Hi all,
I have recently installed the ACS Solution Engine. The customer needed to use AD as an external DB for AAA authentication for engineers accessing their Cisco boxes.
I have set it up according to the documentation from Cisco, and installed a remote agent to authenticate on behalf of the ACS-SE.
All is well. There are 2 child domains. The remote agent is a member server of the 1st child domain, so authenticating users belonging to the 1st child domain is not a problem. However, when users of the 2nd child domain tried to access the Cisco boxes, the remote agent (belonging to the 1st child domain) failed to access the AD on the DC of the 2nd child domain. I checked the ACS log files and they say "External DB account restriction".
The remote agent has its services run by a username that belongs to the 1st child domain, i.e. CSACS. This user has already been granted read access to all the user folders in the AD of the 2nd child domain. Heck, by default, all users have read access even between child domains. There is no policy restriction applied for cross-domain access.
What could possibly be the problem? Any help would be greatly appreciated.