07-26-2012 12:49 PM - edited 03-10-2019 07:20 PM
Hello, I'm having this problem:
I have 2 AD domains and 2 different forests (i.e. domain1.com and domain2.com) and they were configured to trust each other (two-way trust).
In the AD environment it works great.
The problem is that in ACS, which is integrated with domain1.com, I can't see the groups of the other domain, domain2.com.
If I look for them under Directory Groups they don't appear, and if I put them in manually in Group Name (with the syntax domain2.com/Users/GroupX) and then add them with the Add^ button, I am able to add them and to use them in policies, but they don't work (I get errors and nothing is authenticated).
I'm using ACS version 5.3.0.40.5 and Windows 2003 Server Enterprise Edition.
I've read this post
https://supportforums.cisco.com/thread/2064843
but I couldn't make it work.
If someone knows how I can get this working I will really appreciate it.
Thanks in advance.
Regards.
09-03-2012 03:54 PM
AAA Protocol > RADIUS Authentication Detail
ACS session ID:
Date: September 3, 2012
Generated on September 3, 2012 2:30:12 PM EST
Authentication Summary
Logged At: September 3, 2012 10:09:41.676 AM
RADIUS Status: Authentication failed: 15039 Selected Authorization Profile is DenyAccess
NAS Failure:
Username: sipcarra
MAC/IP Address: y.y.y.y
Network Device: DRPIX:z.z.z.z
Access Service: All Radius users
Identity Store:
Authorization Profiles: DenyAccess
CTS Security Group:
Authentication Method: PAP_ASCII
Authentication Result
RadiusPacketType=AccessReject
AuthenticationResult=UnknownUser
Session Events
Sep 3, 12 10:09:41.676 AM Radius authentication failed for USER: xxxxx MAC: y.y.y.y AUTHTYPE: Radius authentication failed
Authentication Details
Logged At: September 3, 2012 10:09:41.676 AM
ACS Time: September 3, 2012 10:09:41.663 AM
ACS Instance: xxxxx01
Authentication Method: PAP_ASCII
EAP Authentication Method:
EAP Tunnel Method:
User
ACS Username: sipcarra
RADIUS Username : sipcarra
Calling Station ID: x.x.x.x
Framed IP Address:
Host Lookup:
Network Device
Network Device: DRPIX
Network Device Groups: Migrated_NDGs:All Migrated_NDGs:Loc1 / DRC all
Device Type:All Device Types
Location:All Locations
NAS IP Address: a.a.a.a
NAS Identifier:
NAS Port: 7360512
NAS Port ID:
NAS Port Type: Virtual
Access Policy
Access Service: All Radius users
Identity Store:
Authorization Profiles: DenyAccess
Exception Authorization Profiles:
Active Directory Domain: simnetad.simplot.com.au
Identity Group: All Groups:External
Access Service Selection Matched Rule: Radius Network Access
Identity Policy Matched Rule: Default
Selected Identity Stores: Internal Users, AD1
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule: Default
Authorization Policy Matched Rule: Default
Authorization Exception Policy Matched Rule:
CTS
CTS Security Group:
Other
ACS Session ID: ____
Audit Session ID:
Tunnel Details: Tunnel-Client-Endpoint=(tag=0) x.x.x.x
H323 Attributes:
SSG Attributes:
Cisco-AVPairs: ip:source-ip=x.x.x.x
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=164
Device Port=1025
RadiusPacketType=AccessRequest
Protocol=Radius
Service-Type=Framed
Framed-Protocol=PPP
Called-Station-ID=z.z.z.z
Device IP Address=z.z.z.z
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - All Radius users
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
24210 Looking up User in Internal Users IDStore - Test
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22060 The 'Continue' advanced option is configured in case of a failed authentication request.
Evaluating Group Mapping Policy
15006 Matched Default Rule
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
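As an added example (not part of the thread or of Cisco's software), a small Python analyser for the "Steps" section of the report quoted above: it pulls out the five-digit ACS step codes, records which identity stores were tried and with what result, and names the failure chain (subject not found, 'Continue' advanced option, Default authorization rule selecting DenyAccess) so a reader can tell an identity-lookup failure from an authorization-policy problem. The sample input is constructed from the step lines in the post; only the step codes visible there are interpreted.

```python
import re

# Constructed sample input: a trimmed copy of the "Steps" section of the
# ACS 5.3 RADIUS Authentication Detail report quoted in the post above.
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
15012 Selected Access Service - All Radius users
15006 Matched Default Rule
24210 Looking up User in Internal Users IDStore - Test
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s).
22060 The 'Continue' advanced option is configured in case of a failed authentication request.
Evaluating Authorization Policy
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
# (lookup step, not-found step) per identity store, as they appear in the report.
STORE_STEPS = {"Internal Users": ("24210", "24216"), "Active Directory": ("24430", "24412")}

def parse_steps(text: str) -> list:
    """Return (code, message) pairs; 'Evaluating ...' phase headers carry no code and are skipped."""
    return [(m.group(1), m.group(2).strip())
            for m in (STEP_RE.match(line.strip()) for line in text.splitlines()) if m]

def analyse(text: str) -> dict:
    steps = parse_steps(text)
    codes = {c for c, _ in steps}
    # Text after " - " names the selected object, e.g. "Selected Authorization Profile - DenyAccess".
    selected = {c: m.split(" - ", 1)[1].strip() for c, m in steps if " - " in m}
    stores = {name: "not found" if nf in codes else "looked up" if lookup in codes else "not tried"
              for name, (lookup, nf) in STORE_STEPS.items()}
    unknown_user = "22056" in codes   # subject not found in any applicable store
    fell_through = "22060" in codes   # 'Continue' advanced option on a failed lookup
    profile = selected.get("15016", "")
    if unknown_user and fell_through and profile == "DenyAccess":
        cause = ("user not found in any identity store; 'Continue' let the request reach the "
                 "Default authorization rule (DenyAccess): fix the identity lookup, not the policy")
    elif unknown_user:
        cause = "user not found in any identity store"
    else:
        cause = "identity lookup did not fail; inspect the authorization rules"
    return {"access_service": selected.get("15012"), "stores": stores, "unknown_user": unknown_user,
            "continue_on_unknown": fell_through, "profile": profile,
            "verdict": "Access-Reject" if "11003" in codes else "not a reject", "cause": cause}
```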
09-04-2012 05:35 PM
Hi,
Please follow the steps in order to troubleshoot this.
SSH into the ACS and issue the command "acs-config".
Wait 45 seconds.
Then run debug-adclient enable (this enables debug level logging for AD related communication).
Reproduce your issue and note the time stamp in the logs.
In the monitoring and reporting section there is an option for "ACS Support Bundle"; download that with only the debug-logs option enabled.
After downloading the logs you should be able to open them with WinRAR, and look in the logs directory, then in the debug logs directory. Please open the ACSADAgent.log file that contains the timeframe when this occurred; if there is a lot of traffic running it could be in the other incremental logs. You can open this log with WordPad (or Notepad++).
Take a look at the events that occurred at the timestamp noted before and see what response you are receiving from AD.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-05-2012 01:05 AM
I just published a doc that will help you with the debugging:
https://supportforums.cisco.com/docs/DOC-26787
Please rate it if you find it helpful.
thanks,
Tarik Admani
*Please rate helpful posts*
09-05-2012 01:24 AM
Hey Tarik,
Thanks very much indeed. We have updated the ACS to the latest patch 5-3-0-40-6 and are currently testing all the VPN users; at the moment we don't see any failures, and we are waiting for previously failed VPN users to connect and will update accordingly.
In the meantime, we tried to enter "acs-config" by SSH to the VM on which ACS is running, and this prompts for a username/password; when we enter the GUI credentials (for the acsadmin superadmin user), it hangs and sometimes comes up with a "Connecting" message and does nothing. The SSH was from the PuTTY terminal software; do you think using SecureCRT is a better option? We also lost access to the web GUI and had to restart the VM to bring it back up.
Thanks and Regards,
Mohan
09-11-2012 09:45 PM
Hello,
Just checking if there is any update to the "acs-config" issue.
Also, I have a scenario where several iPhones/iPads have to be authenticated via Cisco ACS 5.3 and WLC. Currently, all the iDevices are using PEAP with username/passwords, and this is required to be moved to an EAP-TLS based configuration, so that there is no need to enter username/password credentials on the iDevice and the clients will rely only on certificate based authentication.
In the current ACS setup, the identity store sequence configuration is password based, and this general sequence is mapped to the access service profiles for Default Network Access (external AD) for all users. If we create a new identity store and select the "Certificate based" option, then a new access service policy has to be defined to map all the iDevices to this ID sequence, which means creation of additional access service policies. Currently there are two service policies, one for device access and one for network access, and I am not sure, if I create a new policy, how the iDevice traffic will hit this policy. Please advise how we go about implementing this feature for iDevices with no username/password credentials, using only certificate based authentication.
Thanks very much for your help.
09-11-2012 10:17 PM
Mohan,
Sorry that I missed your message on the 5th. I do not know why the services will stop when running the acs-config command; I have never experienced the issues that you are facing. If this is on a virtual machine, can you validate the settings just to make sure there isn't anything misconfigured on the virtual machine?
Also, as far as certificate based authentication, you should be able to use one certificate authentication profile and then fall back on the password based sequence. You should not have to create another service policy; just map this identity sequence store over to the Identity configuration for the RADIUS (network access) service policy.
I have attached a configuration that should work for what you are requesting. I hope this helps!
Tarik Admani
*Please rate helpful posts*
09-11-2012 10:24 PM
Fantastic!! Thanks again; I will try this and see how it goes, and also check the VM settings for the "acs-config" debug, as this really hangs the ACS and required a restart to bring it back up. As it is now going into production, maybe I will have to test this later.
Thanks again.
Mohan
09-11-2012 10:29 PM
Mohan,
That is interesting. When you do get around to looking at this issue a little deeper, please open another thread so it catches my attention and we can segment the conversation for future users.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-12-2012 06:11 PM
Hi Tarik,
We did that change and seemed to hit the Access-Reject from RADIUS, and authentication worked OK. Then, we had to put AD1 in the additional identity stores accessed to retrieve attributes for authorization policy processing, and it works fine now! So why is it going to retrieve the attributes from the additional ID store for EAP-TLS certificates?
Thanks again.
Mohan
09-12-2012 08:02 PM
Mohan,
When you configure a certificate authentication profile, you are authenticating the client based on the certificate it presents; you do not check with Active Directory for the username, and there is no password that is transmitted. It is all based on the root CA that you configure in the C.A.P. This is very similar to SSL, where the CA is the piece that validates the client. You can choose to perform binary comparison with AD in order to perform a binary check of the client certificate against the certificate that is published to this user account in AD; that will add additional security in verifying the user account.
The answer to your question is below:
In addition, you can configure an optional list of databases from which additional attributes can be retrieved. These additional databases can be configured irrespective of whether you use password-based or certificate-based authentication.
If a certificate-based authentication is performed, the username is populated from a certificate attribute and this username is used to retrieve attributes from all the databases in the list. For more information on certificate attributes, see Configuring CA Certificates.
When a matching record is found for the user, the corresponding attributes are retrieved. ACS retrieves attributes even for users whose accounts are disabled or whose passwords are marked for change.
Tarik Admani
*Please rate helpful posts*
09-13-2012 06:25 AM
Hi Tarik,
Great explanation again, but I thought that enabling binary comparison with the root CA installed on the ACS (apart from the identity certificate in the Local Certificates section) was going to break the cert authentication, so this was left unchecked. So, from what I understand, enabling binary certificate comparison and removing AD1 from the additional attribute section will be a valid solution?
Thanks again.
Mohan
09-13-2012 08:02 AM
It will only break cert authentication if the certificate isn't published to the user account in Active Directory, which in this case may be true since you are using certificates on your i-devices.
No, enabling the binary comparison is an additional check: it not only checks that the user is providing a user cert that is signed by your CA, but it also checks that the cert is identical to the one that was issued and published to the AD user account.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-13-2012 08:12 AM
OK. I will enable the binary check comparison and leave the attribute settings unchanged. Once again, thanks a tonne for everything. I will keep you posted on the testing activities.
Best Regards,
Mohan
09-18-2012 11:26 PM
Hi Tarik,
Just want to clarify the following:
1. Using ACS for Kerberos authentication on iDevices for internal sites so that the users do not need to enter a username/password.
2. Configuring incremental backups on ACS 5.3, as we seem to be getting the "Incremental backups not configured" system alarm message. I was reading through your other post on this, but which is the best way to go about it?
Thanks and Regards,
Mohan
09-19-2012 08:11 AM
Mohan,
You cannot use Kerberos authentication for iDevices since they do not join the Active Directory domain; you will have to use EAP-TLS, and that is done through certificate authentication (based on the identity cert and whether it is signed by the root in the CAP profile).
Configuring incremental backups is a little touchy; if you have set it up more than once then you could be running into an issue where the backup processes may be overlapping. However, are you running scheduled backups of your ACS configuration? If so, are they at the same time as your incremental backups?
(Basically, incremental backups are for the monitoring database, and the scheduled backups are for the ACS configuration.)
Thanks,
Tarik Admani
*Please rate helpful posts*