


ACS Authentication via Internal DB vs External DB


I am designing an FCAPS solution for my client and I have a few questions about authentication via internal DB vs external DB.

Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?

If I configure ACS for external authentication via Windows AD, can my devices (AAA clients) still use TACACS+? From what I read in the user's guide, the communication between Windows AD and ACS is RADIUS, but I'm not sure if that means the communication between ACS and the devices has to be RADIUS as well.

Please advise.




When an authentication request comes to the ACS, first the ACS Internal Database is checked and if the user is not found in the Internal Database then the request is forwarded to the ACS "Unknown User Policy" and if you have configured your Active Directory to work with the ACS, the request would be sent to it.

If you are using the ACS 3.x/4.x, you can go to

You can configure the devices to use RADIUS/TACACS even if the user is authenticated through the Active Directory.

The ACS communicates to the Active Directory in the following manner:

When ACS authenticates to Windows it uses standard API calls to send the username/password
to the local member server that ACS is installed on.  That member server then forwards the
authentication request to the local domain controller.  The local domain controller checks
its local SAM database and if the user does not exist there, it forwards requests to all
trusted domains until it gets a success.

To check the different Databases supported, you can go to



Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?

Can ACS send an event/trap when an unknown user is discovered?


"Internal database lookup" can be configured first only when your network devices are authenticating using the RADIUS protocol. This is possible using an ACS feature called Network Access Profiles.

I would not consider the Internal Database as a fallback of AD; ACS keeps track of the existing AD users because the ACS or Remote Agent (installed on a Windows AD Member Server) is part of the AD Domain.

The ACS creates a dynamic entry for each user, but still looks up the User's Password against the AD database.

Back to your original question, ACS does not talk to AD (installed on a Windows AD Member Server) using RADIUS, and your network devices can be configured to talk RADIUS or TACACS to ACS.
