
TACACS "fail unknown users" after upgrade to ACS 3.3

paul-giles
Level 1

Basic config issue is :

1) User Account is added to ACS 3.3

2) User Account is added to Group with correct Privilege Levels

3) User Password Authentication: is listed as "Windows Database"

4) TACACS+ Enable Control: is set to user group settings

5) And TACACS+ Enable is also set to "Windows Database"

In External DB all windows Domains are listed (but not down to specific group mapping)

Here is the problem: everything works fine.

Users can log onto router in User mode (using domain password) & change to EN mode (using domain password)

As long as the "Unknown user policy" is set to check against "Windows", this works.

But if it is set to "fail Unknown users" then no one can gain access


michael.linhart
Level 1

Hi Michael,

We opened a TAC case and were given the following info:

CSCef84196

First Found-in Version 3.3(1)

Symptom:

users created on acs but mapped to external DB manually fail authentication

Condition:

- this happens when unknown user policy is set to fail authentication attempt.

Workaround:

- set unknown policy to check external database.

if dynamic users aren't desired to authenticate, you can map the external DB to a disabled group.

and put the manually mapped users in an enabled group.

There is no fix available yet!
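As an added illustration (not Cisco's code and not posted in this thread), here is a small Python model of the decision flow the reply describes: the local-user lookup, the unknown-user policy, and why mapping the external database to a disabled group blocks dynamically created users while manually mapped users in an enabled group still authenticate. The data model, the user and group names, and the `buggy` flag standing in for CSCef84196 are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Group:
    enabled: bool

@dataclass
class LocalUser:
    group: str
    auth_source: str    # "windows": password is checked in the external DB
    password: str = ""  # used only when auth_source == "internal"

# Constructed sample data standing in for the Windows domain database.
WINDOWS_DB = {"alice": "Domain-Pass-1", "bob": "Domain-Pass-2"}

def authenticate(user, password, local_users, groups, unknown_policy,
                 external_group, buggy=False):
    """Return (ok, reason); unknown_policy is 'fail' or 'check_external'."""
    record = local_users.get(user)
    if record is not None:
        if record.auth_source == "windows":
            if buggy and unknown_policy == "fail":
                # CSCef84196 as the reply describes it: a manually created
                # user mapped to the external DB fails under 'fail unknown'.
                return False, "bug: mapped user rejected"
            if WINDOWS_DB.get(user) != password:
                return False, "bad domain password"
        elif record.password != password:
            return False, "bad internal password"
        if not groups[record.group].enabled:
            return False, "group disabled"
        return True, "manual user in " + record.group
    if unknown_policy == "fail":
        return False, "unknown user, policy=fail"
    if WINDOWS_DB.get(user) != password:
        return False, "unknown user, not in external DB"
    # Dynamic user: placed in the group the external DB is mapped to.
    if not groups[external_group].enabled:
        return False, "dynamic user lands in disabled group"
    return True, "dynamic user in " + external_group

def workaround_demo(buggy=True):
    """Outcomes for alice (manually mapped) and bob (dynamic) per policy."""
    users = {"alice": LocalUser("netadmins", "windows")}
    groups = {"netadmins": Group(True), "ext-disabled": Group(False)}
    def ok(policy, name, pw):
        return authenticate(name, pw, users, groups, policy, "ext-disabled", buggy)[0]
    return {"fail/alice": ok("fail", "alice", "Domain-Pass-1"),
            "check/alice": ok("check_external", "alice", "Domain-Pass-1"),
            "check/bob": ok("check_external", "bob", "Domain-Pass-2")}
```

With the external DB mapped to the disabled group, only accounts that exist in ACS and sit in an enabled group get through, which is the behaviour the workaround aims for.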