TCC_2

Core issue

This problem occurs due to the presence of Cisco bug ID CSCef34765.

When Cisco Secure Access Control Server (ACS) for Microsoft Windows version 3.3 has two Lightweight Directory Access Protocol (LDAP) external databases (DBs) listed in this DB order:

  • LDAP-1
  • LDAP-2

Authentication works if the user belongs to LDAP-1. However, if the user belongs to LDAP-2, ACS does not query LDAP-2.

The AUTH.log shows this output:

AUTH IAttempting authentication for Unknown User 'XX'
AUTH IExternal DB [DServDll.dll]: Starting PAP AuthUser
AUTH IExternal DB [DServDll.dll]: Comparing domain name "yy" user name XX' case insensitive
AUTH IExternal DB [DServDll.dll]: Domain qualifier section did not match.
AUTH IExternal DB [DServDll.dll]:External DS User XX@ZZ PW [----]
failed authentication: fffff7fc
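
To check a larger AUTH.log for the symptom shown above, the following added example (not Cisco's code) reports each Unknown User attempt where a domain qualifier mismatch is followed by a failed authentication. The function name `find_symptom` is hypothetical, the sample reuses the excerpt from this page plus two constructed lines, and it assumes the lines of one attempt are contiguous in the log.

```python
import re

# Constructed sample: the AUTH.log excerpt from this page, followed by two
# constructed lines for a second attempt, so the script runs offline.
SAMPLE_LOG = """\
AUTH IAttempting authentication for Unknown User 'XX'
AUTH IExternal DB [DServDll.dll]: Starting PAP AuthUser
AUTH IExternal DB [DServDll.dll]: Comparing domain name "yy" user name XX' case insensitive
AUTH IExternal DB [DServDll.dll]: Domain qualifier section did not match.
AUTH IExternal DB [DServDll.dll]:External DS User XX@ZZ PW [----]
failed authentication: fffff7fc
AUTH IAttempting authentication for Unknown User 'AA'
AUTH IExternal DB [DServDll.dll]: Starting PAP AuthUser
"""

START = re.compile(r"Attempting authentication for Unknown User '([^']*)'")
MISMATCH = "Domain qualifier section did not match"
FAILED = re.compile(r"failed authentication:\s*([0-9a-fA-F]+)")


def find_symptom(log_text):
    """Return (user, code) for each Unknown User attempt in which a domain
    qualifier mismatch is followed by a failed authentication."""
    hits = []
    user, mismatch = None, False
    for line in log_text.splitlines():
        started = START.search(line)
        if started:
            # A new attempt begins; reset state for this user.
            user, mismatch = started.group(1), False
            continue
        if user is None:
            continue  # not inside an Unknown User attempt
        if MISMATCH in line:
            mismatch = True
            continue
        failed = FAILED.search(line)
        if failed:
            if mismatch:
                hits.append((user, failed.group(1).lower()))
            user, mismatch = None, False  # attempt is finished
    return hits


if __name__ == "__main__":
    for user, code in find_symptom(SAMPLE_LOG):
        print(f"user {user!r}: domain qualifier mismatch, then failure {code}")
```
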

Resolution

For a workaround, first check if there is more than one database included in the Selected Databases list on the Unknown User Policy page.

If yes, then change the order of the databases in that list so that the Windows database is not first.

This bug is fixed in Cisco Secure ACS for Windows version 3.3.2.

To download Cisco Secure ACS for Windows version 3.3.2, use the TAC Service Request Tool to open a case with Cisco Technical Support.
