ACS 5.3 local user authentication

Vin Daniell
Level 1

I want to have a local user in ACS that is permitted to log in to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.

  • I created a user in the internal identity store.
  • I tried configuring a policy to allow this user's TACACS authentication multiple ways to no avail.

I cannot find a config example doc and cannot figure it out from the user guide as the documentation is sorely lacking.

5 Replies

mauzamor
Level 1

Hi Vin,

What's happening in your scenario is that you have your Access Policy/Identity using only AD1; this will force the ACS to check only in the Active Directory database.

If you want to use both databases, you need to create an Identity Store Sequence. This is done under "Users and Identity Stores/External Identity Stores/Identity Store Sequences".

In this section you need to define both databases like the example below:

Then you need to use this option under Identity. Check below:

Let me know if it helps.

That did not seem to work. Here's what I have.

Oh and here's the error I'm getting.

Ok... it seems to be working now. I set the identity source to "internal users" then back to "TACACS+ search sequence" and now it's working.

Thanks!

Glad to know it's working now. Usually we use Internal Users first as the ACS database is smaller than the Active Directory.

Rate if it helps.
