<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ACS 3.0(2) - Authenticating users from Active Directory and NT4 Domains in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/acs-3-0-2-authenticating-users-from-active-directory-and-nt4/m-p/189819#M439165</link>
    <description>&lt;P&gt;We are running ACS 3.02 on an Active Directory Domain Controller. Most users are still in NT4 but some are migrated to AD (SIDHistory migration) and as such have their NT4 account of the same name disabled. ACS has both domains configured in the domain list.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Problem:&lt;/P&gt;&lt;P&gt;User accounts in AD get locked out after one bad password when authenticating against a NAS -- the domain policy is three attempts. This happens when the NT account of the same name is disabled.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It appears that ACS looks at both domains, finds the same user name in the NT domain (which is disabled intentionally) and then locks out the AD account.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Interestingly, if the user account in NT is "expired" this does not happen.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;E.g.&lt;/P&gt;&lt;P&gt;AD domain - "Domain A" and "User A" - everything is enabled&lt;/P&gt;&lt;P&gt;NT domain - "Domain B" and "User A" - the user account is disabled&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;User A attempts auth against a NAS and supplies the wrong password only once. User A in Domain A then gets locked out. If User A in Domain B is not disabled, the one bad password attempt does not lock out User A in Domain A.&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 14:22:25 GMT</pubDate>
    <dc:creator>rdone-burcea</dc:creator>
    <dc:date>2019-03-10T14:22:25Z</dc:date>
    <item>
      <title>ACS 3.0(2) - Authenticating users from Active Directory and NT4 Domains</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-3-0-2-authenticating-users-from-active-directory-and-nt4/m-p/189819#M439165</link>
      <description>&lt;P&gt;We are running ACS 3.02 on an Active Directory Domain Controller. Most users are still in NT4 but some are migrated to AD (SIDHistory migration) and as such have their NT4 account of the same name disabled. ACS has both domains configured in the domain list.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The Problem:&lt;/P&gt;&lt;P&gt;User accounts in AD get locked out after one bad password when authenticating against a NAS -- the domain policy is three attempts. This happens when the NT account of the same name is disabled.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It appears that ACS looks at both domains, finds the same user name in the NT domain (which is disabled intentionally) and then locks out the AD account.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Interestingly, if the user account in NT is "expired" this does not happen.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;E.g.&lt;/P&gt;&lt;P&gt;AD domain - "Domain A" and "User A" - everything is enabled&lt;/P&gt;&lt;P&gt;NT domain - "Domain B" and "User A" - the user account is disabled&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;User A attempts auth against a NAS and supplies the wrong password only once. User A in Domain A then gets locked out. If User A in Domain B is not disabled, the one bad password attempt does not lock out User A in Domain A.&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 14:22:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-3-0-2-authenticating-users-from-active-directory-and-nt4/m-p/189819#M439165</guid>
      <dc:creator>rdone-burcea</dc:creator>
      <dc:date>2019-03-10T14:22:25Z</dc:date>
    </item>
    <item>
      <title>Re: ACS 3.0(2) - Authenticating users from Active Directory and</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-3-0-2-authenticating-users-from-active-directory-and-nt4/m-p/189820#M439166</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What you are seeing is expected behavior on the version of ACS you are running. Your interpretation is quite accurate: it searches all the domains if you provide the wrong password, until it finds the user and succeeds. You may try to send domain_name\user_name and test it again with a wrong password; you may not see this behavior. If I am not completely off, this behavior is changed in ACS version 3.2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mynul&lt;/P&gt;</description>
      <pubDate>Wed, 02 Jul 2003 04:40:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-3-0-2-authenticating-users-from-active-directory-and-nt4/m-p/189820#M439166</guid>
      <dc:creator>mhoda</dc:creator>
      <dc:date>2003-07-02T04:40:31Z</dc:date>
    </item>
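The reply above advises sending the user name as domain_name\user_name so that ACS looks in one domain only. The script below is an added example, not code from the thread or from Cisco ACS: given the account lists of the domains in the ACS domain list (constructed sample data here; the domain names DOMAINA and DOMAINB, the user names, and the helpers find_collisions, lockout_risk_report and qualify are all assumptions), it reports the user names that exist in more than one domain, which are exactly the names an unqualified login will match in several places, and prints the qualified DOMAIN\user form to use for each, with the disabled copies flagged since that is the case the original post describes.

```python
# Added example for this thread; not code from the thread, from Cisco, or from ACS.
# Audits the domains in an ACS domain list for same-named accounts, which are the
# names an unqualified login will be searched for in every domain.
from collections import defaultdict

# Constructed sample data: (domain, user, enabled). In practice export this from
# each domain in the ACS domain list.
SAMPLE_ACCOUNTS = [
    ("DOMAINA", "usera", True),    # migrated to AD, enabled
    ("DOMAINB", "usera", False),   # NT4 copy left disabled after SIDHistory migration
    ("DOMAINA", "userb", True),
    ("DOMAINB", "userb", True),    # not yet migrated, but a same-named AD account exists
    ("DOMAINB", "userc", True),    # only in NT4, no collision
]


def find_collisions(accounts):
    """Return {user: {domain: enabled}} for every user name present in 2+ domains.

    Names are compared case-insensitively, as Windows logons are.
    """
    by_user = defaultdict(dict)
    for domain, user, enabled in accounts:
        by_user[user.lower()][domain.upper()] = enabled
    return {u: d for u, d in by_user.items() if len(d) > 1}


def lockout_risk_report(accounts):
    """One line per colliding name: where it is enabled or disabled, and the
    domain-qualified logon(s) that scope the lookup to a single domain."""
    lines = []
    for user, doms in sorted(find_collisions(accounts).items()):
        enabled = [d for d, e in sorted(doms.items()) if e]
        disabled = [d for d, e in sorted(doms.items()) if not e]
        qualified = " or ".join(f"{d}\\{user}" for d in enabled) or "no enabled copy"
        lines.append(
            f"{user}: enabled in {', '.join(enabled) or 'none'}, "
            f"disabled in {', '.join(disabled) or 'none'}; log in as {qualified}"
        )
    return lines


def qualify(login, default_domain):
    """Return the logon in DOMAIN\\user form (the workaround the reply suggests),
    leaving an already qualified name untouched. default_domain is an assumption
    the caller makes for bare names."""
    if "\\" in login:
        return login
    return f"{default_domain.upper()}\\{login}"


if __name__ == "__main__":
    for line in lockout_risk_report(SAMPLE_ACCOUNTS):
        print(line)
    print(qualify("usera", "DomainA"))
```

Run it against the exported account lists; every name the report lists should be logged in with the qualified form, and the disabled copies are candidates for deletion once the migration is complete, since they serve only to be found by the cross-domain search.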
  </channel>
</rss>

