ACS 4.2 Simulate AD failure - cannot login

JIM T
Level 1

Hi

We have an ACS 4.2 installation and we have users configured in the user setup; they authenticate using the Windows database (AD).

We ran failure tests and simulated AD failure by disabling the firewall rule.

So the ACS server is up, AD is down. Tested user login to a switch and got the following error: External DB user invalid.

It looks like, as the ACS does not get a response from AD, it rejects the user login.

What we want, in the event of AD failure, is to be able to log in to the switch with the username configured on the switch (as if the ACS server does not respond).

Any ideas how we achieve this?

Failed attempts log entry (fields without a value in the export are left blank):

Date: 02/03/2012
Time: 14:09:13
Message-Type: Authen failed
User-Name: test.test
Group-Name: Network
Caller-ID: 192.168.1.1
Network Access Profile Name: (Default)
Authen-Failure-Code: External DB user invalid or bad password
Author-Failure-Code:
Author-Data:
NAS-Port: tty3
NAS-IP-Address: 10.0.0.1
Filter Information:
PEAP/EAP-FAST-Clear-Name:
EAP Type:
EAP Type Name:
Reason:
Access Device: SWITCH30
Network Device Group: Office
3 Replies

Chris_Schubert
Level 1

I think you're looking at setting up the switch with something like this:

aaa authentication login default group radius local

So if remote authentication fails, then try the local authentication on the switch.

I have this already configured

aaa authentication login default group tacacs+ local

but it's the ACS server that is replying with "Authen failed", so the switch-to-ACS connection is not broken and the switch will not fail over to local. It's the ACS-to-AD connection that's broken.

We need to configure the ACS to tell the switch to use local because the AD connection is broken. I just do not know how to do this.

Hello,

The switch will always try to authenticate AD credentials as the ACS is still up. The fallback for AAA on the IOS will be triggered only when the ACS (in this specific scenario) is down. At that point the switch will get a timeout and move to the "local" IOS database as fallback.

You can configure the AAA command with "local" in front of "group tacacs+" as follows:

aaa authentication login default local group tacacs+

The above command will allow you to authenticate on the switch with both Local IOS credentials and TACACS+ credentials.

For your simulated downtime the IOS will not fall back to the local credentials, as the ACS is still able to reply with a Reject to the switch even when the AD is down.

The suggested command will allow you to access the IOS with Local or TACACS+ credentials.

Please rate if you find the provided information helpful.

Regards.
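A small model of the IOS method-list behaviour the replies above describe, added here as an illustration (it is not code from the thread or from Cisco): an explicit Reject from the first method ends the list, while only an unreachable server (timeout) moves the switch on to the next method. The account names, passwords and the rule that an unknown local username is skipped rather than rejected are constructed assumptions, the last one taken from the reply's statement that "local group tacacs+" accepts both credential sets.

```python
"""Model of how a Cisco IOS 'aaa authentication login' method list is walked.

Each method yields PASS, FAIL or ERROR. A FAIL (explicit reject) terminates
the list; an ERROR (server unreachable / timeout) moves to the next method.
This is why 'group tacacs+ local' gives no local fallback when ACS is up but
its AD backend is down: ACS still answers with a Reject, not a timeout.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample account stores (not real credentials).
LOCAL_USERS = {"admin": "local-pw"}
AD_USERS = {"test.test": "ad-pw"}


@dataclass
class AcsServer:
    """Simulated ACS: may be unreachable, and its AD backend may be down."""
    reachable: bool = True
    ad_up: bool = True

    def authenticate(self, user: str, pw: str) -> str:
        if not self.reachable:
            return ERROR        # switch sees a timeout -> next method
        if not self.ad_up:
            return FAIL         # "External DB user invalid": an explicit Reject
        return PASS if AD_USERS.get(user) == pw else FAIL


def local_method(user: str, pw: str) -> str:
    """Assumed: unknown username is skipped (ERROR), wrong password is FAIL."""
    if user not in LOCAL_USERS:
        return ERROR
    return PASS if LOCAL_USERS[user] == pw else FAIL


def run_method_list(methods: List[Tuple[str, Callable[[str, str], str]]],
                    user: str, pw: str) -> Tuple[str, str]:
    """Walk the list like IOS: stop on PASS or FAIL, continue on ERROR."""
    for name, fn in methods:
        result = fn(user, pw)
        if result != ERROR:
            return result, name
    return FAIL, "none"         # every method errored out: access denied


def outcome(order: str, acs: AcsServer, user: str, pw: str) -> Tuple[str, str]:
    """order is the method list as written in IOS, e.g. 'tacacs+ local'."""
    table = {"tacacs+": acs.authenticate, "local": local_method}
    return run_method_list([(m, table[m]) for m in order.split()], user, pw)
```

Putting "local" first makes the local accounts usable at all times rather than only during an outage, so keep them few, strongly passworded, and reviewed alongside the ACS audit logs.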