10-14-2010 12:23 PM - edited 03-10-2019 05:29 PM
Hi all,
I am working with ACS 5.2 and using RADIUS authentication for the VPN client.
The authentication method used is Active Directory in a Windows environment with multiple domains in the same forest.
My problem occurs when I change a user from one group to another in Active Directory. After that I receive the following message when trying to connect:
15039 Selected Authorization Profile is DenyAccess
The message appears because the request matches the default policy.
Another user in the same AD group works fine.
All domains in the forest have trust relationships with each other.
I am using universal groups to include users from all domains belonging to this forest.
Can anyone help me?
Regards
10-14-2010 03:34 PM
Is your authentication rule matching against a single AD group?
You can check which groups were retrieved for the user as follows:
- Go to "Monitoring and Troubleshooting"
- Select Authentications - RADIUS - Today
- Find the entry that did not match and click on the details icon
- Expand the "Authentication Details" section. Look under "Other Attributes"; the groups retrieved from AD for the user will be listed there
10-15-2010 06:57 AM
Hi Jrabinow,
This is a problem.
I checked which groups the user belongs to and I didn't find the group that matches the policy. But it's a problem, because I checked in Active Directory which groups the user belongs to and there are 2 groups that ACS does not find.
Properties of this user were changed in Active Directory some days ago and do not appear in ACS.
Is it possible ACS keeps a cache of these attributes and doesn't check AD to update these settings?
I have another ACS v4.1 here and the same problem occurs.
Thanks,
Best Regards,
Evandro
10-19-2010 08:36 AM
Hi Jrabinow,
After you helped me with these instructions, I could see the Global Catalog server was not updated in the ACS log. Then I changed the DNS server address in the ACS server.
After changing the DNS server, ACS started to check another Global Catalog server in the AD forest.
So far the problem is resolved. I believe this problem was in AD, not in the ACS server.
Best Regards,
Evandro
09-03-2012 02:20 AM
Dear all,
Hope you can help me with a similar issue I am facing on migration from Cisco ACS 4.1.24 to Cisco ACS 5.3.0.40 and testing RADIUS authentication for VPN client users.
The authentication method used is external Active Directory, and for some users authenticating to the external AD via ACS, the following message is obtained:
"15039 Selected Authorization Profile is DenyAccess", which results in an auth failure.
Other users in the same AD group seem to work fine and there are no changes performed on the AD for any of the concerned users.
Looking at the detail report for the user confirms that no attributes are returned to RADIUS (under the Other Attributes field) from the external server. RADIUS also returns the following messages:
"24412 User not found in Active Directory"
"22056 Subject not found in the applicable identity store(s)"
Within the ACS identity sequence in the ID store, the sequence is set to match on AD first and then Internal Users. The identity for the default network profile (for RADIUS users) is configured to the general sequence. The same user(s) seem to work fine when switched to ACS 4.
We are also looking at a possible NTP sync issue between the ACS and AD, any NTLM/Kerberos auth issues, or any issues related to applying the latest ACS patch to the box. Please let me know if there are any AD-related configs to be modified.
Any help will be appreciated.
Thanks and Regards.
11-02-2016 11:38 AM
We had an issue where ACS was doing the Active Directory authentication lookup against the Global Catalog server. We were seeing "user not found in Active Directory". The issue was that the user had the same account login in two different domains. The Windows administrator removed one of the accounts and authentication started working immediately after replication.
24412 User not found in Active Directory
Thanks,
Alex
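Two root causes come up in this thread: ACS binding to a Global Catalog that DNS handed it and that was behind on replication (Evandro's fix), and a login that exists in more than one domain of the forest (Alex's reply). The following PowerShell script is an added example, not code from the thread or from Cisco; it reproduces the same two checks from an admin workstation, assuming the ActiveDirectory and DnsClient modules are available, and `$Forest` and `$Login` are placeholders to replace.

```powershell
# Added example (not from the thread). Placeholders: $Forest, $Login.
param(
    [string]$Forest = 'example.com',  # forest root DNS name (placeholder)
    [string]$Login  = 'jdoe'          # sAMAccountName the VPN user types (placeholder)
)
Import-Module ActiveDirectory

# 1. Which Global Catalog servers does DNS advertise for this forest?
#    ACS locates its GC through the same SRV records, so a stale or wrong
#    DNS server on ACS means it may bind to a GC that is behind on replication.
$srv = Resolve-DnsName -Name "_gc._tcp.$Forest" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$gcHosts = $srv | Select-Object -ExpandProperty NameTarget -Unique
"GC servers advertised by DNS: $($gcHosts -join ', ')"

# 2. Ask every GC (LDAP port 3268) for the login. A GC search spans the whole
#    forest, so one hit per domain that holds that sAMAccountName is returned.
foreach ($gc in $gcHosts) {
    $hits = @(Get-ADUser -Server "${gc}:3268" `
                         -Filter "SamAccountName -eq '$Login'" `
                         -Properties memberOf, whenChanged)
    "--- $gc : $($hits.Count) match(es)"
    foreach ($u in $hits) {
        "  $($u.DistinguishedName)  (last changed $($u.whenChanged))"
        # The GC only replicates membership of universal groups, which is why
        # the thread's author placed VPN users in universal groups. A GC whose
        # whenChanged lags the others is the stale replica Evandro hit.
        $u.memberOf | ForEach-Object { "     memberOf: $_" }
    }
    if ($hits.Count -gt 1) {
        # Same login in two domains: the condition behind Alex's '24412 User not found'.
        "  WARNING: '$Login' exists in $($hits.Count) domains; expect 24412 from ACS"
    }
}
```

Compare the memberOf lists and whenChanged timestamps across the GCs; a GC that shows the old group set is the one ACS must be steered away from (or allowed to finish replicating) before the authorization rule can match.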