gadzi11255333
Beginner

ACS, AD domains and a strange error

Hello.

We have: ACS 5.8.1.4, three domains (Win2012): primary oneil.local, subdomains vuko.oneil.local / booka.oneil.local.
All users connect via VPN without problems from these domains.
We have a new domain, line.local, from the forest. It is configured to trust oneil.local (two-way trust)...
But users from the domain line.local have a problem with the VPN connection. Authentication failed...
A very strange error.

If someone knows how I can get this working, I will really appreciate it.
Thanks in advance.
Regards.


RADIUS Authentication Details
RADIUS Status:Authentication failed

ACSVersion=acs-5.8.1.4-B.462.x86_64 : ConfigVersionId=430 :
Device Port=34573 : RadiusPacketType=AccessRequest : Protocol=Radius :
Called-Station-ID=140.100.200.101 : CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name=DefaultWEBVPNGroup :
AD-User-Candidate-Identities=Zaharova_E_V@line.local : AD-User-DNS-Domain=line.local : AD-User-NetBios-Name=LINE :
AD-User-Resolved-Identities=Zaharova_E_V@line.local : AD-User-Join-Point=ONEIL.LOCAL :
AD-User-Resolved-DNs=CN=Захарова Елена Валерьевна,OU=Managers,OU=Employees,DC=Line,DC=local :
StepData=11=Zaharova_E_V@line.local :
StepData=12=oneil.local :
StepData=13=oneil.local :
StepData=15=Zaharova_E_V@line.local :
StepData=18=Zaharova_E_V@line.local :
StepData=21=ERROR_INTERNAL : IdentityAccessRestricted=false : Device IP Address=10.4.0.36

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15008 Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24210 Looking up User in Internal Users IDStore - Zaharova_E_V@line.local
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24325 Resolving identity - Zaharova_E_V@line.local
24313 Search for matching accounts at join point - oneil.local
24319 Single matching account found in forest - oneil.local
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - Zaharova_E_V@line.local
24402 User authentication against Active Directory succeeded
24432 Looking up user in Active Directory - Zaharova_E_V@line.local
24326 Searching subject object by UPN - Zaharova_E_V@line.local
24328 Subject object not found in a cache
24330 Lookup SID By Name request succeeded
24333 Lookup Object By SID request failed - ERROR_INTERNAL
24478 Error while validating the user or host in Active Directory; the IdentityAccessRestricted flag is not altered
22037 Authentication Passed
22023 Proceed to attribute retrieval
24210 Looking up User in Internal Users IDStore - Zaharova_E_V@line.local
24216 The user is not found in the internal users identity store.
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22016 Identity sequence completed iterating the IDStores
15044 Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
15035 Evaluating Exception Authorization Policy
15042 No rule was matched
15036 Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
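As an added example (not from the post and not Cisco's code), a small Python triage script that parses an ACS 5.x step list like the one above and flags the pattern it shows: the AD logon succeeds (24402), the object-by-SID lookup fails (24333), so authorization has no group attributes to match on and falls through to the default rule, which is DenyAccess. The sample lines are an excerpt reconstructed from the report above; the regex and result field names are my own.

```python
import re

# Constructed excerpt of the step sequence in the report above (not a live capture).
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
24430 Authenticating user against Active Directory
24313 Search for matching accounts at join point - oneil.local
24402 User authentication against Active Directory succeeded
24330 Lookup SID By Name request succeeded
24333 Lookup Object By SID request failed - ERROR_INTERNAL
24478 Error while validating the user or host in Active Directory; the IdentityAccessRestricted flag is not altered
22037 Authentication Passed
15036 Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^(\d{5})\s+(.*\S)\s*$")


def parse_steps(text):
    """Return [(code, message), ...] for each 'NNNNN message' line; other lines are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in (STEP_RE.match(line.strip()) for line in text.splitlines()) if m]


def diagnose(steps):
    """Classify one ACS authentication report from its step codes."""
    codes = [c for c, _ in steps]
    msgs = dict(steps)  # last message seen per code
    result = {"auth_passed": 24402 in codes, "ad_lookup_error": None,
              "denied_by_default_rule": False, "verdict": "unknown"}
    # 24333 carries the AD error token after ' - ' (ERROR_INTERNAL in the report above)
    if 24333 in codes:
        result["ad_lookup_error"] = msgs[24333].rsplit(" - ", 1)[-1]
    # DenyAccess is "by default rule" only if 15006 falls between 15036 and 15016
    if 15036 in codes and 15016 in codes and "DenyAccess" in msgs[15016]:
        seg = codes[codes.index(15036):codes.index(15016)]
        result["denied_by_default_rule"] = 15006 in seg
    if result["auth_passed"] and result["ad_lookup_error"] and result["denied_by_default_rule"]:
        # credentials were accepted, but authorization had no group data to match on
        result["verdict"] = "authenticated_but_denied"
    elif 11003 in codes:
        result["verdict"] = "rejected"
    return result
```

Running `diagnose(parse_steps(SAMPLE_STEPS))` on the excerpt yields the verdict `authenticated_but_denied` with `ad_lookup_error` set to `ERROR_INTERNAL`, which separates this case from an ordinary bad-password reject when sorting through many reports.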


thomas
Cisco Employee

You probably have not received any answers because ACS is long past End of Support.  

Please upgrade to ISE: ACS to ISE Migration

