04-25-2012 06:54 AM - edited 03-10-2019 07:02 PM
Hi!
A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warnings: "Not all Active Directory user groups are retrieved successfully. One or more of the group's canonical name was not retrieved" (Category CSCOacs_Identity_Stores_Diagnostics; code 24457).
Question: What effects do these warnings have on the customer's network? Slowness? Loss of access?
Thank you,
Leonardo.
05-12-2012 08:55 PM
Hello. Could you please post a screenshot of the warnings?
I'm guessing there will be no problems because those groups are not retrieved and then you could not use them in the ACS rules.
On the other hand, do you have usernames with special characters? I have an issue when using PEAP EAP-MSCHAPv2 and non-English characters.
03-19-2014 08:13 PM
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113571-acs5-ad-int-config-00.html
03-19-2014 11:02 PM
Hi,
That's highly probably because ACS handles ASCII characters only.
In older versions (4.x) there was a known problem:
'''snip'''
Problem: ACS Error Message - Not all user Active Directory groups are retrieved successfully...
Why is the Not all user Active Directory groups are retrieved successfully. One or more of the group's canonical name was not retrieved error message seen on ACS?
Solution
This issue occurs because unicode characters are used in the group name on AD. Since ACS sees AD groups as ASCII text, the unicode characters are not translated correctly. As a result, the group membership is not retrieved. Remove the unicode character from the AD configuration in order to resolve this issue.
'''snip'''
In the ACS 5.3 version I can see some of those issues are resolved as per the release notes:
CSCtn26604 ACS 5 did not support UNICODE characters in certificates. This problem is resolved now.
CSCto72918 ACS 5.2 did not support Unicode characters in AAA client shared secret. This problem is resolved now.
However, I didn't find anything talking about non-ASCII usernames. But maybe that applies.
Is it possible for you to make a test with version 5.3 or higher and check if it works?
Regards,
Amjad
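As an added example (not code from this thread or from Cisco), the following script audits a list of AD group canonical names for the condition described above: any character outside 7-bit ASCII marks a group that ACS 5.2 would skip, so it could not be used in an authorization rule. It also lists ASCII punctuation such as ~ ' ^ separately, since those are ASCII and are not covered by the documented cause, and suggests an ASCII-only rename by stripping accents. The group names are constructed for this example, and the "safe punctuation" set is an assumption, not a documented ACS rule.

```python
import unicodedata

# Constructed sample of AD group canonical names (made up for this example);
# the non-ASCII and punctuation characters mirror the ones the thread mentions.
SAMPLE_GROUPS = [
    "example.local/Users/Network Admins",
    "example.local/Users/Equipe Reseau",
    "example.local/Users/Equipe Réseau",
    "example.local/Users/Finanças",
    "example.local/Users/Admin~Ops",
    "example.local/Users/Admin'Ops",
]

# ASCII punctuation that is common in canonical names and treated as harmless
# here. This set is an assumption for the example, not a documented ACS rule.
SAFE_PUNCT = set(" -_./")


def non_ascii_chars(name):
    """Every character outside 7-bit ASCII, as (position, char, Unicode name).
    These are the characters the Cisco doc quoted in the thread blames for the
    "group's canonical name was not retrieved" warning."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def unusual_punct(name):
    """ASCII punctuation outside SAFE_PUNCT (e.g. ~ ' ^). It is ASCII, so it is
    not covered by the documented cause, but it is listed so an admin can test
    such groups separately."""
    return [(i, ch) for i, ch in enumerate(name)
            if ord(ch) <= 0x7F and not ch.isalnum() and ch not in SAFE_PUNCT]


def ascii_fallback(name):
    """Suggest an ASCII-only rename: decompose (NFKD), drop combining marks such
    as the cedilla and the acute accent, and replace anything still outside
    ASCII with '_'. A suggested rename for the admin, not something ACS does."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch if ord(ch) <= 0x7F else "_" for ch in without_marks)


def audit_groups(groups):
    """Return one report dict per group. 'retrievable' is False when the name
    contains non-ASCII characters, i.e. ACS 5.2 would skip the group and it
    could not be referenced in an authorization rule."""
    report = []
    for g in groups:
        bad = non_ascii_chars(g)
        report.append({
            "name": g,
            "retrievable": not bad,
            "non_ascii": bad,
            "unusual_punct": unusual_punct(g),
            "suggested": ascii_fallback(g) if bad else g,
        })
    return report


if __name__ == "__main__":
    for row in audit_groups(SAMPLE_GROUPS):
        flag = "OK  " if row["retrievable"] else "SKIP"
        print(f"{flag} {row['name']}")
        if not row["retrievable"]:
            print(f"      non-ASCII: {row['non_ascii']} -> rename to {row['suggested']!r}")
        if row["unusual_punct"]:
            print(f"      unusual punctuation: {row['unusual_punct']}")
```

To run this against a real directory, replace SAMPLE_GROUPS with the canonicalName values exported from AD (for example via an LDAP query or a PowerShell export); groups reported as SKIP are the ones the warning refers to and should be renamed or left out of ACS rules.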