01-03-2011 11:26 AM - edited 03-10-2019 05:41 PM
Hello,
I'm working on implementing RADIUS authentication for wireless access with the following:
- PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
- AP 1252 configured to use a RADIUS server to authenticate (it's working well with an ACS server 4.2),
- ACS Server 5.1.0.44.5 running as a VM connected to an AD domain and working well with VPN connections,
- AD domain running on Windows 2003 Server.
My ACS VM has been working well for a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
All I can get from running the expert troubleshooter is:
Investigating failure code: 24427 Access to Active Directory failed
Checking if Active Directory is configured
Active Directory is configured
Attempting connection to Active Directory
Connection to Active Directory was successful.
Troubleshooting completed.
Click on Show Results Summary to view results.
I followed this guide, at least for the ACS certificate section:
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
Does anyone have an idea where the problem may come from?
Thanks in advance,
Vincent
01-11-2011 02:04 AM
Thank you Vincent, looking forward to hearing back from you.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
02-22-2011 09:26 AM
Hi Federico,
I hope you're doing great since our last conversation.
Since my last post, I upgraded my ACS to version 5.2. I did exactly the same thing as previously with the 5.1 release and I'm getting the exact same error...
But now, I'm able to generate a support bundle without encryption so you will be able to take a look at the log files.
I experienced my authentication failure around 17:15 today.
Thanks again for your help,
Best regards,
Vincent
02-23-2011 08:11 AM
Hi,
I'm not giving up, so I did some additional tests today. I made it work by changing the protocol and/or the inner method used by the protocol. My conclusion is that each time I use MS-CHAP (v1 or v2) as the inner method it fails (LEAP, EAP-FAST or MS-PEAP), but each time I use EAP-GTC as the inner method it works (EAP-FAST and CISCO-PEAP).
I checked my ACS configuration. In the "allowed protocols" section of my default network access policy, MS-CHAP inner method is allowed for PEAP and EAP-FAST.
Any idea what could cause the problem?
Thanks in advance,
Vincent
01-04-2012 07:03 AM
Hi,
My problem was gone for some time and since yesterday, I'm having trouble authenticating with any protocol using MSCHAP as the inner method. I upgraded my ACS server to 5.3.0.40 (patch 1) but the problem is still there.
Any idea or investigation tip to help?
Vincent
01-04-2012 07:25 AM
The AD user must have permissions to add and remove users and machines in the domain.
And make sure your password is working perfectly; you can test by logging on to any machine in the domain.
01-04-2012 07:43 AM
Hi Jonatas,
Thanks for your answer. My user is an administrator and has the right to add and remove users and machines. My password is working perfectly well.
Vincent
01-07-2012 11:31 AM
Hi Vincent,
- Could you go to the AD configuration, click on test connection and check if it shows connected?
- Please log in to the ACS through SSH, do nslookup (your domain name) and check if it resolves?
Regards,
Kush
01-09-2012 12:32 AM
Hi,
Last week, I finally found out what was going on with my ACS, sometimes working, sometimes not working. It was actually not a problem on the ACS but on the Active Directory, particularly on my secondary domain controller. I don't know yet which feature or setting is wrong, but each time it assumes the role of domain controller (after a reboot of the primary, for example), my ACS fails to access the Active Directory.
I'll let you know if I have some more information about the problem.
Vincent
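A check script in the spirit of Kush's two suggestions and Vincent's secondary-DC finding, added here as an example (it is not from this thread or from Cisco): it resolves the domain's DC SRV records and then tests LDAP (389) and Kerberos (88) reachability on each DC, so a controller that cannot serve the ACS shows up before it takes over. It assumes `dig` and `nc` are available on the host you run it from and that the domain name is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes 'dig' and 'nc' exist on the
# checking host (an admin workstation on the same network as the ACS; the ACS
# CLI itself only offers nslookup) and that the AD domain name is passed as $1.

# Parse 'dig +short SRV' output ("prio weight port target.") into "port target"
# pairs, ordered by priority then weight, i.e. the order a client would try them.
parse_srv_targets() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $3, $4 }'
}

# Return 0 if TCP port $2 on host $1 accepts a connection within 3 seconds.
tcp_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Check the domain name resolves (Kush's nslookup test), then check every DC
# advertised for the domain on LDAP and Kerberos. Prints one line per DC/port
# and returns non-zero if any DC failed, 2 if DNS gives no DC records at all.
check_domain_controllers() {
    domain=$1
    failed=0
    if [ -z "$(dig +short A "$domain")" ]; then
        echo "WARN $domain does not resolve to an address; check DNS on the ACS"
    fi
    targets=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | parse_srv_targets)
    if [ -z "$targets" ]; then
        echo "FAIL no DC SRV records for $domain (DNS problem, not an AD one)"
        return 2
    fi
    for host in $(printf '%s\n' "$targets" | awk '{ print $2 }'); do
        for port in 389 88; do
            if tcp_open "$host" "$port"; then
                echo "ok   $host:$port"
            else
                echo "FAIL $host:$port"
                failed=1
            fi
        done
    done
    return $failed
}

# Only run the live check when a domain was given on the command line.
if [ -n "$1" ]; then
    check_domain_controllers "$1"
fi
```

Run it while the primary DC is down and again after it returns; a DC that only fails in one of those states is the one to look at.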
07-20-2012 09:41 AM
Hey there, I ran into the same issue with 5.3 and it turned out to be this bug. I came across your post looking for instructions on retrieving the logs. Thanks mate.
Authentication starts failing with this error: "24495 Active Directory servers are not available." in the ACS 5.3 logs.
Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as: Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO
07-22-2012 12:00 AM
The CDETS you refer to has been resolved on ACS 5.3 and is included in patch 3 and onwards. If you are going to install a patch on 5.3, I recommend taking the latest patch, which is patch 5. The workaround for the CDETS has been updated.
07-22-2012 07:02 AM
The patch is cumulative? If so, I would be able to go straight from, say, patch 2 to patch 5, right?
07-22-2012 07:03 AM
Yes. That is correct. The patch is cumulative.
07-22-2012 07:05 AM
Much appreciated