Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


External db account restriction in Cisco ACS v3.3

I'm trying to setup a wireless network using cisco 1240AG access points (for AAA clients) and Cisco ACS 3.3 for the AAA server and Active Directory for authentication. Wireless laptops are able to communicate with the access points and the ACS but I keep getting an authentication error in the ACS server saying "Authentication Failed" and the reason its giving is "External DB account restriction". Any idea what this error is? I think ACS isn't able to communicate with AD or something. Please advice. Thank you.

Cisco Employee

Meaning of the error message

External DB account restriction : The Windows User Account is restricted : The windows administrator must reset this option.

ACS troubleshooting guide


When you try to authenticate via ACS and see failed authentication on the ACS,could you please take a look on the group you are dropped in.

This can occur either due to permission issues or if your user is being mapped to DISABLED or NO-ACCESS group on the ACS.

Once you have the group which the failed user belongs to, go to that group and click on edit group. It shouldn't ne disabled or noaccess group (Group 0 is what we called noaccess group).

If you're getting mapped to correct map then this is surely windows permission issue. You have to ensure that ACS software running on windows machine should have domain admin rights.

There are some permissions those need to be granted on the windows machine it is installed.You may check from below listed link

1.Acs is installed on the member server or DC and permissions are configured as per the following doc:

If you're running ACS on member server do make sure that you have completed post installation task for local security policy.




Do rate helpful posts~


I logged into the ACS v3.3 and selected the "Group setup" the disabled box is uncheck under the Group disabled. Do I need to manually add the user to enable the authentication ?Sorry for any inconvenience as I am still new to ACS. Please advice. Thank you.


Hi Jimmy,

Please check the user properties on the Active directory. Maybe the dial-in properties are defined as denied. please change them to "allow access".

Let us know how it goes.




No worries, keep us posted until you get the resolution.

Well, if the users resides on the ACS internal database and not in the AD-active directory then you have to placed users manually in their resoective groups. However, if this setup includes active directory then group mapping would do.




Do rate helpful posts~


Previously, all the users are able to authenticate. But unable to authenticate anymore and no configuration changes on the AP, ACS and AD. AD and ACS are in domain A while users laptops are in domain B.


The authentication is done by the Windows Database configured in the Unknown user policy. By right if the user account is not in the ACS, it will automatically authenticate via external windows database.


Hi all,

Check the dial-in under the user account but is for the VPN remote access dial in. But seem no settings can be change.

Date TimeMessage-TypeUser-NameGroup-NameCaller-IDAuthen-Failure-CodeAuthor-Failure-CodeAuthor-DataNAS-PortNAS-IP-Address
01/31/201118:09:38Authen failedtester02..0012.f08a.36d4External DB user invalid or bad password....663172.24.11.10
01/31/201118:09:04Authen failedTester02..0012.f08a.36d4External DB user invalid or bad password....662172.24.11.10

The tester02 username is created inside the AD for testing purpose. No account being created inside the ACS. Please advice. Thank you.


This is more of permission issue. looks like you are using ACS windows.

here are the steps to create file :

Below is the procedure to get the file from the ACS server.. Set detailed
logging mode(system config ==>service control ===>Services Log File
Configuration-full).  This will ensure that all the proper service startup information is
included in the file.

- Log onto the ACS server itself as the local administrator.
- Browse to the UTILS directory in the ACS program directory.(C:\program files\ciscosecure
acs v3.x\utils)
- Run the program there called CSSupport.
- Select "Set Log Levels Only" and click Next.
- Select "Set Diagnostic Log Verbosity to Maximum."
- Click Next, then click Finish.

At this point, we need to duplicate the issue. Once that's done, we need to gather the verbose logs created.  To do so, follow the instructions below AFTER the problem has been recreated and recorded:

- Log onto the ACS server itself as the local administrator.
- Browse to the UTILS directory in the ACS program directory.
- Run the program there called CSSupport.
- Select "Run Wizard" and click Next.
- Only do these steps if we need more than today's logs:
- Put a check in both "Previous Logs" checkbox.
- Select the number of days to go back.
- Click Next four times. Select the radius/tacacs capture option as applicable
- When the Finish button appears, click it.

The will be found in the UTILS\Support directory under the ACS program directory. This file contains all of the log information from ACS




~Do rate helpful posts~

Content for Community-Ad