Cisco ACS 5.3.0.40 and tacacs authentication against AD accounts

humphres1
Level 1

We have successfully deployed a new ACS 5.3 which we use to do tacacs authentication against switches using an AD identity store. This all works fine. What we have found however is that when we type the incorrect password for an AD account (once), this immediately locks out the account on AD despite having a policy of three failed attempts before lockout (configured AD end). We are thinking the ACS is sending multiple authentication requests to AD for a single tacacs login request at the switch end if authentication fails and thereby reaching the three attempts very quickly if the password is incorrect. Ideally we only want the ACS to try once per request.

We have searched everywhere for a configurable item on the ACS for how it deals with a failed password authentication request but can only find an advanced option under the identity section of the service policy we use for tacacs, but this is set to Reject if authentication fails - nothing to define how many times to try.

Can anyone explain if this is the default action the ACS takes when trying to authenticate against an AD identity store (multiple attempts if auth fails), or if this can be configured to only try once per request?

Thanks for any insight regarding this.
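One way to check the retry hypothesis from the AD side, added here as an example and not part of the original thread: it scans failed-logon records (event ID 4625) and flags accounts whose failure count reaches the lockout threshold within a couple of seconds, which a person retyping a password at a switch prompt cannot produce. The log layout, account names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp event_id key=value"
# layout (a hypothetical export format, not a real Windows event export).
# jdoe: three failures in ~0.1 s followed by a lockout (4740).
# asmith: three failures spread over 90 s, the pattern of a human retrying.
SAMPLE_LOG = """\
2012-06-01 10:15:02.100 4625 account=jdoe source=10.0.0.5
2012-06-01 10:15:02.150 4625 account=jdoe source=10.0.0.5
2012-06-01 10:15:02.210 4625 account=jdoe source=10.0.0.5
2012-06-01 10:15:02.300 4740 account=jdoe source=10.0.0.5
2012-06-01 10:20:00.000 4625 account=asmith source=10.0.0.9
2012-06-01 10:20:45.000 4625 account=asmith source=10.0.0.9
2012-06-01 10:21:30.000 4625 account=asmith source=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) account=(\S+) source=(\S+)$")


def parse(log_text):
    """Parse the constructed log into (timestamp, event_id, account, source)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def find_bursts(events, threshold=3, window=timedelta(seconds=2)):
    """Return (account, source) pairs whose failed logons (4625) reach
    `threshold` inside `window`: too fast for a human, consistent with one
    login request being retried several times by the authentication server."""
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == 4625:
            failures[(account, source)].append(ts)
    findings = []
    for key, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(key)
                break
    return findings
```

Run against a real export, a hit for the ACS's source address on an account that was typed wrong only once is the signature the question describes; a human-paced series like asmith's is not flagged.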

2 Replies

jrabinow
Level 7

Please ensure that you have the latest patch for ACS 5.3 installed. There are some fixes related to Active Directory that I think are relevant to this specific case. The latest patch is 5.3.0.40.9.

I think the relevant CDETS is CSCtz03211: ACS 5.3 sends multiple authentication attempts to Active Directory.

In any case, there were several important Active Directory related fixes included in patches for 5.3, and these are recommended for operation with Active Directory.

Brilliant, thanks for the response, we will try the patch.

Thanks again.