ACS5.2 joined the AD, authorizing user through Internal OK, through AD not working

robert.huang (Level 1)

Hi All,

My ACS 5.2 joined a Windows 2003 Active Directory successfully. I created a Support group with user1 in the internal store, and also created a Support-AD group with userad1 in the AD store. The Identity Store Sequence is set to Internal first, then AD. I can map the Support-AD group to the local Support group without any problem.

Internal user gets authenticated and authorized OK. However, if the user is an AD user, the rule for AD users is not picked. So it goes to default.

I must have missed something. Please help. I have uploaded my screenshots. Thanks in advance.

2 Accepted Solutions

GregCover (Level 1)

Robert,

Something I've found to be very useful when troubleshooting these types of issues in ACS 5.2 is the Monitoring and Report Viewer. If you launch it and then choose AAA Protocol on the left under Catalog, it will present you with several reports, one of them being TACACS Authentication. Run the report and then choose the details by clicking the small magnifying glass under one of the entries that resulted in the use of the default rule. The details are very good and will show the step-by-step processing results and at what point your default rule is being chosen.

Hope this helps.

Greg


Looking at the identity policy for AD device admin, it is selecting the "Identity Source" as "Internal Users".

It should instead select the identity sequence (I can't remember what it was called, but something like "Internal First").

Everything else seems OK.

If it still doesn't work, the information in the authentication details will be very helpful. It shows which AD groups were in fact retrieved.


5 Replies

Thanks for the reply.

I found out the problem. I created an Identity Store Sequence but I forgot to choose this newly created Sequence (choosing Internal Users or AD won't work). Once I specify this sequence under the Identity policy, everything works as expected.

Thanks again.
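To make the point of the second accepted solution and of Robert's fix concrete, here is a small Python model of the evaluation chain ACS walks for one login: identity policy picks an identity source (a single store or a store sequence), the source returns the user's groups (AD groups mapped onto ACS identity groups), and the authorization rules are matched top-down with the default rule as the fallback. This is an added example written for this page, not ACS code and not something posted by anyone in the thread. The store names `Internal Users` and `AD1`, the sequence name `Internal First`, the rule name `Support-Rule`, the sample passwords, and the choice that a wrong password stops the sequence walk while an unknown user falls through to the next store are all assumptions made for the illustration; only the user and group names, the Support-AD to Support mapping, and the two outcomes (AD user hits the default rule when the policy selects "Internal Users", and hits the Support rule once the sequence is selected) come from the posts.

```python
"""
Toy model of Cisco ACS 5.x request processing:
identity policy -> identity source (store or store sequence)
-> group retrieval (AD groups mapped to ACS identity groups)
-> authorization rule match, default rule as fallback.

Added illustration for this thread, not ACS code. Store contents,
store/sequence/rule names and the sequence-walk semantics are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed sample stores. Plaintext passwords only because this is a toy.
INTERNAL_USERS = {"user1": {"password": "pw1", "groups": {"Support"}}}
AD_USERS = {"userad1": {"password": "pwad1", "groups": {"Support-AD"}}}
STORES = {"Internal Users": INTERNAL_USERS, "AD1": AD_USERS}  # "AD1" is an assumed name

# AD group -> ACS identity group mapping, as described in the thread.
AD_GROUP_MAP = {"Support-AD": "Support"}

# Identity store sequence: try the internal store first, then AD.
SEQUENCES = {"Internal First": ["Internal Users", "AD1"]}

# Authorization rules, evaluated top-down; first match wins.
AUTHZ_RULES = [("Support-Rule", {"Support"})]


@dataclass
class Result:
    identity_source: str          # what the identity policy selected
    store_hit: Optional[str]      # store that authenticated the user, if any
    groups: Set[str] = field(default_factory=set)
    rule: str = "Default"         # authorization rule finally selected


def lookup(store_name: str, username: str, password: str) -> Tuple[str, Set[str]]:
    """Query one store. Returns ('ok' | 'not_found' | 'bad_password', groups)."""
    entry = STORES[store_name].get(username)
    if entry is None:
        return "not_found", set()
    if entry["password"] != password:
        return "bad_password", set()
    groups = set(entry["groups"])
    if store_name == "AD1":
        # External AD groups are mapped onto ACS identity groups.
        groups = {AD_GROUP_MAP.get(g, g) for g in groups}
    return "ok", groups


def authenticate(identity_source: str, username: str, password: str) -> Tuple[Optional[str], Set[str]]:
    """Walk a single store or a sequence. Assumed semantics: 'not found' falls
    through to the next store, a wrong password stops the walk."""
    stores = SEQUENCES.get(identity_source, [identity_source])
    for store_name in stores:
        status, groups = lookup(store_name, username, password)
        if status == "ok":
            return store_name, groups
        if status == "bad_password":
            break
    return None, set()


def process(identity_source: str, username: str, password: str) -> Result:
    """Full evaluation of one login for a given identity-policy selection."""
    store_hit, groups = authenticate(identity_source, username, password)
    result = Result(identity_source, store_hit, groups)
    if store_hit is None:
        return result  # no groups retrieved -> nothing matches -> default rule
    for name, needed in AUTHZ_RULES:
        if needed & groups:
            result.rule = name
            break
    return result


if __name__ == "__main__":
    # Weak setting from the thread: identity policy selects "Internal Users" only.
    print(process("Internal Users", "userad1", "pwad1"))
    # Corrected setting: identity policy selects the store sequence.
    print(process("Internal First", "userad1", "pwad1"))
```

The first call never consults AD, so userad1 comes back with no groups and the default rule is all that can match; the second walks the sequence, finds userad1 in AD, maps Support-AD to Support and matches the Support rule. The Monitoring and Report Viewer details Greg describes are the real-world equivalent of inspecting `store_hit` and `groups` here.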

Hello Robert

I am facing the same problems like you.

Please can you help me configure ACS to join the AD?

My goal is to authenticate users on AD for access to Cisco routers and switches.

I configured local users on ACS 5.2 and I tested them. Everything is working fine (authentication, authorization, etc.).

Now I am trying to authenticate users from AD, without success.

I would like to send you the screenshots of the current configuration. Can you please tell me where the mistake is, or what I have forgotten to apply?

Please send me an email so I can send you the screenshots.

Happy New Year

Kostas Papachristofis

Message was edited by Kostas Papachristofis: I attach the screenshots.