Re: ACS v5.6 and authorization problems with remote forest

simong · ‎02-20-2018

Folks,

I have a weird ACS authorisation problem on which I'm hoping the AAA community here can shed some light...

Users & computers exist in a remote AD (abc.local) which has a 2-way Forest Trust AD with the AD to which ACS v5.6 is joined (xyz.net)

My ACS will 'authorise' AD-authenticated in the abc.local AD ONLY IF ExternalGroups ARE NOT configured in the authorisation rule. If ExternalGroups are configured, the authorisation fails with 'Access-Reject'

Any ideas?

Jatin Katyal · ‎02-20-2018

It seems during the user lookup, the AD groups are not popping up for that specific user, hence not matching the authz policy and getting the results ( Deny ) from the Default one. In order to verify, look at the details of radius authentication log for external AD groups. Was this working in the past ? also do you have forest 2-way trust ?

~ JK

~Jatin

simong · ‎02-20-2018

Hi Jatin, thanks for replying. This particular AD authorization policy is a new requirement to enable wifi mobility with partner organisation's AD. The RADIUS authorisation log does contain an entry indicating 'Retrieval of all groups was not possible' (or similar message) but I've seen this message before and ignored it as no problems were encountered.

There is a forest 2-way trust in place with this AD. Authz policies for other Ad's that do work are external 2-way trusts so I don't have a working precedent though I'm presuming it is a supported configuration.

If there was a handy command which could be used with the ACS ADCLIENT CLI troubleshooting to obtain the list of groups an AD user belongs then this may help to highlight the underlying issue.

Regards,

Simon

ajc · ‎02-21-2018

Not sure if you are aware about this.

Jatin Katyal · ‎02-21-2018

Lets check the debugs:

Can you enable the debug-adclient enable & duplicate the issue while having a external groups in the authz condition.

For more info on how to enable debugs.

https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/command/reference/cli/cli_app_a.html#53984

then check show acs-logs filename ACSADAgent.log

~Jatin

simong · ‎02-22-2018

Hi Jatin,

Thank you for suggestion - it has proven most helpful!

There are errors being logged for a particular AD login such as :

Feb 22 09:26:08 bv-acs5 adclient[18044]: DEBUG <fd:42 MS-RPC user authentication > base.adagent.domaininfo isForeignDomain: Domain abc.local not in map

Feb 22 09:26:08 bv-acs5 adclient[18044]: DEBUG <fd:28 CAPIGetObjectBySID > base.aduser Domain doesn't trust us. Fetching a foreign object S-1-5-21-1005532245-1684542211-154385

9470-5758

Feb 22 09:26:08 bv-acs5 adclient[18044]: DIAG <fd:28 CAPIGetObjectBySID > base.adagent S-1-5-21-1005532245-1684542211-1543859470-9931 is from a one-way trust. Creating fake o

bject

Feb 22 09:26:08 bv-acs5 adclient[18044]: DEBUG <fd:28 CAPIGetObjectBySID > base.aduser Creating foreign user object dn <GUID=71ad1fee32e9428fa1f1a428e33889cf>;<SID=010500000000

0005150000005534ef3b031368640e6d055c56320000>;CN=71ad1fee32e9428fa1f1a428e33889cf,CN=Foreign User,CN=One Way Trust,DC=XYZ,DC=NET

Now....where to investigate these error codes and translate to microsoft lingo!