02-03-2012 07:14 AM - edited 03-10-2019 06:47 PM
Hi
We have an ACS 4.2 installation and we have users configured on the user setup; they authenticate using the Windows database (AD).
We ran failure tests and simulated AD failure by disabling the firewall rule.
So the ACS server is up, AD is down. Tested a user login to a switch and got the following error: External DB user invalid.
It looks like, as the ACS does not get a response from AD, it rejects the user login.
What we want it to do, in the event of AD failure, is to be able to log in to the switch with the username configured on the switch (as if the ACS server does not respond).
Any ideas how we achieve this?
Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address | Filter Information | PEAP/EAP-FAST-Clear-Name | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
02/03/2012 | 14:09:13 | Authen failed | test.test | Network | 192.168.1.1 | (Default) | External DB user invalid or bad password | .. | .. | tty3 | 10.0.0.1 | .. | .. | .. | .. | .. | SWITCH30 | Office |
02-03-2012 07:43 AM
I think you're looking at setting up the switch with something like this:
aaa authentication login default group radius local
So if remote authentication fails, then try the local authentication on the switch.
02-06-2012 01:16 AM
I have this already configured:
aaa authentication login default group tacacs+ local
but it's the ACS server that is replying with Authen failed, so the switch-to-ACS-server connection is not broken and will not fail over to local. It's the ACS-to-AD connection that's broken.
We need to configure the ACS to tell the switch to use local because the AD connection is broken. I just do not know how to do this.
02-08-2012 03:43 PM
Hello,
The switch will always try to authenticate AD credentials as the ACS is still up. The fallback for AAA on the IOS will be triggered only when the ACS (in this specific scenario) is down. At that point the switch will get a timeout and move to the "local" IOS database as fallback.
You can configure the AAA command with "local" in front of "group tacacs+" as follows:
aaa authentication login default local group tacacs+
The above command will allow you to authenticate on the switch with both Local IOS credentials and TACACS+ credentials.
For your simulated downtime the IOS will not fall back to the local credentials, as the ACS is still able to reply with a Reject to the switch even when the AD is down.
The suggested command will allow you to access the IOS with Local or TACACS+ credentials.
Please rate if you find the provided information helpful.
Regards.
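The method-list behaviour described in the answers above, as an added illustration that is not part of the thread or of Cisco's code: a small model in which a Reject from ACS ends the evaluation while only a timeout (or an unknown local user) moves IOS to the next method. The credential stores, the ACS/AD states and the rule that an unknown local user falls through to the next method are assumptions of this model.

```python
# Added illustration: a simplified model of how IOS walks an
# "aaa authentication login" method list. Assumed rules:
#   ACCEPT or REJECT from any method ends the evaluation;
#   ERROR (TACACS+ server timeout, or user absent from the local
#   database) moves on to the next method in the list.
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    ERROR = "error"   # no usable answer; try the next method

# Constructed sample credential stores (not from the thread).
LOCAL_USERS = {"admin": "localpw"}   # "username admin ..." on the switch
AD_USERS = {"test.test": "adpw"}     # what ACS checks via the external DB

def tacacs_method(user, pw, acs_up, ad_up):
    """ACS reachable -> it always answers; AD down -> it answers Reject."""
    if not acs_up:
        return Result.ERROR        # switch times out -> fallback permitted
    if not ad_up:
        return Result.REJECT       # "External DB user invalid": a real reply
    return Result.ACCEPT if AD_USERS.get(user) == pw else Result.REJECT

def local_method(user, pw, acs_up, ad_up):
    """Local database: unknown user -> ERROR (continue), bad password -> REJECT."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.ACCEPT if LOCAL_USERS[user] == pw else Result.REJECT

METHODS = {"group tacacs+": tacacs_method, "local": local_method}

def login(methods, user, pw, acs_up=True, ad_up=True):
    """Evaluate the method list in order and return the final outcome."""
    for name in methods:
        result = METHODS[name](user, pw, acs_up, ad_up)
        if result is not Result.ERROR:
            return result
    return Result.REJECT           # every method errored out: access denied

ORIGINAL = ("group tacacs+", "local")   # ... login default group tacacs+ local
SUGGESTED = ("local", "group tacacs+")  # ... login default local group tacacs+

if __name__ == "__main__":
    # ACS up, AD down: the Reject is a real answer, so no fallback occurs.
    print(login(ORIGINAL, "admin", "localpw", acs_up=True, ad_up=False))   # Result.REJECT
    # ACS unreachable: timeout -> the switch falls through to local.
    print(login(ORIGINAL, "admin", "localpw", acs_up=False, ad_up=False))  # Result.ACCEPT
    # Suggested list: the local account works whatever the ACS/AD state.
    print(login(SUGGESTED, "admin", "localpw", acs_up=True, ad_up=False))  # Result.ACCEPT
    # AD users still reach ACS: unknown locally -> ERROR -> next method.
    print(login(SUGGESTED, "test.test", "adpw"))                            # Result.ACCEPT
```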