ACS 5.8.0.32 not matching Active Directory Authorization Rules for TACACS after upgrade from 5.6

fuhrersk8
Level 3

Hi Guys;

We had a primary/secondary ACS 5.6 deployment working beautifully with all of our switches authenticating (TACACS) with our Active Directory accounts.

We decided to upgrade to version 5.8.0.32. Both virtual machines upgraded successfully (at least that was the message from each VM after upgrading).

But, after the upgrade, both ACS were disconnected from the AD. We rejoined both of them successfully, but now, after the upgrade, all of the authorization rules referencing AD (Active Directory accounts) are being ignored and it goes directly to the default deny rule.

The local accounts existing on the ACS authenticate successfully. It is the rules referencing AD accounts.

All diagnostic tests pass successfully; even in the ACS logs, the users from AD get authenticated, but in the authorization rules the ACS ignores the existing AD rules and uses the Default Deny rule.

Any ideas?

Thanks in advance Guys!

22 Replies

Has anyone been able to resolve this issue?  I'm having the same problem here.  Upgraded from 5.6 to 5.8 with latest patch and user group attributes went fubar.

Hi;

Below solution as explained by Cisco TAC:

"As you can see the ability to read tokenGroups attributes was added. From the logs we can see the following error:

Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS)

Therefore we need to request the Active Directory administrator to update the permissions for the ACS computer account in Active Directory.

The command to update the permissions is “dsacls [distinguished name of domain] /I:T /G "User or Group":rp;tokenGroups”."

Attached is the meaning of the AD commands.

Hope this helps.

Regards,

Hi,

We have set the permissions on the AD but no changes. But thx for the response.
Our SmartNet is not active yet, so I can't create an SR at this moment.

I've reinstalled 5.7 and will wait for the SmartNet :-(

Hi;

In my case, the AD administrator actually didn't execute the command as stated by Cisco TAC; what they did instead was to add the ACS object to an AD object group with Pre-Windows 2000 type of access, and then the ACS was able to read the tokenGroups as required.

Regards,
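The two fixes above (the TAC dsacls grant and the Pre-Windows 2000 Compatible Access group route) both come down to the ACS computer account being allowed to read tokenGroups below the domain root. The following PowerShell is an added check, not part of this thread or of Cisco's tooling, that verifies which route (if any) is in place before and after the change; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the account name ACS01$ is a placeholder.

```powershell
# Added check (not from the thread, Cisco TAC, or Cisco ACS): report whether the ACS
# computer account can read tokenGroups under the domain root. Placeholders: the
# account name. Needs the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

$AcsSam   = 'ACS01$'                     # placeholder: sAMAccountName of the ACS computer account
$DomainDN = (Get-ADDomain).DistinguishedName
$NetBIOS  = (Get-ADDomain).NetBIOSName

# Resolve the schemaIDGUID of tokenGroups from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$tgSchema = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=tokenGroups)' -Properties schemaIDGUID
$tgGuid   = [guid]$tgSchema.schemaIDGUID

# SIDs that can carry the grant: the account itself, every group it belongs to
# (this covers the Pre-Windows 2000 Compatible Access route from the reply above),
# plus Authenticated Users and Everyone.
$acct  = Get-ADComputer -Identity $AcsSam
$sids  = @($acct.SID.Value, 'S-1-5-11', 'S-1-1-0')
$sids += Get-ADPrincipalGroupMembership -Identity $acct | ForEach-Object { $_.SID.Value }

# Inspect the ACL on the domain root; "dsacls ... /I:T" places an inheritable ACE here.
# The ACE must allow ReadProperty on tokenGroups itself (or on all properties) and must
# inherit downwards, otherwise user objects in sub-OUs are not covered.
$acl   = Get-Acl -Path "AD:\$DomainDN"
$grant = $acl.Access | Where-Object {
    $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
    $_.AccessControlType -eq 'Allow' -and
    $sid -in $sids -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
    ($_.ObjectType -eq $tgGuid -or $_.ObjectType -eq [guid]::Empty) -and
    $_.InheritanceType -ne 'None'
}

if ($grant) {
    "$AcsSam can read tokenGroups via the following ACE(s):"
    $grant | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType | Format-Table -AutoSize
} else {
    "$AcsSam has no inheritable read on tokenGroups at $DomainDN."
    "The TAC fix quoted in this thread, filled in for this account, would be:"
    "dsacls `"$DomainDN`" /I:T /G `"$NetBIOS\$AcsSam`":RP;tokenGroups"
}
```

Run it as a domain user that can read the domain root ACL; a grant made on a sub-OU rather than the root is reported as missing, which is intended, since the ACS resolves users from the whole domain.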

Hi all,

thx for the response.

It is a bug. CSCuy12884 

The bug you are referring to is resolved in 5.8p2.

Hello;

Not even the ACS admin authorization rule is working. It was working on previous version 5.6.

That is, we were able to access the ACS as SuperAdmin with our AD accounts.

Thanks again.

Regards, 

We ran into this same issue.  The problem ended up just being that ACS lost the domain in External Identity Stores>Active Directory.

We re-joined to the domain and problem was solved.
