abison.varghese
Beginner

Secondary ACS is not authenticating for Dynamic users

Hi all,

I have two ACS servers for Windows, version 4.2. My problem is that if the primary ACS server is down, the dynamic users from the Windows database are not able to authenticate with the secondary ACS server. Please note that if a user is added to the ACS, this user can authenticate with the Windows database. Only the dynamic mapping is not happening with the second ACS server.

A fast response will be appreciated.

4 Replies
ansalaza
Beginner

Does the Unknown User Policy point to the Windows Database in both cases? Are Dynamic Users enabled under the Unknown User Policy?

Are these ACS for Windows servers or ACS SE with a Remote Agent installed on an AD member server?


If those are Remote Agents, check the External Database > Windows Configuration > Remote Agent Selection. Is the same Remote Agent selected on both ACS Servers?

Please be aware that if you switch the order of the RAs, it would delete all your Group Mappings.

I missed your note: ACS server for windows with 4.2 version.

Is the Secondary ACS Server installed on the same domain as the Primary Server?

Dynamic users are not replicated; authentications should create the new Dynamic User on the Secondary Server.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756078

Are the ACS Services configured with a Domain Admin account under "Log On As"?

It is important to comply with ACS Post-Installation Tasks:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041304

Hi ansalaza,

Thanks for your response. Let me answer your queries.

1. Both ACS servers are in the same domain.

2. It is configured with a domain account under "Log On As".

I will check the unknown user policy in the secondary ACS and will update you. Please note that I could authenticate the AD users with the secondary ACS if the user is statically added to the ACS database. Only dynamic users from AD are not authenticating, giving the error "unknown username" in the failed attempts logs.

Hi Ansalaza,

Excellent, you have pointed it out. I have made the changes in the unknown user policy and it is working.

Thank you once again.

Regards

Abison
