ACS 5.2 Active Directory

jason.yates
Level 1

Firstly, thanks for taking the time to read my post / question.

I'm currently in the process of setting up an ACS 5.2 device and authenticating wired clients via their AD credentials (Single Sign On option in Win 7). The question I have is, what happens to the set-up if the AD servers become unavailable?

I can use the command

authentication event server dead action authorize vlan XXX

To help mitigate any issues should the ACS servers fail however if the AD server goes down is the authentication treated as a failure?

I've tested every other eventuality on my test setup however this is one that I can't test and can't seem to find any documentation about.

Thanks in advance.

Accepted Solution

Tiago Antunes
Cisco Employee

Hi,

One of the wonderful features of ACS 5.x is that you can define what to do when the AD is unavailable!!

Please take a look at the screenshot.

When AD is unavailable, the process will fail and you can specify what to do with the authentication: Reject, Drop or Continue.

"Continue" will work as a passed authentication.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.


4 Replies

Nicolas Darchis
Cisco Employee

Hi Jason,

First, you can have several Domain Controllers in your AD, so that limits the down possibility.

What ACS decides the authentication is, is configurable. If AD is your only database in the policy, you can decide in the advanced options whether you consider "user not found" as reject or not, whether you consider "process failed" as drop or reject, etc.

Access policies -> your policy -> identity -> advanced options.

If you set drop on ACS, it will become a "no-response" on the switch.

Hope this helps,

Nicolas

===

Don't forget to rate answers that you find useful
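Since a "Drop" on ACS shows up at the switch only as an unanswered RADIUS request, the switch-side dead-server detection is what turns that silence into the critical VLAN behaviour the question's command provides. The following is a constructed switch configuration added here to illustrate that pairing; it is not from the thread, and the server address, key placeholder, interface and VLAN number are assumptions.

```cisco
! Constructed example (not from the thread): assumed ACS address, key and VLAN.
! Declare the ACS RADIUS server; the key must be replaced with the real shared secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
! A server is marked dead after 3 consecutive unanswered requests within 10 seconds ...
radius-server dead-criteria time 10 tries 3
! ... and stays dead for 5 minutes before the switch probes it again.
radius-server deadtime 5
!
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 ! While every configured server is dead, authorize new sessions into VLAN 100
 ! (the "authorize vlan XXX" command from the original question).
 authentication event server dead action authorize vlan 100
 ! When a server comes back, re-run authentication for ports parked in VLAN 100.
 authentication event server alive action reinitialize
 dot1x pae authenticator
```

Whether a sustained run of ACS "Drop" results (AD down, ACS still up) is enough to trip the dead criteria and move ports into VLAN 100, rather than just causing individual authentications to time out, depends on the timers above and the platform, so it is worth checking with `show aaa servers` during a lab test before relying on it as the AD-outage fallback.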


Tiago,

Many thanks for your reply. Come to think of it, I do remember seeing those options when setting things up.

Regards

Hi Tiago

I'm using PEAP MSCHAP for user authentication, as I can resolve the authentication if the AD is down.

Regards

fixie rider