05-10-2009 11:49 PM - edited 03-10-2019 04:29 PM
Hi all!
I have an ACS 3.3(2)b2 what authenticates users from external ADs. All the authentication is succeful from its own domain and from several trusted domain.
Now I'd like to add a new domain to the system, but when I try to authenticate from this domain it fails. In the "Failed Attempts" report the error message is the following: "External DB account restriction"
My setting:
Ext. User DBs --> DB Configuration --> Windows DB --> Configure --> I put it to the "Domain List" column in the "Configure Domain List" section.
The "... Grant Dialin Permission ..." checkbox is empty.
I have a valid group mapping also.
I found a bug in this version:
"Authentication succeeded only when The EAP-TLS client authenticate to the DC which connected directly to the ACS, but when the user is in the Trusted DC (only in the trusted DC) which connected to the first DC, the authentication didn't succeed and the Fail Attempts message was: "External DB account Restriction."
Same message occurred whether enabling the domain stripping in Windows external database settings or not. "
I could accept this bug if there wasn't many well working domains in the system.
Has anyone got any idea for this problem?
What I forgot to set?
By(e),
Miki
05-15-2009 04:09 AM
Check if you have a mapped to disabled group. Do not map multiple windows group to ACS group.
i.e.
WG1,WG2,WG3,* -----> ACS-GP1
Instead do it like,
WG1----> ACS-GP1
WG2----> ACS-GP1
05-15-2009 05:17 AM
Hi ssoberlik!
Thank you for your answer. I have only one mapping in the new domain, so I use one-to-on mapping. Although I use the ACS group in an other mapping in an other domain, but I think this is permitted.
In the AD security logs I see the authentication request what is successful, but int the ACS this failes.
Miki
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide