This problem occurs due to the presence of Cisco bug ID CSCef34765.
When Cisco Secure Access Control Server (ACS) for Microsoft Windows version 3.3 has two Lightweight Directory Access Protocol (LDAP) external databases (DBs) listed in this DB order:
Authentication works fine if the user belongs to LDAP-1. But if the user belongs to LDAP-2, ACS never begins to query LDAP-2.
The AUTH.log shows this output:
AUTH IAttempting authentication for Unknown User 'XX'
AUTH IExternal DB [DServDll.dll]: Starting PAP AuthUser
AUTH IExternal DB [DServDll.dll]: Comparing domain name "yy" user name XX' case insensitive
AUTH IExternal DB [DServDll.dll]: Domain qualifier section did not match.
AUTH IExternal DB [DServDll.dll]:External DS User XX@ZZ PW [----] failed authentication: fffff7fc
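As an added example (not part of the original Cisco document), the following Python check scans an AUTH.log for Unknown User attempts that stop at the Windows external DB (DServDll.dll) after a domain-qualifier mismatch with no other external DB consulted, which is the symptom quoted above. The sample log, the user names and the "[LDAP-EXAMPLE.dll]" module name are constructed placeholders, not values from the page.

```python
import re

# Constructed AUTH.log excerpt modelled on the output quoted above. The user
# names, the second attempt and the "[LDAP-EXAMPLE.dll]" module name are
# placeholders (assumptions), not values from the original page.
SAMPLE_AUTH_LOG = """\
AUTH I Attempting authentication for Unknown User 'alice'
AUTH I External DB [DServDll.dll]: Starting PAP AuthUser
AUTH I External DB [DServDll.dll]: Comparing domain name "corp" user name 'alice' case insensitive
AUTH I External DB [DServDll.dll]: Domain qualifier section did not match.
AUTH I External DB [DServDll.dll]: External DS User alice@corp PW [----] failed authentication: fffff7fc
AUTH I Attempting authentication for Unknown User 'bob'
AUTH I External DB [DServDll.dll]: Starting PAP AuthUser
AUTH I External DB [DServDll.dll]: Domain qualifier section did not match.
AUTH I External DB [LDAP-EXAMPLE.dll]: Starting PAP AuthUser
"""

ATTEMPT_RE = re.compile(r"Attempting authentication for Unknown User '([^']+)'")
EXTDB_RE = re.compile(r"External DB \[([^\]]+)\]: ?(.*)")

def find_stalled_attempts(log_text):
    """Return user names whose Unknown User lookup stopped after the Windows
    external DB rejected the domain qualifier and no other external DB was
    consulted before the next attempt (the CSCef34765 symptom)."""
    stalled = []
    user, dbs, qualifier_miss = None, [], False

    def flush():
        # Flag the attempt only if every external-DB line belonged to DServDll.dll.
        if user and qualifier_miss and set(dbs) == {"DServDll.dll"}:
            stalled.append(user)

    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            flush()                      # close out the previous attempt
            user, dbs, qualifier_miss = m.group(1), [], False
            continue
        m = EXTDB_RE.search(line)
        if m:
            dbs.append(m.group(1))       # record which external DB was consulted
            if "Domain qualifier section did not match" in m.group(2):
                qualifier_miss = True
    flush()                              # close out the final attempt
    return stalled

if __name__ == "__main__":
    print(find_stalled_attempts(SAMPLE_AUTH_LOG))   # ['alice']
```

Run it against a real AUTH.log by reading the file into `find_stalled_attempts`; a non-empty result on an ACS 3.3 host with more than one database in the Unknown User Policy list points at the ordering issue described here.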
For a workaround, first check if there is more than one database included in the Selected Databases list on the Unknown User Policy page.
If yes, then change the order of the databases in that list so that the Windows database is not first.
This bug is fixed in Cisco Secure ACS for Windows version 3.3.2.
To download Cisco Secure ACS for Windows version 3.3.2, open a case with Cisco Technical Support through the TAC Service Request Tool.