 Jul 2013 02:27:18 GMT

Hi Mikayil Qasimov

Did you get a chance to check the above suggested pointers?

~BR
Jatin Katyal

**Do rate helpful posts**

Cisco ACS 5.2 Active Directory Trust Relationship

Tarik Admani — Wed, 17 Jul 2013 05:45:38 GMT

Hi,

Are you domains in the same forest or are they in separate forests? See this guide for kerberos authentication in a multi-forest scenario. You may need further research in your trust type since two-way trusts may not allow kerberos (that is what ACS uses to authenticate against the domains).

http://technet.microsoft.com/en-us/library/cc772808%28v=ws.10%29.aspx

http://setspn.blogspot.com/2009/09/ad-external-trusts-and-kerberos.html

thanks,

Tarik Admani
*Please rate helpful posts*

Re: Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov — Wed, 17 Jul 2013 06:03:11 GMT

Hi Jatin,

First of all, I installed acs 5.3 with package 5.3.0.40.

2 AD are Windows server 2008. Between them before it was forest trusted but didn't work after I changed it to external trust the same result, now it's External Trust. I check trust for me it works,in AD2 I gave administrator privilage for user which is located in AD1, after this I can connect with RDP to AD2 with that user. Added UPN under active directories. I can send images to your email if you will send me your email address with private messages.

Re: Cisco ACS 5.2 Active Directory Trust Relationship

Mikayil Qasimov — Thu, 18 Jul 2013 09:26:25 GMT

Hi again Dears,

I installed ACS 5.3 with patch 4.7. Now I can authenticate users whch is located in Domain B. But only Netbios domainb\user, I can't authenticate with UPN suffix user@domainb.com. Trust is a forest and two-way authentication. Do you know what is the reason?

Cisco ACS 5.2 Active Directory Trust Relationship

Tarik Admani — Fri, 19 Jul 2013 06:12:49 GMT

Mikayil,

Were you able to find my post useful, I dont think the trust type you have supports kerberos authentication.

See if this article is of any use -

http://technet.microsoft.com/en-us/library/cc784334%28v=ws.10%29.aspx

Thanks

Tarik Admani
*Please rate helpful posts*