AAA Enable failing on second ACS Server

Vivek Venugopal
Level 1

I have 2 Windows 2003 servers running ACS 4.2, authenticating with AD. I have configured TACACS+ authentication on both for my PIX 515 running version 7.24. TACACS+ authentication works fine on both. However, when I use "aaa authentication enable console ProsperAdminAuth LOCAL", the enable password works only with the first ACS server. When the first server is unavailable, it fails on the second ACS server and the Failed Authentication report on ACS says "ACS password invalid". It does not allow the LOCAL password either. I have verified all passwords and there is no issue there. I know that for sure because TACACS+ auth works. Has anyone seen this issue or know what I could try?

Thanks

Vivek

Accepted Solution

jedubois
Cisco Employee

Hello,

External Database configuration is not replicated between ACS servers, so my guess here is that on your secondary ACS, if you go to External User Databases -> Unknown User Policy, you will find that under Configure Enable Password Behavior you are set to "The Internal Database" instead of "The database in which the user profile is held."

--Jesse

That was it. Thanks so much for your help. Really appreciate it.