ACS 5.2 with Active Directory

Samer Ghishan
Level 1

I have installed ACS 5.2 and configured it to join the company's domain as an external database with Active Directory 2008.

I'm facing a problem: once a user is authenticated using their Active Directory account, it's cached in the ACS and it takes a while for the ACS to clear this username.

For example, if user TEST authenticates and then we remove this user from the AD and try again, it authenticates although this user is removed from the AD !!! The same thing happens when we change the user's group on the AD: it takes a while for the ACS to clear the old user attributes and get the new ones from the AD.

Is there an aging time for this caching mechanism, or can I clear the dynamic users manually just like in ACS 4.x?


slawford
Cisco Employee

Hi Samer,

I have tested this in my lab with ACS 5.2 to Windows 2008 AD and see an access reject as soon as I delete the test user.

Do you have multiple domain controllers in your AD environment? If so, are you sure that the user changes have been replicated fully in AD?

Also when you say it takes a while for user changes to be reflected in ACS, roughly how long are we talking (seconds, minutes, hours)?

Steve.

I am having a similar problem in my environment.  We have an AD group for wireless users.  ACS doesn't seem to work when users are added to this group for hours.  I don't see any options for update intervals or the like.  If I find something I will post.

Hi,

I've solved the problem. It was an AD replication issue. There was a third AD server that I was not aware of that replicates every 3 hours, and the DNS I'm using was replying to the ACS with that server's IP. I've configured the DNS to always reply back with the other two AD servers' IPs and everything worked fine.

I figured that out when I tried to capture the ACS traffic through Wireshark and found the third AD server's IP in the logs.

Hope this will help you.
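A diagnostic for the situation in this thread, added here as an example and not code from the original post: it resolves the same DC SRV records an LDAP client like ACS uses, then asks every advertised DC directly whether the user exists and which groups it belongs to, so a lagging replica (the unnoticed third DC above) shows up as a disagreement. It assumes the RSAT ActiveDirectory and DnsClient modules and uses placeholder values for the domain and user.

```powershell
# Added example (not from the thread). Assumes RSAT: ActiveDirectory and DnsClient modules.
param(
    [string]$Domain = 'corp.example.com',   # placeholder domain name
    [string]$SamAccountName = 'TEST'        # user from the thread
)

# 1. Which DCs does DNS hand out? This is the SRV lookup a domain-joined client performs.
$dcs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# 2. Ask each DC directly, bypassing DC locator, so replication lag becomes visible.
$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Server $dc -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop
        [pscustomobject]@{ DC = $dc; Exists = $true;  Groups = (($u.MemberOf | Sort-Object) -join ';') }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The user is missing on this DC: either deleted here already or not yet created here.
        [pscustomobject]@{ DC = $dc; Exists = $false; Groups = '' }
    } catch {
        # Unreachable or otherwise failing DC; record it rather than aborting the comparison.
        [pscustomobject]@{ DC = $dc; Exists = $null;  Groups = "ERROR: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# 3. If the DCs disagree, replication has not converged; show each DC's replication partners.
$distinct = @($results | Select-Object Exists, Groups -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "DCs disagree about '$SamAccountName'; check replication status:"
    foreach ($dc in $dcs) { repadmin /showrepl $dc }
}
```

If one DC still returns a deleted user or stale groups, whichever of those DCs DNS returns to the ACS is the one that will answer its authentication requests, which matches the behaviour described in the thread.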