03-23-2011 09:46 AM - edited 03-10-2019 05:56 PM
Hi all, I'm trying to configure ACS 5.2 to use an LDAP external identity store, and when LDAP fails ACS 5.2 should use the internal identity store. I configured a sequence to use LDAP first, then Internal, and I shut off the link to the LDAP server, but ACS will not use Internal. AAA Diagnostics keeps telling me "Cannot establish connection with LDAP server" and will not use the internal store.
03-24-2011 12:49 AM
Hi,
Most likely you are missing the "Continue" option on the Authentication policy.
Please take a look at the screenshot:
Here I configured the Identity Sequence "Magic Happens" and selected "Continue" for "If Process Fails", so it moves sequentially along the Identity Sources configured inside.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
03-24-2011 04:29 AM
Hi Tiago,
That does not work when access to the LDAP server fails. I get the below error, but it does not move the authentication to the next identity store.
03-24-2011 04:36 AM
Current functionality is that if access to a database in the sequence (in this case LDAP) fails, no further databases in the sequence are attempted, and processing may proceed to authorization based on the options specified for the failure case.
There is a feature defined to make this behaviour configurable, and it will be in ACS 5.3.
03-24-2011 04:44 AM
Hi jrabinow,
Thanks for the reply, so just let me get this right. As of the currently available software, 5.2.0.26.3, if an identity store sequence is configured and the first identity store fails (in this case LDAP), the authentication stops and there's no way to configure it to move on to the next store. Is there an official statement on this in any of the release notes? I need an official reply from Cisco. Is the next move to log a TAC case to get the official reply that the feature will be available in the ACS 5.3 release?
03-24-2011 08:50 AM
Hi guys,
To make failover to LDAP work,
first configure the sequence for the authentication databases like this:
1. Local database
2. LDAP or AD (if you have it)
It works, I have tested this. You just need to reverse the order.
03-24-2011 04:59 PM
I am aware of the following CDETS:
CSCtl05416: Identity sequence ignored if AD fails
This would apply equally to LDAP failures.
Note that an LDAP identity store can have a primary and a secondary server defined. In that case a failure would only occur if both failed.
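To make the behaviour jrabinow describes concrete, here is a small model I added of how an ACS 5.2 identity store sequence processes a request; it is not ACS code, and the store names, users and the `reachable` flag are constructed. It shows why "user not found" moves on to the next store while an unreachable store stops the sequence, why reversing the order (Internal first) works around it, and why a primary/secondary LDAP pair only fails when both servers are down.

```python
# Added example (not ACS code): a model of ACS 5.2 identity store sequence
# behaviour as described in this thread. Users and store names are constructed.
from dataclasses import dataclass, field

OK, NOT_FOUND, PROCESS_FAIL = "ok", "user_not_found", "process_fail"


@dataclass
class Store:
    name: str
    users: dict = field(default_factory=dict)  # user -> password (constructed)
    reachable: bool = True                      # False models the LDAP link being shut

    def check(self, user, password):
        if not self.reachable:
            return PROCESS_FAIL    # "Cannot establish connection with LDAP server"
        if user not in self.users:
            return NOT_FOUND       # sequence moves on to the next store
        return OK if self.users[user] == password else "bad_password"


@dataclass
class LdapPair:
    """LDAP store with a primary and a secondary server: a process failure
    is only reported when both servers are unreachable."""
    name: str
    primary: Store
    secondary: Store

    def check(self, user, password):
        result = self.primary.check(user, password)
        if result == PROCESS_FAIL:
            result = self.secondary.check(user, password)
        return result


def run_sequence(stores, user, password):
    """ACS 5.2 behaviour (CSCtl05416): NOT_FOUND continues to the next store;
    any other outcome, including PROCESS_FAIL, ends the sequence there."""
    for store in stores:
        result = store.check(user, password)
        if result == NOT_FOUND:
            continue
        return store.name, result
    return None, NOT_FOUND


if __name__ == "__main__":
    internal = Store("Internal", {"alice": "pw"})
    ldap = Store("LDAP", {"bob": "pw"}, reachable=False)   # LDAP link shut
    print(run_sequence([ldap, internal], "alice", "pw"))   # ('LDAP', 'process_fail')
    print(run_sequence([internal, ldap], "alice", "pw"))   # ('Internal', 'ok')
```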
02-03-2012 08:08 AM
Hi to all,
I have the same issue with AD and the Internal database.
About CSCtl05416, at this link
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl05416 you can see "Fixed-In 5.3(0.40)".
So I upgraded to that version and configured a sequence to use LDAP first, then Internal. In version 5.3(0.40) we have a new check box in the Identity Store Sequence configuration, "Continue to next identity store in the sequence", but it doesn't work; I have the same problem as in 5.2: when I shut the link to the LDAP server, ACS will not use Internal.
Thanks in advance,
Maddalena