I logged into the ACS v3.3 and selected the "Group setup" the disabled box is uncheck under the Group disabled. Do I need to manually add the user to enable the authentication ?Sorry for any inconvenience as I am still new to ACS. Please advice. Thank you.

Hi Jimmy,

Please check the user properties on the Active directory. Maybe the dial-in properties are defined as denied. please change them to "allow access".

Let us know how it goes.

Regards,

Anisha

No worries, keep us posted until you get the resolution.

Well, if the users resides on the ACS internal database and not in the AD-active directory then you have to placed users manually in their resoective groups. However, if this setup includes active directory then group mapping would do.

Group-mapping

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/qg.html#wp940515

Rgds,

Jatin

Do rate helpful posts~

Previously, all the users are able to authenticate. But unable to authenticate anymore and no configuration changes on the AP, ACS and AD. AD and ACS are in domain A while users laptops are in domain B.

The authentication is done by the Windows Database configured in the Unknown user policy. By right if the user account is not in the ACS, it will automatically authenticate via external windows database.

Hi all,

Check the dial-in under the user account but is for the VPN remote access dial in. But seem no settings can be change.

Date Time Message-Type User-Name Group-Name Caller-ID Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address 01/31/2011 18:09:38 Authen failed tester02 .. 0012.f08a.36d4 External DB user invalid or bad password .. .. 663 172.24.11.10 01/31/2011 18:09:04 Authen failed Tester02 .. 0012.f08a.36d4 External DB user invalid or bad password .. .. 662 172.24.11.10

The tester02 username is created inside the AD for testing purpose. No account being created inside the ACS. Please advice. Thank you.

This is more of permission issue. looks like you are using ACS windows.

here are the steps to create package.cab file :

Below is the procedure to get the package.cab file from the ACS server.. Set detailed
logging mode(system config ==>service control ===>Services Log File
Configuration-full).  This will ensure that all the proper service startup information is
included in the package.cab file.

- Log onto the ACS server itself as the local administrator.
- Browse to the UTILS directory in the ACS program directory.(C:\program files\ciscosecure
acs v3.x\utils)
- Run the program there called CSSupport.
- Select "Set Log Levels Only" and click Next.
- Select "Set Diagnostic Log Verbosity to Maximum."
- Click Next, then click Finish.

At this point, we need to duplicate the issue. Once that's done, we need to gather the verbose logs created.  To do so, follow the instructions below AFTER the problem has been recreated and recorded:

- Log onto the ACS server itself as the local administrator.
- Browse to the UTILS directory in the ACS program directory.
- Run the program there called CSSupport.
- Select "Run Wizard" and click Next.
- Only do these steps if we need more than today's logs:
- Put a check in both "Previous Logs" checkbox.
- Select the number of days to go back.
- Click Next four times. Select the radius/tacacs capture option as applicable
- When the Finish button appears, click it.

The package.cab will be found in the UTILS\Support directory under the ACS program directory. This file contains all of the log information from ACS

HTH

Rgds,

Jatin

~Do rate helpful posts~