07-19-2021 05:02 AM
Hello.
We have : ACS 5.8.1.4< three domain (Win2012) primary oneil.local
subdomain vuko.oneil.local/ booka.oneil.local
All users connect via VPN without problems from these domains.
We have new domain line.local. From the forest. It configured to trust with oneil.local (two-way trust)...
But users from domain line.local have a problem with VPN connection. Authentication failed...
A very strange error.
If someone knows how I can get this working I will really appreciate it.
Thanks in advance.
Regards.
RADIUS Authentication Details
RADIUS Status:Authentication failed
ACSVersion=acs-5.8.1.4-B.462.x86_64 : ConfigVersionId=430 :
Device Port=34573 : RadiusPacketType=AccessRequest : Protocol=Radius :
Called-Station-ID=140.100.200.101 : CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name=DefaultWEBVPNGroup :
AD-User-Candidate-Identities=Zaharova_E_V@line.local : AD-User-DNS-Domain=line.local : AD-User-NetBios-Name=LINE :
AD-User-Resolved-Identities=Zaharova_E_V@line.local : AD-User-Join-Point=ONEIL.LOCAL :
AD-User-Resolved-DNs=CN=Захарова Елена Валерьевна,OU=Managers,OU=Employees,DC=Line,DC=local :
StepData=11=Zaharova_E_V@line.local :
StepData=12=oneil.local :
StepData=13=oneil.local :
StepData=15=Zaharova_E_V@line.local :
StepData=18=Zaharova_E_V@line.local :
StepData=21=ERROR_INTERNAL : IdentityAccessRestricted=false : Device IP Address=10.4.0.36
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15008 Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24210 Looking up User in Internal Users IDStore - Zaharova_E_V@line.local
24216 The user is not found in the internal users identity store.
24430 Authenticating user against Active Directory
24325 Resolving identity - Zaharova_E_V@line.local
24313 Search for matching accounts at join point - oneil.local
24319 Single matching account found in forest - oneil.local
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - Zaharova_E_V@line.local
24402 User authentication against Active Directory succeeded
24432 Looking up user in Active Directory - Zaharova_E_V@line.local
24326 Searching subject object by UPN - Zaharova_E_V@line.local
24328 Subject object not found in a cache
24330 Lookup SID By Name request succeeded
24333 Lookup Object By SID request failed - ERROR_INTERNAL
24478 Error while validating the user or host in Active Directory; the IdentityAccessRestricted flag is not altered
22037 Authentication Passed
22023 Proceed to attribute retrieval
24210 Looking up User in Internal Users IDStore - Zaharova_E_V@line.local
24216 The user is not found in the internal users identity store.
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
22016 Identity sequence completed iterating the IDStores
15044 Evaluating Group Mapping Policy
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
15035 Evaluating Exception Authorization Policy
15042 No rule was matched
15036 Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
Solved! Go to Solution.
08-06-2021 06:39 PM
You probably have not received any answers because ACS is long past End of Support.
Please upgrade to ISE: ACS to ISE Migration
08-06-2021 06:39 PM
You probably have not received any answers because ACS is long past End of Support.
Please upgrade to ISE: ACS to ISE Migration
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide