Active Directory Integration acs 5.1

tapedeckghost
Level 1

Hello, I'm relatively new to this forum.

I suspect my problem may be a simple one. I'm attempting to integrate an acs 5v into the domain through the gui. The connection will establish, and the status will read 'connected', just as it lists the domain I've submitted. However, I can't seem to find anything listed under the directory groups, and when I run a connection test, I simply get 'Global Catalogue port status error.' Eventually, I'd like to configure this as a radius server.

Anyone else experience this?

3 Replies

Nicolas Darchis
Cisco Employee

Well, I would check the global catalog connectivity :-)

Knowing which DC are global catalog in your domain and sniffing ACS-GC conversation might help.

Are there firewalls in between?

Hi

I have the same problem. I am trying to integrate ACS 5.4 with Active Directory, and it gives me a Global Catalog port error. Please see my adcheck report:

Do you want to continue?  (yes/no) yes
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 172.18.233.18                              : Pass
DNSPROBE : Probe DNS server 10.26.236.26                               : Warning
         : This DNS server does not appear to respond to TCP
         : requests. This is OK for small domains but will cause
         : problems otherwise. Note that the VMware NAT service
         : does not support TCP - this is normal.

DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         :  10.26.236.26 (unknown): TCP dead but UDP OK
         :  172.18.233.18 (nia-bks-x.evxxxx.xxxxxxx.xxxxxxx.be): OK
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.

WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
         :

DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC bebrdc173.be01.awl.atosorigin.net          : Pass
ADPORT   : Port scan of DC bebrdc173.be01.awl.atosorigin.net           : Pass
ADDNS    : DNS lookup of DC bebrvmdc075.be01.awl.atosorigin.net        : Pass
ADPORT   : Port scan of DC bebrvmdc075.be01.awl.atosorigin.net         : Pass
ADDNS    : DNS lookup of DC bebrvmdc199.be01.awl.atosorigin.net        : Pass
ADPORT   : Port scan of DC bebrvmdc199.be01.awl.atosorigin.net         : Pass
ADDNS    : DNS lookup of DC bebrvmdc200.be01.awl.atosorigin.net        : Pass
ADPORT   : Port scan of DC bebrvmdc200.be01.awl.atosorigin.net         : Pass
ADGC     : Check Global Catalog servers                                : Warning
         : There is no GC in site "bebr-st_main".
         : It is recommended that a GC exist in each site.

DCUP     : Check for operational DCs in be01.awl.atosorigin.net        : Pass
SITEUP   : Check DCs for be01.awl.atosorigin.net in our site           : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass
3 warnings were encountered during check. We recommend checking these before proceeding

What error are you getting while integrating ACS with AD? Please attach the screenshot.

Do you know which DC is acting as a global catalog in your network?

Do we have all the ports open that ACS requires to communicate with AD?

If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened:

Protocol         Port number
LDAP             389/udp
SMB              445/tcp
KDC              88/(tcp/udp)
Global catalog   3268/tcp
KPASS            464/tcp
NTP              123/udp
DNS              53/(tcp/udp)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
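A small reachability check for the ports in Jatin's list, added here as an example that is not part of the thread. The port table is copied from the reply above; the domain controller name is a placeholder argument you pass in. UDP entries cannot be verified with a TCP connect and are reported as skipped, so a "skipped" line is not a pass.

```python
import socket
import sys
from typing import Dict, Optional, Tuple

# Ports ACS must reach on the domain controllers, from the list in the reply
# above. For services listed as (tcp/udp) only the TCP side is probed.
AD_PORTS: Dict[str, Tuple[int, str]] = {
    "LDAP": (389, "udp"),
    "SMB": (445, "tcp"),
    "KDC": (88, "tcp"),
    "Global catalog": (3268, "tcp"),
    "KPASS": (464, "tcp"),
    "NTP": (123, "udp"),
    "DNS": (53, "tcp"),
}


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Return None when a TCP connect succeeds, otherwise a short reason.

    A timeout usually means a firewall silently drops the traffic, while a
    refusal means the packet arrived but nothing is listening on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except socket.timeout:
        return "timeout (likely filtered by a firewall)"
    except ConnectionRefusedError:
        return "refused (reachable, but no listener)"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"


def check_dc(host: str, timeout: float = 3.0) -> Dict[str, str]:
    """Probe every service in AD_PORTS on one domain controller (or GC)."""
    results: Dict[str, str] = {}
    for name, (port, proto) in AD_PORTS.items():
        if proto != "tcp":
            results[name] = f"{port}/{proto}: skipped (UDP not testable by connect)"
            continue
        reason = check_tcp(host, port, timeout)
        results[name] = f"{port}/tcp: " + ("open" if reason is None else reason)
    return results


if __name__ == "__main__":
    # Placeholder hostname; replace with the DC that holds the global catalog.
    dc = sys.argv[1] if len(sys.argv) > 1 else "gc.example.internal"
    for service, status in check_dc(dc).items():
        print(f"{service:15} {status}")
```

Run it from the ACS host's network segment against each global catalog server; a timeout on 3268/tcp matches the "Global Catalog port status error" the original post describes and points at a firewall rule rather than ACS configuration.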