01-11-2012 12:36 PM - edited 03-10-2019 06:42 PM
Hi all,
I have a Cisco ACS server deployed for TACACS and RADIUS authentication for end users.
Everything works well, it is joined to the domain, people can auth most of the time. However it appears that ACS is trying to auth against *ANY* DC within my domain.
dns.findsrv FindSrvFromDns runs, and pulls every DC for use. Not all of these are reachable, nor do all of them have the same user structure.
Is there some way to specify or limit/control what DCs are queried?
01-11-2012 12:50 PM
Hello,
Unfortunately at this point there is no way to control which DC's should be queried by the ACS. The ACS will retrieve all the available DC's on your AD Domain and contact any of them.
An enhancement request is already filed and developers are working on it to include the feature on future releases. Here is the information:
ACS should be able to query only desired DCs
Symptom: Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change on this behavior. It should be possible to define which DCs to contact and/or make ACS interpret DNS Resource Records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions: Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
Workaround: Make sure ALL DCs are UP and reachable from the ACS.
Hope this clarifies it.
Regards.
01-11-2012 01:44 PM
Thank you for your answer. It isn't what I wanted to hear but it is clear.
Odd thing is that it also seems to follow *ANY* domain trusts, and query their DCs.
So say I have the following:
xyz.com has trusts with the following domains:
abc.com
dev.xyz.com
So ACS gets a list of DCs of xyz.com, AND a list of all DCs of all trusted Domains; and proceeds to query them all. This is wrong.
My DCs in my main Domain xyz.com respond correctly when queried:
dig any _ldap._tcp.corp.xyz.com @10.10.1.23 +short
0 100 389 site1dc01.corp.xyz.com.
0 100 389 site2dc01.corp.xyz.com.
0 100 389 site3dc02.corp.xyz.com.
0 100 389 site4dc01.corp.xyz.com.
0 100 389 site3dc01.corp.xyz.com.
0 100 389 site5dc01.corp.xyz.com.
This is the only list of DCs TACACS should use. It should not spider through Trusted Domains.
01-11-2012 02:15 PM
Hello,
I do not have a straightforward answer for TACACS+ requests querying Trusted Domains. Actually, for the ACS to contact Trusted or Child Domains to its local domain we need to use NETBIOS or UPN format for the username:
Note: You have to add a UPN suffix or NETBIOS prefix to the username when authenticating to a domain that the ACS is not joined to, including the child domains.
The above note is included on the ACS documentation:
Regards.
01-15-2012 06:41 AM
There actually IS a way to control what DC's are used by ACS, but it has nothing to do with ACS. Once the ACS machines are added to your domain, move the machines to an OU/container of your choice. Then use Active Directory Sites and Services to make the domain restrictions. We had to do this in our environment as we have over 150 DC's.
07-09-2012 04:54 AM
Hello, my name is Rishi and I have a quick question.
Can we have the same ACS appliance integrated with a diff OU in the AD (maybe with a diff IP address range) ?
If so, how?
Thanks,
Rishi