Amicuk Programming Answers

ACS 5.1 Authentication against AD problem


I have a pair of ACS 5.1 virtual appliances in a master/slave configuration, running build 5.1.0.44.  We have it configured to authenticate TACACS against Active Directory, but have run into a problem with the account of one of my colleagues.  His account password recently expired and since changing it he is no longer able to authenticate on devices pointing to the master ACS server, but has no issue with devices pointing to the slave ACS server.  Several other users have changed their passwords in AD and have not encountered this problem.
ACS View shows the following error in the TACACS+ authentication log:  "24421 Change password against Active Directory failed since it is disabled in configuration".  The account we use to connect to active directory does not have permission to send password changes, so I have disabled changing passwords in the AD identity store configuration.  As a test, I enabled password changing and instead saw this error:  "24407 User authentication against AD failed since user is required to change his password". 
I've had him change passwords numerous times, try different SSH clients, and different PCs.  I also had him lock his account out and then try logging on, and he was instead presented with this error: "24415 User authentication against AD failed since user's account is locked out".  So it seems that ACS is correctly querying AD but is caching the fact that his account has expired.
The only difference between the two ACS servers is that they are querying different AD servers.  I've gotten our AD team to reset his password, check that his account is not locked on a particular AD server, and that replication is functioning.  I've also restarted the services and cold started the ACS virtual machine to no effect.  I have yet to try clearing the AD configuration and re-entering it.
show logging application acs reveals the following:
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
I am aware that I can upgrade to 5.1.0.44.6 and intend to do so (although CSCsr81297 concerns me as we make extensive use of AD for authentication), but I don't know that there is any guarantee that this will fix it.
Any ideas on what might be the cause, and how I can fix this?
Thanks!
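Added example (not part of the original post and not Cisco code): a small Python parser for the "show logging application acs" lines quoted above. It splits the comma-separated fields, groups events by the sesn= session id, and tallies per user how many sessions ended in the same AD status (here 16:Password expired) and how many of those failures directly followed a "Retryable error 6 (LRPC failed)" reconnect. Run against an export from each ACS node separately, it turns the asymmetry described in the post (failures only on the master) into a count you can compare. The sample input is the five log lines from the post; the field layout (component, date, time, level, thread, cntx=, sesn=, user=, message, file:line) is inferred from those lines and is an assumption.

```python
"""Correlate Cisco ACS 5.x AD-client log lines by session and user.

Added example for this thread, not Cisco code. The field layout is an
assumption inferred from the lines quoted in the post:
component,date,time,level,thread,cntx=..,sesn=..,user=..,message,file:line
"""
import re
from collections import Counter, defaultdict

# Sample input: the log lines quoted in the post (line wraps removed).
SAMPLE_LOG = """\
ActiveDirectoryClient,19/10/2011,08:46:25:307,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:46:25:311,WARN ,3032882080,cntx=0000253027,sesn=ciscoacslc/108180474/33226,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryClient,19/10/2011,08:49:27:468,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::isLRPC_ConnectionError] Retryable error 6 (LRPC failed) received. Trying to reconnect.,ActiveDirectoryClient.cpp:2429
ActiveDirectoryClient,19/10/2011,08:49:27:475,WARN ,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,[ActiveDirectoryClient::plainTextAuthenticate] PAP authentication for user: parrishg has failed due to error: 16:Password expired,ActiveDirectoryClient.cpp:994
ActiveDirectoryIDStore,19/10/2011,08:49:27:475,ERROR,3031829408,cntx=0000253057,sesn=ciscoacslc/108180474/33228,user=parrishg,ActiveDirectoryIDStore::onPlainAuthenticateAndQueryEvent - User password expired but change password configuration is disabled - authentication failed,ActiveDirectoryIDStore.cpp:525
"""

# "has failed due to error: 16:Password expired" -> ("16", "Password expired")
AD_ERROR_RE = re.compile(r"due to error: (\d+):(.+)$")
LRPC_MARKER = "(LRPC failed)"   # the transient reconnect message in the post


def _value(kv):
    """'sesn=ciscoacslc/1/2' -> 'ciscoacslc/1/2'."""
    return kv.split("=", 1)[1]


def parse_line(line):
    """Split one ACS application-log line into a dict; None if it does not fit."""
    parts = line.strip().split(",", 8)
    if len(parts) != 9:
        return None
    component, date, time, level, thread, cntx, sesn, user, rest = parts
    # The message may contain no commas in the sample, but the trailing
    # file:line is always after the last one, so peel it off from the right.
    message, _, source = rest.rpartition(",")
    return {
        "component": component,
        "timestamp": f"{date} {time}",
        "level": level.strip(),          # the log pads 'WARN ' to width 5
        "thread": thread,
        "cntx": _value(cntx),
        "sesn": _value(sesn),
        "user": _value(user),
        "message": message,
        "source": source,
    }


def classify(event):
    """('transient', None) for an LRPC reconnect, ('ad_error', 'code:text')
    for an AD status reported by plainTextAuthenticate, else ('other', None)."""
    msg = event["message"]
    if LRPC_MARKER in msg:
        return ("transient", None)
    m = AD_ERROR_RE.search(msg)
    if m:
        return ("ad_error", f"{m.group(1)}:{m.group(2)}")
    return ("other", None)


def sessions_from(log_text):
    """Group parsed events by ACS session id, preserving log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            sessions[event["sesn"]].append(event)
    return sessions


def per_user_report(log_text):
    """Per user: session count, tally of AD error strings, and how many times
    an AD error came immediately after an LRPC reconnect in the same session."""
    report = {}
    for events in sessions_from(log_text).values():
        entry = report.setdefault(
            events[0]["user"],
            {"sessions": 0, "ad_errors": Counter(), "reconnect_then_fail": 0})
        entry["sessions"] += 1
        kinds = [classify(e) for e in events]
        for kind, detail in kinds:
            if kind == "ad_error":
                entry["ad_errors"][detail] += 1
        for prev, cur in zip(kinds, kinds[1:]):
            if prev[0] == "transient" and cur[0] == "ad_error":
                entry["reconnect_then_fail"] += 1
    return report


if __name__ == "__main__":
    for user, info in per_user_report(SAMPLE_LOG).items():
        print(f"{user}: {info['sessions']} session(s), "
              f"AD errors {dict(info['ad_errors'])}, "
              f"{info['reconnect_then_fail']} failure(s) right after an LRPC reconnect")
```

The per-user tally is what you would compare between the master and slave exports: if only one node keeps reporting 16:Password expired for the user after the AD reset, the next thing to check is which domain controller that node's AD client is talking to, since the post notes the two nodes query different AD servers.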

Reply
Hello,
It is complicated to explain this rule, but hopefully you will understand.
I suggest you create an identity store sequence that points to AD and RSA; this is like the unknown user policy in ACS 4.x.
Once this is done you can create two authorization policies, one based on RSA authentication and another based on AD authentication.
To give you a clearer example: is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides simultaneous AD and RSA authentication.
Regards,
Sebastian Aguirre
