jose cortes
Beginner

ACS 5.2 Sync with Windows 2008 AD but cannot see the Groups

Hi Pals,

Recently I've been working with the ACS 5.2 (installed on VMware). At the beginning I was using a Win Server 2003 Enterprise Edition AD, and there was no problem with the AD and the CA authority. Because some of my customers use Win Server 2008, I changed the AD platform to Win Server 2008 Enterprise Edition (x64).

I don't really have great experience with Win Server platforms and, from what I've seen, the Win Server 2003 services deployment is easier than the Win Server 2008 one.

So, when I used Win Server 2003 I could not only synchronize the ACS with the AD but also use some groups created in the AD to perform the network access authentication. When I try to do the same with the Win Server 2008 AD, the ACS and the server get synchronized, but when I want to add the groups for authentication purposes there are none, absolutely nothing... so I cannot do any test.

Also, I looked for information about the compatibility between ACS 5.2 and the Win Server 2008 platforms and, in the end, the platforms are compatible.

Any idea??

Any Idea??

Thanks in Advance.

Jose M Cortes H


13 Replies
Federico Ziliotto
Cisco Employee

Hi Jose,

This should generally work.

From what I could read, you cannot list AD groups when trying to select them under an authentication/authorization rule.

What about when trying to list them under the AD configuration?

Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...

Unfortunately, without more details on a specific error message, it would be hard to tell where the root cause could lie.

We could collect some initial logs from ACS 5.2, in order to start isolating the issue:

1. Log in to the ACS command line and enable the following debugs:

admin# acs-config

Escape character is CNTL/D.

Username:

Password:

acsadmin(config-acs)# debug-adclient enable

acsadmin(config-acs)# debug-log mgmt level debug

acsadmin(config-acs)# debug-log runtime level debug

2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under

Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...

3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure of collecting the support bundle while checking the following options:

Include full configuration database = Unchecked

Include debug logs = All

Include local logs = All

Include core files = All

Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Federico,

Thanks for taking care of my question, but I already solved it. Maybe I did not explain myself well. The problem was that I could not see the group list on the ACS (Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups); when I used that path to find the groups created on the Win Server AD, the list was empty.

I did some tests on the ACS config synchronizing it with a Win Server 2003 and it worked perfectly, so the problem should be in the Win Server 2008 configuration, and actually it was. In the Win Server 2008 AD role, there is an option named Microsoft Identity Management for UNIX (in Win Server 2003 it seems to be enabled by default on the AD installation) and "voila", problem solved, the AD database is published to the ACS.

Anyway, thanks for the debugging tips, I did not know about that.

Regards

Jose.

Hi Jose,

Thank you for letting me know, glad that your issue is fixed now.

Feel free to ping us back in case you'd need any further assistance with ACS in the future.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

I have the problem again. The components used are:

A. Cisco ACS 5.2 virtualized on VMware and with the demo license (valid for 90 days).

B. Windows Server 2008 Enterprise Edition (x64)

     This server runs: DNS, AD, CA.

     NTP service (Meinberg NTP software); this machine is used by the devices as NTP server to sync.

I did the following:

1. I created 12 users and assigned them to 3 groups in Win AD (Employees, Engineers, Outsourcing).

2. I registered the ACS 5.2 IP in the DNS.

3. Under "Users and Identity Stores > External Identity Stores > Active Directory > General" I tested the domain connection using a username and password with privileges, and the "test connection" was successful. Then I saved changes, the joined domain was correct and the connectivity status appeared as CONNECTED.

4. Then I go to "Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups" and when I click on Select the pop-up window shows this information:

     Search Base DN DC=sona,DC=lab (which is correct), but it does not show any group from the AD database.

I've looked for these kinds of issues on the web, but the information about applications using ACS 5.X and Win Server 2008 is almost nonexistent.

Thank you for pinging back on this one Jose.

At this stage I'd guess that the fastest way to isolate the issue would be through some logs on ACS:

1. Log in to the ACS command line and enable the following debugs:

admin# acs-config

Escape character is CNTL/D.

Username:

Password:

acsadmin(config-acs)# debug-adclient enable

acsadmin(config-acs)# debug-log mgmt level debug

acsadmin(config-acs)# debug-log runtime level debug

2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under

Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...

3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure of collecting the support bundle while checking the following options:

Encrypt Support Bundle = Unchecked

Include full configuration database = Unchecked

Include debug logs = All

Include local logs = All

Include core files = All

Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Jose, how are you going with this, any progress? I'm in the middle of troubleshooting ACS 5.2 (v5.2.0.26.3) with Win 2008 R2 AD, and I'm getting a lot of strange results - groups missing, status "disconnected" etc.

Soon I will post the full details of the problem but I'd be interested to hear if you ever resolved the issues above.

Thanks

Rob

Hi Rob,

Actually, I stopped working on this issue with Win Server 2008; I started working with Win Server 2003 again. I had no time to do the debugs that Federico requested to validate the ACS behaviour.

Once again, I only had problems with the Active Directory: the connection works, the synchronization seems to work, but when I look for the groups or the users the ACS does not show anything.

Could you please update this post in case you find a solution??

Thanks and Regards,

Jose.

Hi Fede,

We are having the very same issue as listed above (and the same configuration), unfortunately we may not be in a position to use a 2003 server in our Windows 2008 infrastructure due to recent policy changes.

Do you know whether this is a common issue with Windows 2008 R2?

First thing to check is your ACS hostnames. Are they longer than 15 characters? This is what caused all the trouble for us; after a rebuild to shorter, 15-chars-or-less ACS hostnames, everything worked fine.

Of course, make sure that DNS is set up correctly and NTP is in sync too.

I'd also suggest NOT using 5.2.0.44.3; we're running reliably on 5.2.0.44.2 and I wouldn't patch it beyond this unless really forced to.

Best of luck,

Rob

Hi Rob,

Yeah we ensured that NTP was in sync and DNS appeared to be setup correctly, ACS name was 14 characters....

However, we are running version 5.2.0.26; I can't see any other version apart from this for the ACS appliance?

Hi Stephen,

Patch bundles, suggest you download patch bundle 2. Also, sorry, I did mean 5.2.0.26.2 (not 5.2.0.44.2).

You need to d/l 5-2-0-26-2.tar.gpg and patch appropriately.

Did a computer account for the ACS turn up in AD when you joined the domain?

Do you have nested groups or groups with odd characters in AD?  ACS hates nested groups (e.g. global groups inside global groups or whatever) and I also saw it have a tantrum when we tried to enumerate a group with a hash in the name.

Can you ping the domain name (e.g. ping myactivedirectorydomain.org) from the cli?

Nslookup all the DCs?

Further to that, from the cli run a "tech dumptcp" and have a look at what is really going on.

Good luck,

Cheers

Rob
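Rob's two replies above boil down to a pre-join checklist: ACS hostname within the 15-character NetBIOS limit, no odd characters (such as a hash) in AD group names, and the domain plus every DC resolvable in DNS. The script below, added here as an illustration rather than code from the thread or from Cisco, encodes those checks; it assumes a Linux admin box with nslookup/ping, a domain name passed on the command line, and constructed sample hostnames in the comments.

```shell
#!/bin/sh
# Pre-join sanity checks for an ACS 5.x <-> AD integration, based on the
# points raised in this thread. Constructed example invocation:
#   ./acs_precheck.sh sona.lab acs-lab-01

# NetBIOS computer names are limited to 15 characters; return 0 if OK.
check_hostname_len() {
    host="$1"
    [ "${#host}" -le 15 ]
}

# Flag AD group names containing characters seen to break enumeration
# (the thread reports a '#' in a group name); also treat '/', '\' and
# '"' as suspicious. Returns 0 when the name is clean, 1 otherwise.
check_group_name() {
    case "$1" in
        *'#'*|*'/'*|*'\'*|*'"'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Resolve the DCs of a domain from its _ldap._tcp SRV record (needs
# network; output format assumed to be that of BIND nslookup on Linux).
list_domain_controllers() {
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null \
        | awk '/service =/ {print $NF}' | sed 's/\.$//'
}

# Network checks run only when a domain is given, so the functions above
# can be sourced or tested without network access.
if [ "$#" -ge 1 ]; then
    domain="$1"
    acs_host="${2:-$(hostname)}"
    if check_hostname_len "$acs_host"; then
        echo "OK   hostname '$acs_host' fits the 15-char NetBIOS limit"
    else
        echo "FAIL hostname '$acs_host' exceeds 15 chars; shorten before joining"
    fi
    if ping -c 1 "$domain" >/dev/null 2>&1; then
        echo "OK   $domain resolves and answers ping"
    else
        echo "FAIL $domain does not resolve or answer ping"
    fi
    for dc in $(list_domain_controllers "$domain"); do
        if nslookup "$dc" >/dev/null 2>&1; then
            echo "OK   DC $dc resolves"
        else
            echo "FAIL DC $dc does not resolve"
        fi
    done
fi
```

Group names can be checked in the same shell by feeding them one per line to check_group_name, for instance from an export of the AD groups you intend to map in ACS.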

Hi Rob,

Got it working in the end, it was related to the patch, however applying the patch did not seem to fix it. I changed the NETBIOS name of the AD server and I think this may have upset ACS. Reinstalled the ACS server and it works like a treat.

Really appreciate all your help in this matter.

Cheers

Steve

lakmalcool88
Beginner

I have exactly the same problem with Windows 2008 R2 AD and I generated an ACS Support Bundle. But I couldn't figure out the problem. I did most of the above things and am still stuck with that.

Need your help guys....
