04-25-2005 06:50 AM - edited 03-10-2019 02:07 PM
We are using the ACS v3.3 to do TACACS authentication for network device administration. This authentication is via Windows authentication.
The issue I have is that ACS will not authenticate users from one domain (e.g. domain1), BUT it will authenticate users from other domains (domain2 & domain3). The server is based in domain1. The failing user accounts are in the same domain as the server, domain1.
The local server support team have said that this is not an issue with the server (as they are able to log on to the actual server - with their local domain admin account based in domain1).
If I fail the TACACS service over to a backup server in domain2, then all user authentications succeed, regardless of the location of their Windows account.
Anyone have an idea how I can test or fix this?
04-25-2005 10:00 PM
We'd need to see what the logs say, but it's probably a permissions issue with the user that is running the ACS services.
Go under System Config - Service Control, enable Full logging and restart. Then try a test authentication for a user in domain1.
After it fails, go to c:\program files\Cisco Secure ACS v3.x\CSAuth\Logs and open the auth.log file. Near the bottom, search for the user that you just tested, and there'll be some lines there about it trying to authenticate the user, checking the external database and it failing. Post those back onto this forum and it should give us an indication as to what's happening.
05-03-2005 06:28 AM
I am having a similar problem but have the appliance. Which log is it that I should view?