
ACS authenticating Windows DB

r-marchetti (Level 1)

Hi everybody,

I have a server running ACS for Windows 3.3 used for 802.1X authentication. I only have 1 local ACS account (test) and I use an external DB to authenticate the other users.

I asked Windows Domain administrator to create 3 groups:

- VLAN1 with 2 users

- VLAN2 with 2 users

- VLAN3 with 2 users

I configured the "Unknown User Policy" to check the Windows DB if the user is not local, and I configured the domain and mapped the ACS groups in the following way:

- ACS group VLAN1 is mapped to Windows leaf VLAN1 of domain ESMLAB

- ACS group VLAN2 is mapped to Windows leaf VLAN2 of domain ESMLAB

- ACS group VLAN3 is mapped to Windows leaf VLAN3 of domain ESMLAB

/Default DB is mapped to <no-access>.

The strange thing is that ACS's first choice is to use /Default, so users don't get access to the network! I tried mapping /Default to VLAN1: the users then accessed the network and were assigned to the correct VLAN. In this way I checked that ACS correctly connects to the DB to authenticate the user.

What could cause ACS to use /Default first instead of the correct mapping? What did I forget? Is the Windows DB configured correctly?

Thanks

Regards

Roberto

2 Replies

gfullage (Cisco Employee)

Mappings are checked from a top-down perspective, so if you have the \DEFAULT domain appearing below the ESMLAB domain then this should be OK. What's probably happening is that ACS is unable to get any of the users' Windows group mapping properties and therefore doesn't know that they're in the VLANx Windows group. Because of this ACS always maps them through to the catch-all \DEFAULT group and they get no access accordingly.

As for why ACS can't get the users' group mappings from Windows, it is usually a permissions problem, specifically which user the CS services are running under on the ACS device; most often even a domain administrator doesn't have the right permissions. You don't mention if ACS is running on a DC or just on a member server. Running it on a DC usually resolves most permissions problems, particularly on an AD.

You can try the following to set the permissions correctly:

Instructions for changing privileges:

1) On the AD, go to Administrative Tools -> Domain Security Policy -> Security Settings -> Local Policies -> User Rights Assignment and:

a) double click on "Act as part of the operating system"
b) check the "Define these policy settings" checkbox
c) click Add and enter "domain\administrator"
d) click OK
e) double click on "Log on as a service"
f) check the "Define these policy settings" checkbox
g) click Add and enter "domain\administrator"
h) click OK

(Note: do the same for "Log on Locally".)

2) Right-click on the "Security Settings" header and choose "Reload".

3) Log into the ACS machine with user = domain\administrator (please note that the user must be administrator and not another Domain Admin user).

4) Change the ACS services to run under domain\administrator and restart them all.

If that doesn't work, enable Full Logging under the System Config -> Service Control page and restart the ACS services. Then try an authentication request and check the latest auth.log file under Program Files\CiscoSecure ACS v3.3\CSAuth\Logs; there'll probably be some errors about not getting RAS permissions. You may need to send this to the TAC for further analysis.

Hi,

I spoke with the AD administrator and I changed all ACS services to run under ESMLAB\administrator and restarted them. On the AD he checked the "Act as part of the operating system", "Log on as a service" and "Log on Locally" checkboxes for the user ESMLAB\administrator, and everything is OK.

Now the situation has changed, but it still doesn't work. From the ACS logs I see that users aren't mapped to any ACS group and I get this error in Failed Attempts: "External DB account Restriction".

Looking at the file in Program Files\CiscoSecure ACS v3.3\CSAuth\Logs I see the following lines:

AUTH 12/15/2004 14:31:46 I 0701 0920 AuthenProcessResponse: process response for 'ESMLAB\test01' against Windows Database

AUTH 12/15/2004 14:31:46 I 0365 0920 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [ESMLAB\test01]

AUTH 12/15/2004 14:31:46 I 0365 0920 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user test01

AUTH 12/15/2004 14:31:46 E 0365 0920 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1300L)

AUTH 12/15/2004 14:31:46 I 2116 0920 Unknown User 'ESMLAB\test01' was not authenticated

AUTH 12/15/2004 14:31:46 I 5081 0920 Done RQ1027, client 6, status -2046

AUTH 12/15/2004 14:31:46 I 5094 0920 Worker 3 processing message 8.

AUTH 12/15/2004 14:31:46 I 5081 0920 Start RQ1027, client 6 (127.0.0.1)

AUTH 12/15/2004 14:31:46 I 0701 0920 AuthenProcessResponse: process response for 'ESMLAB\test01' against Windows Database

AUTH 12/15/2004 14:31:46 I 0350 0920 EAP: PEAP: Second phase: 26 authentication FAILED

AUTH 12/15/2004 14:31:46 I 5081 0920 Done RQ1027, client 6, status -1058

Any other suggestions?

Thanks

Roberto
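The auth.log excerpt above is the kind of thing a practitioner ends up reading by hand. The following is an added example, not part of the original thread or of Cisco's ACS code: a small triage script that parses CSAuth auth.log lines in the format shown above, correlates the "Attempting Windows authentication for user ..." line with the "Windows authentication FAILED (error NNNNL)" line on the same CSAuth worker thread, and decodes the Win32 error code. The sample log is constructed from the lines Roberto pasted. The code-to-name table is taken from winerror.h (the "L" suffix in "1300L" is the winerror.h long-literal notation); in particular 1300 is ERROR_NOT_ALL_ASSIGNED, "Not all privileges or groups referenced are assigned to the caller", which is the error a process gets when the account it runs under lacks a privilege it tried to enable. Whether that is the actual root cause in Roberto's case is not something the thread settles; the script only makes the code readable.

```python
"""Triage CiscoSecure ACS CSAuth auth.log lines for Windows external-DB failures.

Added example, not from the original thread. Log format assumed from the
excerpt posted in the thread:
    AUTH <mm/dd/yyyy> <hh:mm:ss> <level> <nnnn> <thread> <message>
"""
import re
from typing import Dict, List, Optional

# Constructed sample, copied in shape from the auth.log excerpt in the thread.
SAMPLE_LOG = (
    "AUTH 12/15/2004 14:31:46 I 0701 0920 AuthenProcessResponse: process response for 'ESMLAB\\test01' against Windows Database\n"
    "AUTH 12/15/2004 14:31:46 I 0365 0920 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [ESMLAB\\test01]\n"
    "AUTH 12/15/2004 14:31:46 I 0365 0920 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user test01\n"
    "AUTH 12/15/2004 14:31:46 E 0365 0920 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1300L)\n"
    "AUTH 12/15/2004 14:31:46 I 2116 0920 Unknown User 'ESMLAB\\test01' was not authenticated\n"
    "AUTH 12/15/2004 14:31:46 I 5081 0920 Done RQ1027, client 6, status -2046\n"
    "AUTH 12/15/2004 14:31:46 I 0350 0920 EAP: PEAP: Second phase: 26 authentication FAILED\n"
    "AUTH 12/15/2004 14:31:46 I 5081 0920 Done RQ1027, client 6, status -1058\n"
)

# Win32 error codes (winerror.h) that NTAuthenDLL.dll reports as "(error NNNNL)".
# Only codes the author of this example is certain of are listed.
WIN32_ERRORS: Dict[int, str] = {
    1300: "ERROR_NOT_ALL_ASSIGNED: not all privileges referenced are assigned to the caller "
          "(the CSAuth service account lacks a privilege it tried to enable)",
    1326: "ERROR_LOGON_FAILURE: unknown user name or bad password",
    1327: "ERROR_ACCOUNT_RESTRICTION: account restriction (e.g. blank password not permitted)",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1355: "ERROR_NO_SUCH_DOMAIN: the specified domain does not exist or could not be contacted",
}

LINE_RE = re.compile(
    r"^AUTH (?P<date>\S+) (?P<time>\S+) (?P<level>[A-Z]) (?P<src>\d+) (?P<thread>\d+) (?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<code>\d+)L?\)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one auth.log line into its fields; None if it is not an AUTH record."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per 'Windows authentication FAILED' line.

    CSAuth interleaves worker threads, so the user is taken from the most recent
    'Attempting ... for user X' record on the *same* thread id, not the previous line.
    """
    pending_user: Dict[str, str] = {}  # thread id -> user currently being authenticated
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        thread, msg = rec["thread"], rec["msg"]
        m = ATTEMPT_RE.search(msg)
        if m:
            pending_user[thread] = m.group("user")
            continue
        m = FAILED_RE.search(msg)
        if m:
            code = int(m.group("code"))
            findings.append({
                "timestamp": f"{rec['date']} {rec['time']}",
                "thread": thread,
                "user": pending_user.pop(thread, "<unknown>"),
                "code": code,
                "meaning": WIN32_ERRORS.get(code, "unlisted Win32 error; look it up in winerror.h"),
            })
    return findings


def is_privilege_problem(findings: List[Dict[str, object]]) -> bool:
    """True if any failure is ERROR_NOT_ALL_ASSIGNED, i.e. the fix path is the
    service account's user rights rather than the group mapping or the password."""
    return any(f["code"] == 1300 for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} thread {f['thread']} user {f['user']}: error {f['code']} -> {f['meaning']}")
    print("privilege problem:", is_privilege_problem(results))
```

Run it against a real auth.log with `triage(open(path).read())`; Full Logging (System Config -> Service Control) has to be on for the NTAuthenDLL.dll lines to appear at all, as gfullage notes above.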