02-11-2016 06:09 AM - edited 03-10-2019 11:28 PM
Hi Guys;
We had a primary/secondary ACS 5.6 deployment working beautifully with all of our switches authenticating (TACACS) with our Active Directory accounts.
We decided to upgrade to version 5.8.0.32. Both virtual machines upgraded successfully (at least that was the message from each VM after upgrading).
But, after the upgrade, both ACS were disconnected from the AD. We rejoined both of them successfully, but now, after the upgrade, all of the authorization rules referencing AD (Active Directory accounts) are being ignored and it goes directly to the default deny rule.
The local accounts existing on the ACS authenticate successfully. It is the Rules referencing AD accounts.
All diagnostic tests pass successfully; even in the ACS logs, the users from AD get authenticated, but in the authorization rules the ACS ignores the existing AD rules and uses the Default deny Rule.
Any ideas?
Thanks in advance, guys!
07-26-2016 08:52 PM
Has anyone been able to resolve this issue? I'm having the same problem here. Upgraded from 5.6 to 5.8 with latest patch and user group attributes went fubar.
04-21-2016 06:24 AM
Hi;
Below solution as explained by Cisco TAC:
"As you can see the Ability to read tokenGroups attributes was added. From the logs we can see the following error:
Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS)
Therefore we need to request the Active Directory administrator to update the permissions for the ACS computer account in Active Directory.
The command to update the permissions is: dsacls [distinguished name of domain] /I:T /G "User or Group":rp;tokenGroups"
Attached are the meaning of the AD commands.
Hope this helps.
Regards,
04-22-2016 06:13 AM
Hi,
We have set the permissions on the AD but no changes. But thx for the response
Our smartnet is not active yet, so I can't create a SR at this moment.
I've reinstalled 5.7 and will wait for the smartnet :-(
04-22-2016 07:17 AM
Hi;
In my case, the AD administrator actually didn't execute the command as stated by Cisco TAC; what they did instead was to add the ACS object to an AD object group with Pre-Windows 2000 type of access, and then the ACS was able to read the tokenGroups as required.
Regards,
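An added check (not part of this thread or of Cisco's guidance) that an AD administrator can run from a domain-joined workstation with RSAT to verify whether the ACS computer account actually holds what the two posts above describe: an explicit ReadProperty ACE on tokenGroups at the domain root (what the dsacls command grants) or direct membership in the Pre-Windows 2000 Compatible Access group. `$AcsComputer` is an assumed placeholder for the ACS machine account name.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
# $AcsComputer: placeholder for the ACS machine account (sAMAccountName without the trailing '$').
param(
    [Parameter(Mandatory)][string]$AcsComputer
)
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acs      = Get-ADComputer -Identity $AcsComputer
# SIDs the ACS account could be granted rights through: itself plus its direct groups.
$sids     = @($acs.SID) + @(Get-ADPrincipalGroupMembership -Identity $acs | ForEach-Object { $_.SID })

# schemaIDGUID of the tokenGroups attribute. An Allow ACE with ReadProperty whose
# ObjectType is this GUID (or the empty GUID, i.e. "all properties") covers tokenGroups.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$tgGuid   = [guid](Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=tokenGroups)' `
                -Properties schemaIDGUID).schemaIDGUID

$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$acl      = Get-Acl -Path "AD:\$domainDN"
$aces     = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $readProp) -ne 0) -and
    ($_.ObjectType -eq $tgGuid -or $_.ObjectType -eq [guid]::Empty) -and
    ($sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]))
}

# The alternative the later post describes: membership in Pre-Windows 2000 Compatible Access.
$preW2kSid = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access').SID
$viaPreW2k = $sids -contains $preW2kSid

[pscustomobject]@{
    AcsAccount            = $acs.SamAccountName
    TokenGroupsAceFound   = [bool]$aces
    TokenGroupsAces       = $aces | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
    PreWindows2000Member  = $viaPreW2k
    CanReadTokenGroups    = ([bool]$aces -or $viaPreW2k)
}
```

A `CanReadTokenGroups` of False, together with error 60173 in the ACS logs, points at the permission gap rather than at the AD join itself; inherited ACEs on the user containers are not inspected here, only the domain root.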
04-26-2016 01:47 AM
Hi all,
thx for the response.
It is a bug. CSCuy12884
05-05-2016 03:29 PM
The bug you are referring to is resolved in 5.8p2
02-12-2016 06:51 AM
Hello;
Not even the ACS admin authorization rule is working. It was working on previous version 5.6.
That is, we were able to access the ACS as SuperAdmin with our AD accounts.
Thanks again.
Regards,
07-19-2016 02:21 PM
We ran into this same issue. The problem ended up just being that ACS lost the domain in External Identity Stores>Active Directory.
We re-joined to the domain and problem was solved.