Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
0
Helpful
1
Replies

ACS 3.3 Windows group mapping problem

lanwancig
Level 1
Level 1

‎08-31-2007 02:16 AM - edited ‎03-10-2019 03:21 PM

Hi,

I?m running Cisco Secure ACS v.3.3 at Win 2000 server(sp4). ACS server is member of AD domain X. Additional there are two AD forests, so: domains X and Y are in the same forest, but domain Z is member of the second one. Trust relationships between all domains are established (AD Domain Controllers are w2k3 srv). I need to add Windows AD group mapping and that's no problem in domains X & Y. But when I'm trying to map some groups from Z domain, the "Failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information." error appears. In ACS documentation I have found information "ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticated domain trusts that is for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication." As I understand it's impossible to add mapping from the second forest? Am I right? If problem is solved in newer versions of ACS (4.0, 4.1)? Are there any fixes that can help?

Thanks,

Peter

Labels:
0 Helpful
1 Reply 1

Jagdeep Gambhir
Level 10
Level 10

‎08-31-2007 06:56 AM

You need to set up proxy.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

Look for "Cross-Forest Authentication" in above link. And you get the Idea of what I mean. Though in above link its depicted with IAS server, but same is possible with ACS, as both can act as Radius server.

There is a known bug, CSCsi04187

PEAP MS-CHAP machine authentication will fail with machine not found if host/ format is sent from client. This only happens if the machine is autenticating to a domain forest that the ACS is not a member of.

Conditions:

The Machine authenticating to ACS is in a different domain forest then the ACS and the supplicant is using host/ as the machine name format. You also have to be using PEAP MS-CHAPv2.

Workaround:

If the supplicant has the option you can send the macine name in hos/ format.

Many supplicants do not have this option.

It is to be fixed for ACS 4.2 release.

Regards,

~JG

0 Helpful
Customers Also Viewed These Support Documents