Vin Daniell
Beginner

ACS 5.3 local user authentication

I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.

  • I created a user in the internal identity store.
  • I tried configuring a policy to allow this user's TACACS authentication in multiple ways, to no avail.

I cannot find a config example doc and cannot figure it out from the user guide, as the documentation is sorely lacking.

5 REPLIES
mauzamor
Beginner

Hi Vin,

What's happening in your scenario is that your Access Policy/Identity is using only AD1; this forces the ACS to check only the Active Directory database.

If you want to use both databases, you need to create an Identity Store Sequence; this is done under "Users and Identity Stores/External Identity Stores/Identity Store Sequences".

In this section you need to define both databases like the example below:

Then you need to use this option under Identity. Check below:

Let me know if it helps.

That did not seem to work. Here's what I have.

Oh and here's the error I'm getting.

Ok... it seems to be working now. I set the identity source to "internal users" then back to "TACACS+ search sequence" and now it's working.

Thanks!

Glad to know it's working now. Usually we use Internal Users first as the ACS database is smaller than the Active Directory.

Rate if it helps.
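To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread, from Cisco, or from ACS itself): a small Python model of an ordered identity store sequence. The store names, usernames and passwords are constructed, and the rule that a wrong password against a store that knows the user stops the sequence (rather than falling through to the next store) is an assumption made for the model, not something the thread states.

```python
"""Toy model of an ACS-style Identity Store Sequence.

Added, constructed example: it simulates how an ordered list of identity
stores resolves a TACACS+ login so the thread's symptom (a local user is
rejected while the Identity rule points only at AD1) can be reproduced
and checked offline. It is not ACS code.
"""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, List, Optional


@dataclass
class IdentityStore:
    """One identity store with a constructed username -> password map."""
    name: str
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> str:
        """Return PASS, FAIL (known user, wrong password) or NOT_FOUND."""
        if user not in self.users:
            return "NOT_FOUND"
        return "PASS" if compare_digest(self.users[user], password) else "FAIL"


@dataclass
class IdentityResult:
    status: str            # PASS, FAIL or NOT_FOUND
    store: Optional[str]   # store that produced the final verdict, if any
    trail: List[str]       # per-store outcomes, useful for troubleshooting


def resolve(sequence: List[IdentityStore], user: str, password: str,
            stop_on_auth_failure: bool = True) -> IdentityResult:
    """Walk the stores in order.

    A store that does not know the user is skipped and the next one is
    consulted. Assumption for this model: a store that knows the user but
    rejects the password ends the sequence with FAIL when
    stop_on_auth_failure is True, so a later store cannot override it.
    """
    trail: List[str] = []
    for store in sequence:
        outcome = store.authenticate(user, password)
        trail.append(f"{store.name}:{outcome}")
        if outcome == "PASS":
            return IdentityResult("PASS", store.name, trail)
        if outcome == "FAIL" and stop_on_auth_failure:
            return IdentityResult("FAIL", store.name, trail)
    return IdentityResult("NOT_FOUND", None, trail)


# Constructed stores: a local ACS user and an AD user.
INTERNAL_USERS = IdentityStore("Internal Users", {"netadmin": "local-secret"})
AD1 = IdentityStore("AD1", {"vin": "ad-secret"})

# The original Identity rule from the thread: AD1 only.
AD_ONLY = [AD1]
# The fix from the thread: a sequence that checks Internal Users first.
TACACS_SEARCH_SEQUENCE = [INTERNAL_USERS, AD1]


if __name__ == "__main__":
    for seq_name, seq in (("AD1 only", AD_ONLY),
                          ("TACACS+ search sequence", TACACS_SEARCH_SEQUENCE)):
        r = resolve(seq, "netadmin", "local-secret")
        print(f"{seq_name:24} netadmin -> {r.status:9} via {r.store} {r.trail}")
```

Running the block shows the local user landing on NOT_FOUND when only AD1 is consulted and on PASS via Internal Users once the sequence is in place; the `trail` field is the kind of per-store breakdown worth keeping in authentication logs when diagnosing which store actually answered a request.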
