Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2530
Views
0
Helpful
5
Replies

ACS 5.3 - Active Directory - Limit/control which DCs can be used to auth

Go to solution
gonnason
Level 1
Level 1

‎01-11-2012 12:36 PM - edited ‎03-10-2019 06:42 PM

Hi all,

I have a Cisco ACS server deployed for TACACS and RADIUS authentication for end users.

Everything works well, it is joined to the domain, people can auth most of the time. However it appears that ACS is trying to auth against *ANY* DC within my domain.

dns.findsrv FindSrvFromDns runs, and pulls every DC for use. Not all of these are reachable, nor do all fo them have the same user structure.

Is there some way to specify or limit/control what DCs are queried?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
camejia
Level 3
Level 3

‎01-11-2012 12:50 PM

Hello,

Unfortunately at this point there is no way to control which DC's should be queried by the ACS. The ACS will retrieve all the available DC's on your AD Domain and contact any of them.

An enhancement request is already filed and developers are working on it to include the feature on future releases. Here is the information:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062

ACS should be able to query only desired DCs

Symptom:
Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.

If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.

A lot of customers are asking for a change on this behavior.
It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.

Conditions:
Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.

Workaround:
Make sure ALL DCs are UP and reachable from the ACS.

Hope this clarifies it.

Regards.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
camejia
Level 3
Level 3

‎01-11-2012 12:50 PM

Hello,

Unfortunately at this point there is no way to control which DC's should be queried by the ACS. The ACS will retrieve all the available DC's on your AD Domain and contact any of them.

An enhancement request is already filed and developers are working on it to include the feature on future releases. Here is the information:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062

ACS should be able to query only desired DCs

Symptom:
Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.

If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.

A lot of customers are asking for a change on this behavior.
It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.

Conditions:
Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.

Workaround:
Make sure ALL DCs are UP and reachable from the ACS.

Hope this clarifies it.

Regards.

0 Helpful

Go to solution
gonnason
Level 1
Level 1
In response to camejia

‎01-11-2012 01:44 PM

Thank you for your answer. It isn't what I wanted to hear but it is clear.

Odd thing is that it also seems to Follow *ANY* domain trusts, and query their DCs.

So say I have the following:

xyz.com has trusts with the following domains:

abc.com

dev.xyz.com

So ACS gets a list of DCs of xyz.com, AND a list of all DCs of all trusted Domains; and proceeds to query them all. This is wrong.

My DCs in my main Domain xyz.com respond correctly when queried:

dig any _ldap._tcp.corp.xyz.com @10.10.1.23 +short

0 100 389 site1dc01.corp.xyz.com.

0 100 389 site2dc01.corp.xyz.com.

0 100 389 site3dc02.corp.xyz.com.

0 100 389 site4dc01.corp.xyz.com.

0 100 389 site3dc01.corp.xyz.com.

0 100 389 site5dc01.corp.xyz.com.

This is the only list of DCs TACACS should use. It should not spider through Trusted Domains.

0 Helpful

Go to solution
camejia
Level 3
Level 3
In response to gonnason

‎01-11-2012 02:15 PM

Hello,

I do not have a straight forward answer for TACACS+ requests querying Trusted Domains. Actually, for the ACS to contact Trusted or Child Domains to its local domain we need to use NETBIOS or UPN format for the username:

Note You  have to add a UPN suffix or NETBIOS prefix to the username when  authenticating to a domain that the ACS is not joined to, including the  child domains. 

The above note is included on the ACS documentation:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213

Regards.

0 Helpful

Go to solution
dchamorro
Level 1
Level 1

‎01-15-2012 06:41 AM

There actually IS a way to control what DC's are used by ACS, but it has nothing ot do with ACS. Once the ACS machines are added to your domain, move the machines to an OU/container of your choice. Then use Active Directory Sites and Services to make the domain restrictions. We had to do this in our environment as we have over 150 DC's.

0 Helpful

Go to solution
rishikesh_khedkar
Level 1
Level 1
In response to dchamorro

‎07-09-2012 04:54 AM

Hello, my name is Rishi and I have a quick question.

Can we have the same ACS appliance integrated with a diff OU in the AD (maybe with a diff IP address range) ?

If so, how?

Thanks,

Rishi

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents