Beginner

Cisco ACS 4.2.1 authentication problem

We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the ACS configuration for the Windows database and found no problem, but we can't see the dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.

Cisco Employee

Can someone help answer this question? I have one customer who also asked me about this. One thing I found is that ACS 5.3 can support AD on Windows 2008 R2, but my customer doesn't want to pay for an upgrade.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/device_support/sdt53.html

Beginner

Hi there,

This is a very common question: "Does ACS 4.x support authentication with 2008 R2?" Unfortunately, the answer is no. The only ACS server that supports authentication against this specific DB is ACS 5.2.0.26 and later; not even ACS 5.1.0.44 supports this.

You can check the release notes to confirm this:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html

However, there are workarounds: for example, you can use LDAP, or you can use a RADIUS proxy. Using LDAP should work unless you are using PEAP, as this protocol doesn't support LDAP as the DB.

RADIUS proxy means that the authentication request will reach the ACS 4.x, and this server will send the request to MS IAS or NPS for the authentication. The problem here is that you will need to use two RADIUS servers.

Rate if it helps!

Beginner

Hi there,

There is a section in ACS 4.x where you can define whether the ACS should show the dynamic users or not. Make sure that this option is unchecked; for this, go to External User Databases/Unknown User Policy/Configure Caching Unknown Users.

Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.

Let me know if this helps.