Cisco ACS 5.1 LDAP group search error

mrpaulhurd
Level 1

I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search.  The error I get is below

22037  Authentication Passed

22023  Proceed to attribute retrieval

24032  Sending request to secondary LDAP server

24016  Looking up user in LDAP Server - testuser

24004  User search finished successfully

24027  Groups search ended with an error

24034  Secondary server failover. Switching to primary server

24031  Sending request to primary LDAP server

24016  Looking up user in LDAP Server - testuser

24004  User search finished successfully

24027  Groups search ended with an error

22059  The advanced option that is configured for process failure is used.

22062  The 'Drop' advanced option is configured in case of a failed authentication request.

Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login.  Any ideas?

3 Replies

larsen_2011
Level 1

I had the same problem. I raised a case but the support was not good. I solved the problem by switching to AD as Identity store. A query to exactly the same groups here never gave an error. But if you need to use LDAP, this is of course no solution.

If you make a TAC case, I would like to learn the outcome!


mrpaulhurd
Level 1

I have opened a TAC case but haven't found a solution yet.  The ACS only allows one AD Identity Source and we're already using it with another domain so I am limited to using LDAP for this one. 

charlie-hall
Level 1

I just started to get these same errors when I changed the LDAP Authentication Server from a FQDN to a domain name, i.e. 'mydomain.com' instead of 'host1.mydomain.com'. I am in the process of retiring a couple of domain servers and instead of just specifying one or two servers, I thought that by specifying the domain name, I could talk to any domain controller.

But the log shows:

24028  User's attributes are retrieved

24022  User authentication succeeded

24027  Groups search ended with an error

I could see getting "24027  Groups search ended with an error" if user authentication had failed, but user authentication did not fail.

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Default Network Access

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - MY-Servers

24031  Sending request to primary LDAP server

24015  Authenticating user against LDAP Server

24028  User's attributes are retrieved

24022  User authentication succeeded

24027  Groups search ended with an error

22059  The advanced option that is configured for process failure is used.

22062  The 'Drop' advanced option is configured in case of a failed authentication request.
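A small triage script, added here as an example (not from Cisco or from anyone in this thread), that reads the ACS step codes quoted in the posts above and reports, per LDAP server tried, whether the user lookup succeeded before the group search failed, which is the case charlie-hall points out where 24027 follows a successful authentication. It only knows the codes shown in this thread, and the sample log is constructed from the first post.

```python
import re

# ACS 5.x step codes exactly as they appear in this thread.
SERVER_START = {"24031": "primary", "24032": "secondary"}  # request sent to a server
USER_FOUND = {"24004", "24028"}  # user search finished / attributes retrieved
AUTH_OK = {"22037", "24022"}     # authentication passed / succeeded
GROUP_FAILED, DROPPED = "24027", "22062"
LINE_RE = re.compile(r"^\s*(\d{5})\s+")

def triage(log_text: str) -> dict:
    """Walk the step codes in order, attributing each result to the server in use."""
    result, current = {"authenticated": False, "dropped": False, "attempts": []}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines such as 'Evaluating Identity Policy' carry no code
        code = m.group(1)
        if code in SERVER_START:  # 24034 (failover notice) starts no attempt by itself
            current = {"server": SERVER_START[code], "user_found": False, "group_failed": False}
            result["attempts"].append(current)
        elif code in AUTH_OK:
            result["authenticated"] = True
        elif current is not None and code in USER_FOUND:
            current["user_found"] = True
        elif current is not None and code == GROUP_FAILED:
            current["group_failed"] = True
        elif code == DROPPED:
            result["dropped"] = True
    return result

def verdict(result: dict) -> str:
    # A 24027 after a good user lookup is not an authentication failure.
    failed = [a["server"] for a in result["attempts"] if a["user_found"] and a["group_failed"]]
    if not result["authenticated"]:
        return "authentication did not succeed"
    if not failed:
        return "no group-search failure"
    return ("group search failed after successful user lookup on: " + ", ".join(failed)
            + ("; request dropped" if result["dropped"] else ""))

# Constructed sample: the first poster's failover sequence, copied from the thread.
SAMPLE_FAILOVER = """22037  Authentication Passed
24032  Sending request to secondary LDAP server
24004  User search finished successfully
24027  Groups search ended with an error
24034  Secondary server failover. Switching to primary server
24031  Sending request to primary LDAP server
24004  User search finished successfully
24027  Groups search ended with an error
22062  The 'Drop' advanced option is configured in case of a failed authentication request."""
```

Running `verdict(triage(SAMPLE_FAILOVER))` shows that both servers found the user and both failed the group search before the request was dropped, which separates this pattern from a genuine bind failure.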
