8967 Views · 22 Helpful · 5 Replies

Active Directory operation has failed because of an unspecified error in the ACS (after migration to Server 2012 R2 Domain Controllers)

NPT_2
Level 2

Hello,

We are experiencing an inability to authenticate our wireless client devices via Cisco ACS connected to Active Directory.  We are getting the following errors in ACS:

24444 Active Directory operation has failed because of an unspecified error in the ACS

and 

11051 RADIUS packet contains invalid state attribute

This seems to have started after we migrated from Windows Server 2008 R2 Domain Controllers to Windows Server 2012 R2 Domain Controllers.   

Is there some sort of compatibility issue that we might be running into?  

We are running ACS Version: 5.2.0.26.11

What do you think?  Our VPN Connections using this same ACS device and Domain Controllers seem to work just fine, but no one can authenticate to our wireless network.  

Under the active directory Identity store, Active Directory shows connected to the domain and a test result shows the connection test passed.  

Jim

1 Accepted Solution

kushsriva
Level 1

Hi,

According to the ACS 5.2 user guide, ACS 5.2 does not support Windows 2012 R2 servers. Here is the list of supported OS:

ACS supports these AD domains:

  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/users_id_stores.html#wp1248491

However, ACS 5.5 with the latest patch does support Windows 2012 R2:

ACS supports these AD domains:

  • Windows Server 2003
  • Windows Server 2003 R2
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2 is supported after installing ACS 5.5 patch 1.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/users_id_stores.html#pgfId-1321235

So you would need to upgrade the ACS to the latest version of ACS 5.5 in order for the AD integration to work.

To check the supported upgrade path, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#pgfId-284251

Regards,

Kush

5 Replies

mohanak
Cisco Employee

11051 RADIUS packet contains invalid state attribute:

System Created AD attributes should be protected
CSCuf26657
Symptom:

User-created attributes have the potential to overwrite system-created ones, changing the data type from Boolean to string and causing authentication attempts to AD to fail with the error messages below.
Authentication failed: 11051 RADIUS packet contains invalid state attribute
RADIUS Request dropped: 12315 PEAP inner method finished with failure
Conditions:

A user-created attribute can overwrite a system-created attribute if a system-created attribute exists with the same name. The user-created attribute 'IdentityAccessRestricted' overwrote the system-created one, changing the data type from Boolean to string and causing authentication attempts to AD to fail.

IdentityAccessRestricted is a system-created attribute that is created when an ISE node joins AD. If a duplicate attribute is created under Administration > External Identity Sources > Active Directory > Attributes, it will overwrite the data type, changing the value from Boolean to string.

Workaround:
1. Leave AD
2. Delete the AD connection
3. Rejoin AD

or

Restore from a backup.

24444 Active Directory operation has failed because of an unspecified error in the ACS:
ACS 5.x random 24429 and 24444 AD failures
CSCuh59288
Symptom:
We are seeing some authentications fail with either of the following errors:
24429 Could not establish connection with Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ACS

The failures are totally random.

24444 errors usually occurred for users that typed the wrong password or for usernames that did not exist in AD.

Conditions:
ACS 5.3 patch 6

ACS is incorrectly interpreting the response it receives from AD. Rather than reading the response as a failure of the authentication attempt, the ACS is reading the response as a failure of the AD process/failure of connectivity to AD.

Workaround:
N/A
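
The three failure signatures quoted above (24444/24429 from CSCuh59288, 11051 together with 12315 from CSCuf26657, and the observation earlier in the thread that VPN through the same ACS kept working while wireless failed) can be checked mechanically against an export of failed attempts before anyone concludes that the AD link itself is down. The script below is an added example for this thread, not code from mohanak's post or from Cisco. The record format, the sample lines and the `KNOWN_AD_USERS` set are constructed for illustration and do not match the real ACS 5.x report layout; `LINE_RE` is the only piece that would need adapting to a real export.

```python
"""Triage ACS authentication-failure records by AD error code.

Added example for this thread. The record format, the sample log and
the KNOWN_AD_USERS set are constructed for illustration; a real ACS 5.x
report export has a different layout, so adapt LINE_RE to it.
"""
import re
from collections import defaultdict

# Failure codes quoted in the thread.
AD_CONNECTIVITY_CODES = {"24429", "24444"}   # CSCuh59288: may be a misread auth failure
INVALID_STATE_CODES = {"11051", "12315"}     # CSCuf26657: attribute type overwritten

# Hypothetical one-record-per-line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) nas=(?P<nas>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>PASS|FAIL)"
    r"(?: code=(?P<code>\d+))?$"
)

# Constructed sample: wireless (PEAP via WLC) failing, VPN via the same ACS passing.
SAMPLE_LOG = """\
2014-03-12 08:14:02 user=jsmith nas=wlc-01 service=wireless result=FAIL code=24444
2014-03-12 08:14:05 user=jsmith nas=asa-vpn service=vpn result=PASS
2014-03-12 08:14:09 user=nosuchuser nas=wlc-01 service=wireless result=FAIL code=24444
2014-03-12 08:14:11 user=mlee nas=wlc-02 service=wireless result=FAIL code=11051
2014-03-12 08:14:11 user=mlee nas=wlc-02 service=wireless result=FAIL code=12315
2014-03-12 08:14:20 user=akhan nas=asa-vpn service=vpn result=PASS
2014-03-12 08:14:31 user=akhan nas=wlc-01 service=wireless result=FAIL code=24429
"""

# Accounts that actually exist in AD (constructed; in practice take a directory export).
KNOWN_AD_USERS = {"jsmith", "mlee", "akhan"}


def parse_line(line):
    """Return a dict for one record, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text, known_ad_users):
    """Summarise failures per code and per service and derive findings."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    users_by_code = defaultdict(set)
    outcome_by_service = defaultdict(lambda: {"PASS": 0, "FAIL": 0})
    for e in events:
        outcome_by_service[e["service"]][e["result"]] += 1
        if e["code"]:
            users_by_code[e["code"]].add(e["user"])

    findings = []

    # 1. "Connectivity" codes confined to one service while another service
    #    using the same AD identity store passes is not an AD outage.
    failing = {s for s, c in outcome_by_service.items() if c["FAIL"] and not c["PASS"]}
    passing = {s for s, c in outcome_by_service.items() if c["PASS"] and not c["FAIL"]}
    if failing and passing and AD_CONNECTIVITY_CODES & set(users_by_code):
        findings.append(("not-an-ad-outage",
                         f"AD error codes only on {sorted(failing)}; {sorted(passing)} pass"))

    # 2. 24444 for accounts that do not exist: a rejected credential reported
    #    as an AD error (the CSCuh59288 pattern), not a broken DC link.
    unknown = users_by_code.get("24444", set()) - set(known_ad_users)
    if unknown:
        findings.append(("misreported-credential-failure",
                         f"24444 for non-existent accounts: {sorted(unknown)}"))

    # 3. 11051 and 12315 together point at a system attribute whose type was
    #    overwritten by a user-created duplicate (CSCuf26657).
    if INVALID_STATE_CODES.issubset(users_by_code):
        findings.append(("attribute-overwrite-pattern",
                         "11051 and 12315 seen; check AD attribute definitions"))

    return {
        "users_by_code": {c: set(u) for c, u in users_by_code.items()},
        "outcome_by_service": dict(outcome_by_service),
        "findings": findings,
    }


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG, KNOWN_AD_USERS)["findings"]:
        print(f"{tag}: {detail}")
```

Run against the constructed sample, all three findings fire; the useful one operationally is the first, because it says the same thing Jim observed by hand (VPN works, wireless does not, same ACS and same DCs) and rules out a plain AD connectivity outage before any disjoin/rejoin or upgrade is attempted.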
The problem is these 2 messages just started popping up when we changed from AD Win2008R2 DCs to Win2012R2 DCs.  This appears to be preventing all wireless connections from our wireless clients on all APs across our network.  On the plus side it is not affecting our VPN connectivity that uses the same ACS server for authentication.  That being said:

1.  I'm going to try disjoining ACS from AD and then rejoining it to see if it fixes the problem.

2.  However, I'm thinking that version 5.2 of ACS has some sort of compatibility issue with Windows Server 2012 R2 and I will have to upgrade to a newer version.

Can anyone confirm #2?  If so, what version do I need to upgrade ACS to in order to get around this issue if this is the root cause?

I'm thinking I'm likely going to have to open a TAC case in the morning if no one can confirm these theories.

Jim

Disjoining and rejoining ACS from AD unfortunately did nothing to fix the problem.  

I then decided to upgrade to version 5.4.  This upgrade was incredibly slow and after it completed I still was unable to authenticate to the wireless network.  

I took one last chance and upgraded to the latest 5.5.0.46 ACS Software.  Miraculously this fixed the problem and the authentication errors went away and clients are now able to connect to and authenticate to the wireless network without issue.  
Jim  

NPT_2
Level 2

Thanks for the response.  I ended up upgrading to the latest 5.5 version, which fixed the problem and everything is working great.  I just wish I would have had your message earlier, as I upgraded in the hopes (but not knowing for sure) that the new version would fix my issue.

Jim