Lee, If you pre pay for M$ technical services, get your MS-TAM engineer involved too/start MS TAC case. AD logs are hard to read, don't tell you much and most AD admins never want to help out in this area I find.
;-) CB From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Lee H Badman Sent: Tuesday, August 27, 2013 1:05 PM To: [email protected] Subject: Re: [WIRELESS-LAN] Cisco ACS "condition"- anyone else seen anything similar Thanks, Chad- we have no choice but to use the ACS->AD account as the hook to verify user accounts. No sign of account lockout, but we're still digging:) From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Chad Burnham Sent: Tuesday, August 27, 2013 3:01 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Cisco ACS "condition"- anyone else seen anything similar HI Lee, A few years back I used ACS -> AD account for Ciscoworks LMS. Ciscoworks does multi-threaded tasks under the hood. This resulted in multiple/fast auths using the AD account. The AD controller(s) saw this as an attack and thus caused the AD account to be momentarily locked out. After a few minutes, AD would allow the account to be used again. I moved away from AD integration for this reason in this case. Once I moved to local CW account, AD was out of the mix and Ciscoworks performed normal. Chad From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Lee H Badman Sent: Tuesday, August 27, 2013 10:12 AM To: [email protected]<mailto:[email protected]> Subject: [WIRELESS-LAN] Cisco ACS "condition"- anyone else seen anything similar Today, after several days of no-problem ramping up to full strength on our large WLAN 7.4.110 environment, we had two fleeting spates of disruption in the authentication of clients against AD. Each episode lasted a few minutes, and resulted in our Cisco ACS 5.4s showing large volumes of these failure reasons: 11051 RADIUS packet contains invalid state attribute 24463 Internal error in the ACS Active directory We have a TAC case open, and am waiting to hear back from our AD admin on whether there are any logs showing trouble between the accounts we use on the ACS boxes and the Domain Controllers. Has anyone seen similar that can comment or theorize? Regards- Lee Badman ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
