"24427 Access to Active Directory failed" error in ACS 5.1

Vincent Fortrat
Level 1

Hello,

I'm working on implementing RADIUS authentication for wireless access with the following:

- PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),

- AP 1252 configured to use a RADIUS server to authenticate (it's working well with an ACS server 4.2),

- ACS Server 5.1.0.44.5 running as a VM connected to an AD domain and working well with VPN connections,

- AD domain running on Windows 2003 Server.

My ACS VM has been working well for a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point, but I'm getting this error: "24427 Access to Active Directory failed". I switched from PEAP to LEAP but it's the same.

All I can get running the expert troubleshooter is:

Investigating failure code: 24427 Access to Active Directory failed
Checking if Active Directory is configured
Active Directory is configured
Attempting connection to Active Directory
Connection to Active Directory was successful.
Troubleshooting completed.

Click on Show Results Summary to view results.

I followed this guide, at least for the ACS certificate section:

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

Does anyone have an idea where the problem may come from?

Thanks in advance,

Vincent

27 Replies

Federico Ziliotto
Cisco Employee

Hi Vincent,

Does the AD user have dialin permissions enabled by any chance?
This is to confirm whether we may be hitting a known limitation.

To further investigate this we could collect some initial logs from ACS 5.1, in order to start isolating the issue:

1. Log in to the ACS command line and enable the following debugs:

admin# acs-config
Escape character is CNTL/D.

Username:
Password:

acsadmin(config-acs)# debug-adclient enable
acsadmin(config-acs)# debug-log mgmt level debug
acsadmin(config-acs)# debug-log runtime level debug

2. Recreate the issue a couple of times.

3. Take note of the time stamp when you recreate the issue and then collect the ACS support bundle from the Monitoring & Report Viewer, under

Troubleshooting > ACS Support Bundle

Please be sure to collect the support bundle with the following options checked:

Include full configuration database = Unchecked
Include debug logs = All
Include local logs = All
Include core files = All
Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Also, please communicate the time stamp when the issue is observed, so that we can track it faster in the logs.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Fede,

Thanks for your reply.

I used the administrator account to join the AD; I checked and it has dial-in permissions.

I have downloaded the ACS support bundle and tried to extract it, but all I can get is a .gpg file... how can I check the log files?

Since the max size for uploaded content is 50MB, I attached the entire file, which is 18MB.

FYI, I recreated the issue at 5:04PM.

Best regards,

Vincent

Thank you Vincent,

It looks like the support bundle was generated with encryption enabled.

Would it be possible to please re-generate it with the following options?

Encrypt Support Bundle = Unchecked <<< IMPORTANT

Include full configuration database = Unchecked

Include debug logs = All

Include local logs = All

Include core files = All

Include monitoring and reporting logs (all categories checked) = Include files from the last 1 day

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Federico,

I don't see any option to enable the encryption or not. It seems that this feature is only supported by ACS 5.2 and I'm using 5.1.

Best regards,

Vincent

That's right, Vincent; sorry if I didn't include all the details in my previous message.

I also already tried yesterday to decrypt the bundle with one of our ACS 5.1 servers, but it failed, which is why I thought of asking anyway.

Maybe you could try to decrypt the support bundle from your side directly:

1. Load the support bundle to an FTP location.

2. Create an FTP repository on ACS to point to this FTP location.

3. SSH to ACS and enter the "acs-config" mode:

admin# acs-config

Escape character is CNTL/D.

Username:

Password:

acsadmin(config-acs)#

4. Then please decrypt the bundle with the following command:

decrypt-support-bundle acs-support-bundle-01-05-2011-17-05.tar.gz

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Vincent,

As a further option, apart from trying to decrypt the support bundle on your side, could you maybe try to collect it one more time (being sure to include the logs from the last failure)?

If the previous one was corrupted, then the failure in decrypting it could be expected.

Regards,

Fede

I'm stuck at step 4, I am not able to decrypt the support bundle:

acs/ACSAdmin(config-acs)# decrypt-support-bundle pc_vincent_ftp acs_acs_support.tar.gpg
Decrypting Support Bundle...
Repository: pc_vincent_ftp
Support Bundle: acs_acs_support.tar.gpg
Unable to import file 'acs_acs_support.tar.gpg' from remote repository 'pc_vincent_ftp'

Looking at my FTP server log file, ACS doesn't even try to access the repository, which is working (I used it to load the patch file for ACS).

I tried using FTP but it doesn't work either. Did you manage to get this command working?

Regards,

Vincent

Hi Vincent,

That's exactly the very same error message I am getting.

Could you maybe test by recreating the issue today and re-download the support bundle with the logs just from today?

Then, without trying to uncompress the bundle with other tools, just attach it here (or even try to decrypt it yourself with the procedure I posted before).

I am suspecting that something got corrupted in the previous support bundle.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

As you suggested, I re-downloaded the support bundle, but I'm still not able to decrypt it.

Best regards,

Vincent

Hi Vincent,

The next best alternative I could think of is to collect the log files through "show" commands on the ACS command line:

show acs-logs filename ACSManagement.log

show acs-logs filename acsRuntime.log

show acs-logs filename ACSADAgent.log

Please log the full output of these three commands right after having recreated the issue.

In case you'd like to filter even further for a specific month (so as not to also collect the logs from December, for example), you could also try the following syntax:

show acs-logs filename ACSManagement.log | i Jan

show acs-logs filename acsRuntime.log | i Jan

show acs-logs filename ACSADAgent.log | i Jan

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Federico,

I did try to run the commands, but the log files are pretty big and almost impossible to copy/paste into a text file. Any idea how to download the full files from ACS?

Regards,

Vincent

Hi Vincent,

I know it's a bit of a pain :-(

You could maybe try to simply keep scrolling and logging the text output in the meantime (so no copy+paste needed).
In Putty for example, this can be done by right-clicking on the window's bar and selecting

change settings... > logging > all session output > (browse to where you'd like to save the file) > apply

Unfortunately, the only logs we can transfer through the "copy" command are those for ADE, which are not useful for our issue.
The debugging logs we are looking for are stored internally and cannot be retrieved via FTP for example with the standard commands. There is a patch that we could install to access the underlying Linux OS, but for us to publish this you would need to go through the official channel of a TAC case:
http://tools.cisco.com/ServiceRequestTool/create/launch.do

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
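Once the full "show acs-logs" output has been captured through PuTTY session logging, correlating it with the time stamp Fede asked for is the tedious part. The following is an added Python example (not from this thread, nor Cisco's code) that slices a captured session log to a few minutes around the recreation time, drops pager and prompt noise, and pulls out the lines carrying the 24427 failure code; the syslog-style line format and the sample lines are constructed for illustration, since the real ACS log layout is not shown in the thread.

```python
"""Slice a captured ACS CLI session log around the time an issue was recreated.

Added example, not part of the thread. Assumes each log entry starts with a
syslog-style stamp such as 'Jan  5 17:04:09' (no year). The sample session
below is constructed for illustration and is not real ACS output.
"""
from datetime import datetime, timedelta

YEAR = 2011  # the stamps carry no year; taken from the bundle name in the thread
RECREATED_AT = datetime(YEAR, 1, 5, 17, 4)  # Vincent recreated the issue at 5:04PM

# Constructed sample of a logged 'show acs-logs ... | i Jan' session.
SAMPLE_SESSION = """\
acsadmin(config-acs)# show acs-logs filename acsRuntime.log | i Jan
Jan  5 16:58:03 acs runtime: RADIUS request received, user=testuser
Jan  5 17:04:07 acs runtime: EAP-PEAP session started, user=testuser
Jan  5 17:04:09 acs runtime: 24427 Access to Active Directory failed
 --More--
Jan  5 17:04:09 acs runtime: Authentication result=FAILED, user=testuser
Jan  5 17:20:41 acs runtime: RADIUS request received, user=admin
"""


def parse_stamp(line, year=YEAR):
    """Return the datetime at the start of a log line, or None for noise
    (CLI prompts, the pager's '--More--' line, blank lines)."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def slice_window(session_text, recreated_at=RECREATED_AT, minutes=2):
    """Keep only timestamped lines within +/- `minutes` of `recreated_at`."""
    lo = recreated_at - timedelta(minutes=minutes)
    hi = recreated_at + timedelta(minutes=minutes)
    kept = []
    for line in session_text.splitlines():
        stamp = parse_stamp(line)
        if stamp is not None and lo <= stamp <= hi:
            kept.append(line.rstrip())
    return kept


def find_failure(lines, code="24427"):
    """Return the lines in the window that carry the ACS failure code."""
    return [line for line in lines if code in line]


if __name__ == "__main__":
    window = slice_window(SAMPLE_SESSION)
    print("\n".join(window))
    print("failure lines:", len(find_failure(window)))
```

Run against a real PuTTY session file, read the file into `session_text` and pass the actual recreation time; widen `minutes` if the ACS clock and the one you noted the time on are not in sync.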

Hi Federico,

I'm currently out of office for a couple of days. I'll let you know as soon as I have some more information to investigate our problem, probably on Friday.

Best regards,

Vincent