04-24-2011 08:42 AM - edited 03-10-2019 06:01 PM
Hi All,
My ACS 5.2 joined Windows 2003 Active Directory successfully. I created a Support group with user1 in the internal store, and also created a Support-AD group with userad1 in the AD store. The Identity Store Sequence is set to Internal first, then AD. I can map the Support-AD group to the local Support group without any problem.
The internal user gets authenticated and authorized OK. However, if the user is an AD user, the rule for AD users is not picked, so it goes to default.
I must have missed something. Please help. I have uploaded my screenshots. Thanks in advance.
04-25-2011 05:32 AM
Robert,
Something I've found to be very useful when troubleshooting these types of issues in ACS 5.2 is the Monitoring and Report Viewer. If you launch it and then choose AAA Protocol on the left under Catalog, it will present you with several reports, one of them being TACACS Authentication. Run the report and then choose the details by clicking the small magnifying glass under one of the entries that resulted in the use of the default rule. The details are very good and will show the step-by-step processing results and at what point your default rule is being chosen.
Hope this helps.
Greg
04-25-2011 01:38 PM
Looking at the identity policy for AD device admin, it is selecting the "Identity Source" as "Internal Users".
It should instead select the Identity Sequence (can't remember what it was called, but something like "Internal First").
Everything else seems OK.
If it still doesn't work, the information on the authentication details will be very helpful. It shows which AD groups were in fact retrieved.
04-25-2011 02:03 PM
Thanks for the reply.
I found out the problem. I created an Identity Store Sequence but I forgot to choose this newly created Sequence (choosing Internal Users or AD alone won't work). Once I specify this sequence under the Identity policy, everything works as expected.
Thanks again.
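The fix above comes down to which identity source the identity policy points at. The following is an added model of that lookup, not ACS code: it assumes constructed stores named "Internal Users" and "AD1" holding the thread's user1 and userad1, and shows why an AD user falls to the default rule when the policy selects "Internal Users" alone but matches the Support rule once the "Internal First" sequence is selected.

```python
"""Model of an ACS 5.2 identity policy lookup (added example, not ACS code)."""

# Constructed identity stores, using the names from the thread.
INTERNAL_USERS = {"user1": {"password": "pw1", "groups": {"Support"}}}
AD_USERS = {"userad1": {"password": "pwad1", "groups": {"Support-AD"}}}
STORES = {"Internal Users": INTERNAL_USERS, "AD1": AD_USERS}

# AD group -> local group mapping, as described in the question.
AD_GROUP_MAPPING = {"Support-AD": "Support"}

# The Identity Store Sequence the poster created ("Internal first, then AD").
INTERNAL_FIRST = ("Internal Users", "AD1")


def lookup(store_names, username, password):
    """Query each store in order; return (store, local_groups) or None.

    A user who is absent from one store is tried against the next store;
    a wrong password stops the sequence, as a real store would reject it.
    """
    for name in store_names:
        entry = STORES[name].get(username)
        if entry is None:
            continue                      # not found: fall through to next store
        if entry["password"] != password:
            return None                   # found but rejected: stop here
        local_groups = {AD_GROUP_MAPPING.get(g, g) for g in entry["groups"]}
        return name, local_groups
    return None                           # no store knows this user


def authorize(identity_source, username, password):
    """identity_source is a single store name or an ordered sequence of stores.

    Returns the name of the authorization rule that would be selected.
    """
    if isinstance(identity_source, str):
        identity_source = (identity_source,)
    result = lookup(identity_source, username, password)
    if result is None:
        return "Default rule"             # no groups retrieved -> no rule match
    store, groups = result
    if "Support" in groups:
        return f"Support rule via {store}"
    return "Default rule"


if __name__ == "__main__":
    # The thread's symptom: policy points at "Internal Users" only.
    print(authorize("Internal Users", "userad1", "pwad1"))   # Default rule
    # The fix: policy points at the sequence.
    print(authorize(INTERNAL_FIRST, "userad1", "pwad1"))     # Support rule via AD1
```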
01-05-2012 06:46 AM
Hello Robert
I am facing the same problems as you.
Please, can you help me configure ACS to join the AD?
My goal is to authenticate users on AD for access to Cisco routers and switches.
I configured local users on ACS 5.2 and tested them. Everything is working fine (authentication, authorization etc.).
Now I am trying to authenticate users from AD without success.
I would like to send you the screenshots of the current configuration. Can you please tell me where the mistake is, or what I have forgotten to apply?
Please send me an email so I can send you the screenshots.
Happy New Year
Kostas Papachristofis
Message was edited by: Kostas Papachristofis I attach the screenshots