08-08-2005 12:07 PM - edited 03-10-2019 02:15 PM
I have installed Cisco ACS 3.3 on a Windows 2003 member server. This server is not a controller (domain controller or otherwise); I am told it is just a "member" server.
I am told the directory is a 2003 directory by the server guys. I'm not sure if there is a difference between a 2000 directory and a 2003 directory.
This is being set up to authenticate AS5300 PPP users via TACACS to the ACS server; the ACS server in turn is to do an external database link to the Active Directory servers. A CSACS account has been created; this account runs the service, is a local admin on the server ACS is installed on, and has read-all privileges to certain directory groups. I firmly believe that all publicly documented requirements have been met.
Well, after 4 months of work on this, I was told a month back (not by the server guys) that in order for the ACS program to "read" the passwords of a group of directory users, the CSACS account MUST be a "Domain Admin".
After 3 months of this not working, this is the answer: the CSACS user must be made a domain admin.
How many of you have ACS 3.3 checking a Windows Active Directory with the CSACS account NOT being a "Domain Admin" of the Active Directory or a "Local Admin" of *all* of the directory controllers?
Comments?
08-12-2005 12:03 PM
Cisco has observed that, in some customer environments, there are issues related to ACS external user authentication to a Windows Active Directory (AD). This problem can occur due to a permissions issue in the AD.
Depending on the Windows environment, some member servers do not have the appropriate permissions to:
- Read the AD in order to validate the user's authentication credentials
- Retrieve the dial-in permission authorization
- Enumerate a group listing in order to perform the ACS group mapping function
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml
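As an added diagnostic (this is not Cisco's code and not part of the thread), the script below reproduces the three reads listed above from the point of view of the service account, so you can see which one fails before deciding whether the account really needs Domain Admin. Run it on the ACS member server under the CSACS account (for example via `runas /user:DOMAIN\csacs powershell.exe`). It assumes a domain-joined host with .NET System.DirectoryServices available; the `-User` value is a sample sAMAccountName and must be replaced with a real test user.

```powershell
<#
 Added diagnostic, not from the thread or from Cisco.
 Run as the CSACS service account on the ACS member server.
 Assumptions: domain-joined host, System.DirectoryServices present,
 and a test user whose sAMAccountName is passed in -User (sample below).
#>
param([string]$User = 'testuser')   # sample account name, assumed

Add-Type -AssemblyName System.DirectoryServices

$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$baseDn  = $rootDse.Properties['defaultNamingContext'][0]
$base    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$baseDn")

# 1. Locate and read the user object (credential validation needs at least this).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$User))"
foreach ($p in 'distinguishedName', 'msNPAllowDialin', 'memberOf') {
    [void]$searcher.PropertiesToLoad.Add($p)
}
$hit = $searcher.FindOne()
if ($null -eq $hit) {
    Write-Warning "Cannot find or read user '$User' as $env:USERDOMAIN\$env:USERNAME"
    exit 1
}
$dn = $hit.Properties['distinguishedname'][0]
"User object readable: $dn"

# 2. Dial-in permission. AD omits attributes the caller is not allowed to read,
#    so an absent value means either the attribute is unset ('Control access
#    through policy') or this account lacks Read on msNPAllowDialin.
if ($hit.Properties['msnpallowdialin'].Count -gt 0) {
    "msNPAllowDialin = $($hit.Properties['msnpallowdialin'][0])"
} else {
    Write-Warning 'msNPAllowDialin not returned: unset, or not readable by this account'
}

# 3. Group enumeration (what ACS group mapping depends on). tokenGroups is the
#    transitive group set and has to be read from the object via RefreshCache.
$userEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
try {
    $userEntry.RefreshCache(@('tokenGroups'))
    $groups = foreach ($sidBytes in $userEntry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    "Groups enumerated: $(@($groups).Count)"
    $groups | Sort-Object | ForEach-Object { "  $_" }
} catch {
    Write-Warning "Cannot enumerate tokenGroups for $dn : $($_.Exception.Message)"
}
```

If step 1 succeeds but step 2 or 3 fails, the problem is attribute-level read permission for the calling account rather than a need for Domain Admin; compare the output when run as a plain domain user, as the CSACS account, and as an administrator to see which right is missing.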
08-26-2005 06:11 AM
Hi,
I am using ACS 3.2 on a Windows 2000 SP4 member server. I use it for our wireless clients, and all works fine, except when I use our ACS to authenticate VPN Concentrator 3020E clients it fails with an error on ACS about a dial-in permission issue, although the users in AD have all the dial-in permissions needed.
Please see if this link helps; this is what I followed, and it works on our live wireless network.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/win32sig.htm#wp10311
Regards.