<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco ACS 5.3.0.40 and tacacs authentication against AD accounts in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218425#M131637</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Brilliant, thanks for the response, we will try the patch.&lt;/P&gt;&lt;P&gt;Thanks again.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 30 May 2013 10:44:00 GMT</pubDate>
    <dc:creator>humphres1</dc:creator>
    <dc:date>2013-05-30T10:44:00Z</dc:date>
    <item>
      <title>Cisco ACS 5.3.0.40 and tacacs authentication against AD accounts</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218423#M131604</link>
      <description>&lt;P&gt;We have successfully deployed a new ACS 5.3 which we use to do tacacs authentication against switches using an AD identity store. This all works fine. What we have found, however, is that when we type the incorrect password for an AD account (once), this immediately locks out the account on AD despite having a policy of three failed attempts before lockout (configured AD end). We are thinking the ACS is sending multiple authentication requests to AD for a single tacacs login request at the switch end if authentication fails and thereby reaching the three attempts very quickly if the password is incorrect. Ideally we only want the ACS to try once per request.&lt;/P&gt;&lt;P&gt;We have searched everywhere for a configurable item on the ACS for how it deals with a failed password authentication request but can only find an advanced option under the identity section of the service policy we use for tacacs, but this is set to Reject if authentication fails - nothing to define how many times to try.&lt;/P&gt;&lt;P&gt;Can anyone explain if this is the default action the ACS takes when trying to authenticate against AD identity store (multiple attempts if auth fails) or if this can be configured only to try once per request?&lt;/P&gt;&lt;P&gt;Thanks for any insight regarding this.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 03:28:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218423#M131604</guid>
      <dc:creator>humphres1</dc:creator>
      <dc:date>2019-03-11T03:28:58Z</dc:date>
    </item>
    <item>
      <title>Cisco ACS 5.3.0.40 and tacacs authentication against AD accounts</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218424#M131618</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Please ensure that you have the latest patch for ACS 5.3 installed. There are some fixes related to Active Directory that I think are relevant to this specific case. The latest patch is 5.3.0.40.9.&lt;/P&gt;&lt;P&gt;I think the relevant CDETS is &lt;A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;amp;page=bstBugDetail&amp;amp;BugID=CSCtz03211" target="_blank"&gt;CSCtz03211&lt;/A&gt;: ACS 5.3 sends multiple authentication attempts to Active Directory&lt;/P&gt;&lt;P&gt;In any case, there were several important Active Directory related fixes included in patches for 5.3 and these are recommended for operation with Active Directory.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 30 May 2013 10:38:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218424#M131618</guid>
      <dc:creator>jrabinow</dc:creator>
      <dc:date>2013-05-30T10:38:24Z</dc:date>
    </item>
    <item>
      <title>Cisco ACS 5.3.0.40 and tacacs authentication against AD accounts</title>
      <link>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218425#M131637</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Brilliant, thanks for the response, we will try the patch.&lt;/P&gt;&lt;P&gt;Thanks again.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 30 May 2013 10:44:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/cisco-acs-5-3-0-40-and-tacacs-authentication-against-ad-accounts/m-p/2218425#M131637</guid>
      <dc:creator>humphres1</dc:creator>
      <dc:date>2013-05-30T10:44:00Z</dc:date>
    </item>
  </channel>
</rss>

