ACS 5.1 Authentication against AD problem

I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one of my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out, and then try logging on and instead was presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but seems to be caching the fact that his account has expired.
The only difference between the two ACS servers is that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
show logging application acs reveals the following:
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
Any ideas on what might be the cause, and how I can fix this?
Thanks!
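As an added example (not from the original post or from Cisco), a small Python parser for the "show logging application acs" line format quoted above. It groups records by cntx and flags every request context in which an LRPC "Retryable error" is followed by a "16:Password expired" PAP failure, the pattern the post shows for parrishg; the jsmith line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the "show logging application acs" line format quoted in the
# question (parrishg lines copied from the post; the jsmith line is made up for contrast).
SAMPLE_LOG = """\
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
ActiveDirectoryClient,19/10/2011,08:51:02:100,WARN ,3031829408,cntx=0000253099,sesn=ciscoacslc/108180474/33230,user=jsmith,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
"""

FIELDS = ("component", "date", "time", "level", "thread", "cntx", "sesn", "user")
LRPC_RETRY = re.compile(r"Retryable error \d+ \(LRPC failed\)")
PW_EXPIRED = re.compile(r"error: 16:Password expired")


def parse_line(line):
    """Split one ACS log line into a dict; the message is everything between the
    eighth comma and the trailing 'file.cpp:NNN' source reference."""
    parts = line.split(",", 8)          # 8 fixed fields, then message + source
    if len(parts) != 9:
        return None                     # not a line in this format
    rec = dict(zip(FIELDS, (p.strip() for p in parts[:8])))
    for key in ("cntx", "sesn", "user"):
        rec[key] = rec[key].split("=", 1)[1]   # "user=parrishg" -> "parrishg"
    rec["message"], _, rec["source"] = parts[8].rpartition(",")
    return rec


def expired_after_lrpc(lines):
    """Return {cntx: user} for every request context in which an LRPC retry is
    followed by a 'Password expired' PAP failure, i.e. the pattern from the post."""
    by_ctx = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec:
            by_ctx[rec["cntx"]].append(rec)
    flagged = {}
    for ctx, recs in by_ctx.items():
        seen_retry = False
        for rec in recs:
            if LRPC_RETRY.search(rec["message"]):
                seen_retry = True
            elif seen_retry and PW_EXPIRED.search(rec["message"]):
                flagged[ctx] = rec["user"]
    return flagged
```

Feed expired_after_lrpc() the captured output of the command from each ACS node separately; a user that is flagged on the master but never on the slave points at the node (or the AD server it queries) rather than at the account.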

The reply answer
Hello,
It is complicated to explain this rule, but hopefully you will understand.
I suggest you create an identity store sequence that will point to the AD and RSA. This is like the unknown user policy in ACS 4.x.
Once this is done you can create 2 authorization policies, 1 based on RSA authentication and another based on AD authentication.
To give you a better, clearer example: is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultaneous authentication.
Regards,
Sebastian Aguirre
