01-03-2011 09:09 PM - edited 03-10-2019 05:41 PM
Hi Pals,
Recently I've been working with the ACS 5.2 (Installed on VMWare). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008 I changed the AD platform to Win Server 2008 Enterprise edition (x64).
I don't really have a great experience with Win Server Platforms and, for what I've seen, the Win Server 2003 Services deployment is easier than the Win Server 2008 is.
So, when I used the Win server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD the ACS and the Server get Synchronized but when I want to add the groups for the Authentication purposes there is no one, absolutely nothing... so I cannot do any test.
Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and, in the end, the platforms are compatible.
Any Idea??
Thanks in Advance.
Jose M Cortes H
01-05-2011 01:38 AM
Hi Jose,
This should generally work.
From what I could read, you cannot list AD groups when trying to select them under an authentication/authorization rule.
What about when trying to list them under the AD configuration?
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
Unfortunately, without more details on a specific error message, it would be hard to tell where the root cause could lie.
We could collect some initial logs from ACS 5.2, in order to start isolating the issue:
1. Log in to the ACS command line and enable the following debugs:
admin# acs-config
Escape character is CNTL/D.
Username:
acsadmin(config-acs)# debug-adclient enable
acsadmin(config-acs)# debug-log mgmt level debug
acsadmin(config-acs)# debug-log runtime level debug
2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under
Troubleshooting > ACS Support Bundle
Please be sure of collecting the support bundle while checking the following options:
Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day
Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-05-2011 08:58 AM
Hi Federico,
Thanks for taking care of my question, but I already solved it. Maybe I did not explain myself well. The problem was that I could not see the Group List on the ACS (Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups); when I used that path to find the groups created on the Win Server AD, the list was empty.
I did some tests on the ACS config synchronizing it with a Win Server 2003 and it worked perfectly, so the problem should be on the Win Server 2008 configuration, and actually it was. On the Win Server 2008 AD role, there is an option named Microsoft Identity Management for UNIX (in Win Server 2003 it seems to be enabled by default on the AD installation) and "voila", problem solved, the AD database is published to the ACS.
Anyway, thanks for the debugging tips; I did not know about that.
Regards
Jose.
01-05-2011 09:01 AM
Hi Jose,
Thank you for letting me know, glad that your issue is fixed now.
Feel free to ping us back in case you'd need any further assistance with ACS in the future.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-07-2011 10:27 AM
I have the problem again. The components used are:
A. Cisco ACS 5.2 Virtualized on VMWare and with the Demo License (valid for 90 days).
B. Windows Server 2008 Enterprise Edition (x64)
This server runs: DNS, AD, CA.
NTP service (Meinberg NTP software) this machine is used by the devices as NTP server to sync.
I did the next:
1. I Created 12 users and Assigned to 3 groups on Win AD (Employees, Engineers, Outsourcing)
2. I registered the ACS 5.2 IP on the DNS.
3. Under "Users and Identity Stores > External Identity Stores > Active Directory > General" I've tested the domain connection using a Username and Password with privileges and the "test connection" was successful. Then I Saved Changes and the Joined Domain was correct and the Connectivity Status appeared as CONNECTED.
4. Then I go to "Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups" and when I click on Select the pop-up window shows this information:
Search Base DN DC=sona,DC=lab (which is Correct), but does not show any group from the AD database.
I've looked for these kinds of issues on the web, but the information about applications using ACS 5.X and Win Server 2008 is almost nonexistent.
01-10-2011 12:43 AM
Thank you for pinging back on this one Jose.
At this stage I'd guess that the fastest way to isolate the issue would be through some logs on ACS:
1. Log in to the ACS command line and enable the following debugs:
admin# acs-config
Escape character is CNTL/D.
Username:
Password:
acsadmin(config-acs)# debug-adclient enable
acsadmin(config-acs)# debug-log mgmt level debug
acsadmin(config-acs)# debug-log runtime level debug
2. Recreate the issue a couple of times by trying to list the AD groups in the authentication rule and even by trying to list them under
Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > select...
3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under
Troubleshooting > ACS Support Bundle
Please be sure of collecting the support bundle while checking the following options:
Encrypt Support Bundle = Unchecked
Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day
Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
03-22-2011 10:29 PM
Jose, how are you going with this, any progress? I'm in the middle of troubleshooting ACS 5.2 (v5.2.0.26.3) with Win 2008 R2 AD, and I'm getting a lot of strange results - groups missing, status "disconnected" etc.
Soon I will post the full details of the problem but I'd be interested to hear if you ever resolved the issues above.
Thanks
Rob
03-23-2011 02:15 PM
Hi Rob,
Actually I stopped working on this issue with Win Server 2008; I started working with Win Server 2003 again. I had no time to do the debugs that Federico requested to validate the ACS behaviour.
Once Again, I only had problems with the Active Directory, the connection works the synchronization seems to work but when I look for the groups or the users the ACS does not show anything.
Could you please update this post in case you find a solution??
Thanks and Regards,
Jose.
07-12-2011 06:01 PM
Hi Fede,
We are having the very same issue as listed above (and the same configuration), unfortunately we may not be in a position to use a 2003 server in our Windows 2008 infrastructure due to recent policy changes.
Do you know whether this is a common issue with Windows 2008 R2?
07-12-2011 06:40 PM
First thing to check is your ACS hostnames. Are they longer than 15 characters? This is what caused all the trouble for us, after a rebuild to shorter 15 chars-or-less ACS hostnames, everything worked fine.
Of course, make sure that DNS is set up correctly and NTP is in sync too.
I'd also suggest NOT using 5.2.0.44.3; we're running reliably on 5.2.0.44.2 and I wouldn't patch it beyond this unless really forced to.
Best of luck,
Rob
07-12-2011 06:55 PM
Hi Rob,
Yeah, we ensured that NTP was in sync and DNS appeared to be set up correctly; the ACS name was 14 characters....
However, we are running version 5.2.0.26. I can't see any other version apart from this for the ACS appliance?
07-12-2011 09:15 PM
Hi Stephen,
Patch bundles, suggest you download patch bundle 2. Also, sorry, I did mean 5.2.0.26.2 (not 5.2.0.44.2).
You need to d/l 5-2-0-26-2.tar.gpg and patch appropriately.
Did a computer account for the ACS turn up in AD when you joined the domain?
Do you have nested groups or groups with odd characters in AD? ACS hates nested groups (e.g. global groups inside global groups or whatever) and I also saw it have a tantrum when we tried to enumerate a group with a hash in the name.
Can you ping the domain name (e.g. ping myactivedirectorydomain.org) from the cli?
Nslookup all the DC's?
Further to that, from the cli run a "tech dumptcp" and have a look at what is really going on.
Good luck,
Cheers
Rob
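Rob's checklist above (hostname no longer than 15 characters, no nested groups, no odd characters such as "#" in group names, DNS resolution of the domain and its DCs) can be turned into a small pre-flight script run against a snapshot of the AD data before joining ACS. The following is an added example, not code from Cisco, Microsoft or any participant in this thread; the group snapshot and hostnames are constructed, the "safe" character sets are assumptions chosen to be conservative, and nothing here talks to a live directory.

```python
"""Pre-flight checks for the AD/ACS conditions raised in this thread.

Added example (constructed), not ACS or Microsoft code. It flags:
  * an ACS hostname longer than the 15-character NetBIOS limit,
  * group names with characters outside a conservative safe set (e.g. '#'),
  * nested groups (a group listed as a member of another group),
and builds the SRV record name that an 'nslookup' of the domain's DCs
would query. The directory snapshot is a constructed dict, not an LDAP query.
"""
import re

NETBIOS_MAX_LEN = 15
# Assumption: letters, digits and hyphen are the only characters we accept
# in a NetBIOS-style host name.
SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9-]+$")
# Assumption: conservative group-name pattern; '#' and similar punctuation fail it.
SAFE_GROUP_NAME = re.compile(r"^[A-Za-z0-9 _.-]+$")


def check_hostname(hostname):
    """Return a list of findings for the ACS hostname (empty list == OK)."""
    findings = []
    if len(hostname) > NETBIOS_MAX_LEN:
        findings.append(
            f"hostname '{hostname}' is {len(hostname)} chars, "
            f"exceeds the NetBIOS limit of {NETBIOS_MAX_LEN}"
        )
    if not SAFE_HOSTNAME.match(hostname):
        findings.append(f"hostname '{hostname}' has characters outside [A-Za-z0-9-]")
    return findings


def check_groups(groups):
    """groups: dict mapping group name -> list of member names (users or groups).

    A member whose name is itself a key of 'groups' is treated as a nested group.
    """
    findings = []
    group_names = set(groups)
    for name, members in groups.items():
        if not SAFE_GROUP_NAME.match(name):
            findings.append(f"group '{name}' has unusual characters in its name")
        nested = [m for m in members if m in group_names]
        if nested:
            findings.append(f"group '{name}' contains nested group(s): {', '.join(nested)}")
    return findings


def dc_srv_name(domain):
    """SRV record name under which AD publishes its domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain.strip('.').lower()}"


def preflight(hostname, groups):
    """Combined report: list of human-readable findings, empty when all checks pass."""
    return check_hostname(hostname) + check_groups(groups)


# Constructed snapshot mirroring the thread's three groups plus two
# deliberately problematic entries (a nested group and a '#' in a name).
SAMPLE_GROUPS = {
    "Employees": ["alice", "bob"],
    "Engineers": ["carol", "Outsourcing"],   # nested: Outsourcing is a group
    "Outsourcing": ["dave"],
    "Net#Admins": ["erin"],                  # odd character in the name
}

if __name__ == "__main__":
    for finding in preflight("acs-lab-server-01", SAMPLE_GROUPS):
        print("WARN:", finding)
    print("DC lookup:", dc_srv_name("sona.lab"))
```

Feed it the ACS hostname and an export of the AD groups ACS is expected to enumerate; any finding is something to fix (or rename) before re-joining the domain, and the SRV name it prints is what to resolve from the ACS CLI to confirm the DCs are reachable through DNS.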
07-13-2011 03:09 PM
Hi Rob,
Got it working in the end, it was related to the patch, however applying the patch did not seem to fix it. I changed the NETBIOS name of the AD server and I think this may have upset ACS. Reinstalled the ACS server and works like a treat.
Really appreciate all your help in this matter.
Cheers
Steve
09-05-2011 09:16 AM
I have exactly the same problem with Windows 2008 R2 AD and I generated the ACS Support Bundle. But I couldn't figure out the problem. I did most of the above things and I'm still stuck with that.
Need your help guys....