topic Re: ACS 5.2 to use local database when LDAP fails in Network Access Control

ACS 5.2 to use local database when LDAP fails

adrian_teo — Mon, 11 Mar 2019 00:56:01 GMT

Hi all, i'm trying to configure acs 5.2 to LDAP external idenity store, when LDAP failes ACS 5.2 should use internal indenity store. I configured A sequence to use LDAP 1st then Internal and i shut off the link to the LDAP but ACS will not use internal, AAA Diagnostics keeps telling me that Cannot establish connection with LDAP server and will not use the internal store.

Re: ACS 5.2 to use local database when LDAP fails

Tiago Antunes — Thu, 24 Mar 2011 07:49:57 GMT

Hi,

Most likely you are missing the "Continue" option on the Authentication policy.

Please take a look at the screenshot:

Here i configured the Identity Sequence "Magic Happens" and select "Continue" "If Process Fails" so it moves sequencially along the Identity Sources configured inside.

HTH,
Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: ACS 5.2 to use local database when LDAP fails

adrian_teo — Thu, 24 Mar 2011 11:29:10 GMT

Hi Tiago,

That does not work when access to the LDAP fails. I get the below error but does not move the authentication to the next identity store.

24019 Connection error was encountered

Re: ACS 5.2 to use local database when LDAP fails

jrabinow — Thu, 24 Mar 2011 11:36:10 GMT

Current functionality is that in case access to database in the sequence (in this case LDAP) fails no further access to databases in the sequence is attempted and may proceed to authorization based on options specified to be performed in case of failure.

There is a feature defined to make this behavio configurable and will be in ACS 5.3

Re: ACS 5.2 to use local database when LDAP fails

adrian_teo — Thu, 24 Mar 2011 11:44:18 GMT

Hi jrabinow,

Thanks for the reply, so just let me get this right. As of the current available software 5.2.0.26.3 if the indenity store sequence is configured and if the 1st identity store fails (in this case LDAP) the authentication stopped and theres no way to configure it to move on to the next store. Is there a official statement on this on any of the release notes? I need a official reply from cisco, is the next move to log a tac case to get the official reply that the feature will be available in the ACS 5.3 release???

Re: ACS 5.2 to use local database when LDAP fails

muhammad feroz — Thu, 24 Mar 2011 15:50:52 GMT

Hi guys

To work failover to ldap,

first you configure sequence for authentication database like this

1.Local database

2.Ldap or AD (if you have)

it works i have tested this.. you just need to reverse.

Re: ACS 5.2 to use local database when LDAP fails

jrabinow — Thu, 24 Mar 2011 23:59:12 GMT

I am aware of the following CDETS:

CSCtl05416: Identity sequence ignored if AD fails

Would apply equally to LDAP failures

Note the LDAP can have a primary and secondary defined. In such a case a failure would only occur if both failed

Re: ACS 5.2 to use local database when LDAP fails

maddalena.selis — Fri, 03 Feb 2012 16:08:21 GMT

Hi to all,

I have same issue with AD and Internal database.

About CSCtl05416 at that link

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl05416 you can see " Fixed-In 5.3(0.40)"

So, I upgraded to that version and configured a sequence to use LDAP first then Internal. In version 5.3(0.40) we have a new check box in the Identity Store Sequence configuration: "Continue to next identity store in the sequence" but it don't works, I have same problem as 5.2, when I shut the link to the LDAP, ACS will not use Internal.

Thanks in advance,

Maddalena