Cisco ACS 5.2 loses connectivity to AD - are there any ways to make this choose local?

golly_wog

Hi

I'm trying to configure ACS 5.2 so that should it lose connectivity to Active Directory it chooses the local authentication, however I can't seem to make this work.

Within ACS 5.2, Access-Policies, Access Services, Default Device Admin, Identity,

I have a single rule configured for any device that matches tacacs to use the identity source of Active Directory,

If authentication failed: Reject

If user not found: Reject

If process failed: Drop

When the ACS cannot access Active Directory and I debug TACACS authentication on any 65k or 2921 device, I get "Received Authen status error".

According to the RFC this should try the next configured TACACS server, but it doesn't:

"If the status equals TAC_PLUS_AUTHEN_STATUS_ERROR, then the host is indicating that it is experiencing an unrecoverable error and the authentication should proceed as if that host could not be contacted."

I want to make it clear: if the ACS device is unavailable then the Cisco switch will choose local authentication, but if the ACS is available and its link to AD is broken, there doesn't seem to be a way to get the device to time out and fail over to local.

cheers

Accepted Solution

jrabinow

In general this issue can be addressed by defining an identity sequence containing Active Directory and the internal user database, so that if the user is not found the internal user definition will be used. The problem with this approach is that if Active Directory is not accessible this is defined as a process failure and the identity sequence is exited, and so the internal user record will not be accessed. In this case one can configure the identity policy to proceed to authorization and can detect the case that a process failure has occurred but the user has not yet been authenticated.

There is a CDETS opened on this issue and a feature defined for ACS 5.3 that will allow the authentication to continue to access the internal user database after a process error. ACS 5.3 will be available later in the year.
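To make the three behaviours in the accepted answer concrete, here is an added, hypothetical Python model of an ACS identity sequence. It is not Cisco ACS code and is not from the thread: store names, the constructed user entries and every function name are assumptions. It shows that "user not found" advances to the next store, that a process failure exits the sequence (the 5.2 behaviour), that the "Continue" workaround lets the authorization step see an unauthenticated user plus a process-failure flag, and that the described 5.3 feature carries on to the internal database instead.

```python
from enum import Enum, auto


class Outcome(Enum):
    AUTHENTICATED = auto()   # store validated the credentials
    AUTH_FAILED = auto()     # user found, password wrong
    NOT_FOUND = auto()       # store reachable, user unknown
    PROCESS_ERROR = auto()   # store unreachable (e.g. AD connectivity lost)


class Decision(Enum):
    PROCEED = auto()                   # authenticated; go on to authorization
    REJECT = auto()                    # "Reject" in the identity policy
    DROP = auto()                      # "Drop": no reply is sent to the device
    CONTINUE_UNAUTHENTICATED = auto()  # "Continue": authorization runs without an authenticated user


def make_store(name, users, reachable=True):
    """Build a credential store; `users` is a constructed user->password map."""
    def lookup(user, pw):
        if not reachable:
            return Outcome.PROCESS_ERROR
        if user not in users:
            return Outcome.NOT_FOUND
        return Outcome.AUTHENTICATED if users[user] == pw else Outcome.AUTH_FAILED
    lookup.name = name
    return lookup


def run_sequence(stores, user, pw, continue_after_process_error=False):
    """Walk an identity sequence; returns (outcome, authenticated_by, saw_process_error).
    NOT_FOUND moves on to the next store. PROCESS_ERROR exits the sequence
    (the 5.2 behaviour from the answer) unless continue_after_process_error is
    set, which models the 5.3 feature of trying the next store anyway."""
    saw_error = False
    for store in stores:
        result = store(user, pw)
        if result is Outcome.NOT_FOUND:
            continue
        if result is Outcome.PROCESS_ERROR:
            saw_error = True
            if continue_after_process_error:
                continue
            return Outcome.PROCESS_ERROR, None, True
        by = store.name if result is Outcome.AUTHENTICATED else None
        return result, by, saw_error
    final = Outcome.PROCESS_ERROR if saw_error else Outcome.NOT_FOUND
    return final, None, saw_error


def identity_policy(outcome, process_failed_action=Decision.DROP):
    """The three options from the original post: authentication failed -> Reject,
    user not found -> Reject, process failed -> Drop (or Continue as a workaround)."""
    if outcome is Outcome.AUTHENTICATED:
        return Decision.PROCEED
    if outcome in (Outcome.AUTH_FAILED, Outcome.NOT_FOUND):
        return Decision.REJECT
    return process_failed_action


def authenticate(stores, user, pw, process_failed_action=Decision.DROP, acs53=False):
    outcome, by, process_failed = run_sequence(stores, user, pw, acs53)
    return {
        "decision": identity_policy(outcome, process_failed_action),
        "authenticated_by": by,
        "process_failed": process_failed,
    }


def authorization_can_detect_failure(result):
    """After "Continue", an authorization rule can match on exactly this pair:
    the request arrived unauthenticated AND a process failure occurred."""
    return result["decision"] is Decision.CONTINUE_UNAUTHENTICATED and result["process_failed"]


AD_USERS = {"alice": "ad-pw"}            # constructed sample data
INTERNAL_USERS = {"admin": "local-pw"}   # constructed sample data


def scenario(ad_reachable, user, pw, **kw):
    stores = [make_store("AD", AD_USERS, ad_reachable), make_store("Internal", INTERNAL_USERS)]
    return authenticate(stores, user, pw, **kw)


if __name__ == "__main__":
    cases = [
        ("AD up, internal-only user", scenario(True, "admin", "local-pw")),
        ("AD down, Drop (5.2)", scenario(False, "admin", "local-pw")),
        ("AD down, Continue workaround",
         scenario(False, "admin", "local-pw", process_failed_action=Decision.CONTINUE_UNAUTHENTICATED)),
        ("AD down, 5.3 continue past error", scenario(False, "admin", "local-pw", acs53=True)),
    ]
    for label, r in cases:
        print(f"{label}: {r['decision'].name}, by={r['authenticated_by']}, process_failed={r['process_failed']}")
```

The model deliberately returns a structured result rather than a single verdict, because the point of the workaround is that the identity step alone cannot distinguish "AD said no" from "AD could not be asked"; only the combination of an unauthenticated user and the process-failure flag, visible at authorization, does.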


Hi jrabinow

Many thanks for the excellent reply. Thank you so much, that clears it up.

cheers