Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1324
Views
0
Helpful
5
Replies

ACS v5.6 and authorization problems with remote forest

simong
Level 1
Level 1

‎02-20-2018 08:25 AM - edited ‎02-21-2020 10:46 AM

Folks,

 

I have a weird ACS authorisation problem on which I'm hoping the AAA community here can shed some light...

 

Users & computers exist in a remote AD (abc.local) which has a 2-way Forest Trust AD with the AD to which ACS v5.6 is joined (xyz.net)

 

My ACS will 'authorise' AD-authenticated in the abc.local AD ONLY IF ExternalGroups ARE NOT configured in the authorisation rule.  If ExternalGroups are configured, the authorisation fails with 'Access-Reject'

 

Any ideas?

Labels:
0 Helpful
5 Replies 5

Jatin Katyal
Cisco Employee
Cisco Employee

‎02-20-2018 08:58 AM

It seems during the user lookup, the AD groups are not popping up for that specific user, hence not matching the authz policy and getting the results ( Deny ) from the Default one. In order to verify, look at the details of radius authentication log for external AD groups. Was this working in the past ? also do you have forest 2-way trust ?

~ JK

 

~Jatin
0 Helpful

simong
Level 1
Level 1
In response to Jatin Katyal

‎02-20-2018 10:55 AM - edited ‎02-20-2018 11:13 AM

Hi Jatin, thanks for replying. This particular AD authorization policy is a new requirement to enable wifi mobility with partner organisation's AD. The RADIUS authorisation log does contain an entry indicating 'Retrieval of all groups was not possible' (or similar message) but I've seen this message before and ignored it as no problems were encountered.

 

There is a forest 2-way trust in place with this AD. Authz policies for other Ad's that do work are external 2-way trusts so I don't have a working precedent though I'm presuming it is a supported configuration.

 

If there was a handy command which could be used with the ACS ADCLIENT CLI troubleshooting to obtain the list of groups an AD user belongs then this may help to highlight the underlying issue.

 

Regards,

Simon

0 Helpful

ajc
Level 7
Level 7
In response to simong

‎02-21-2018 08:02 AM

Not sure if you are aware about this.

 

ACS-EOL.png

 

 

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to simong

‎02-21-2018 08:54 AM

Lets check the debugs:

Can you enable the debug-adclient enable & duplicate the issue while having a external groups in the authz condition.

For more info on how to enable debugs.

https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/command/reference/cli/cli_app_a.html#53984

then check show acs-logs filename ACSADAgent.log

 

~Jatin
0 Helpful

simong
Level 1
Level 1
In response to Jatin Katyal

‎02-22-2018 01:47 AM

Hi Jatin,

 

Thank you for suggestion - it has proven most helpful! 

There are errors being logged for a particular AD login such as :

 

Feb 22 09:26:08 bv-acs5 adclient[18044]: DEBUG <fd:42 MS-RPC user authentication > base.adagent.domaininfo isForeignDomain: Domain abc.local not in map 

 

Feb 22 09:26:08 bv-acs5 adclient[18044]: DEBUG <fd:28 CAPIGetObjectBySID > base.aduser Domain doesn't trust us.  Fetching a foreign object S-1-5-21-1005532245-1684542211-154385

9470-5758

 

Feb 22 09:26:08 bv-acs5 adclient[18044]: DIAG  <fd:28 CAPIGetObjectBySID > base.adagent S-1-5-21-1005532245-1684542211-1543859470-9931 is from a one-way trust.  Creating fake o

bject

 

Feb 22 09:26:08 bv-acs5 adclient[18044]: DEBUG <fd:28 CAPIGetObjectBySID > base.aduser Creating foreign user object dn <GUID=71ad1fee32e9428fa1f1a428e33889cf>;<SID=010500000000

0005150000005534ef3b031368640e6d055c56320000>;CN=71ad1fee32e9428fa1f1a428e33889cf,CN=Foreign User,CN=One Way Trust,DC=XYZ,DC=NET

 

Now....where to investigate these error codes and translate to microsoft lingo!

0 Helpful
Customers Also Viewed These Support Documents