09-27-2004 08:42 AM - edited 03-10-2019 01:49 PM
Basic config issue is:
1) User Account is added to ACS 3.3
2) User Account is added to Group with correct Privilege Levels
3) User Password Authentication: is listed as "Windows Database"
4) TACACS+ Enable Control: is set to user group settings
5) And TACACS+ Enable is also set to "Windows Database"
In External DB all Windows domains are listed (but not down to specific group mapping).
Here is the problem, everything works fine.
Users can log onto router in User mode (using domain password) & change to EN mode (using domain password).
As long as the "Unknown user policy" is set to check against "Windows", this works.
But if it is set to "fail Unknown users" then no one can gain access.
09-27-2004 11:10 PM
We have the same problem, but get no reply
Take a look at
Cheers
Michael
09-28-2004 11:47 PM
Hi Michael,
We opened a TAC case and were given the following info:
CSCef84196
First Found-in Version 3.3(1)
Symptom:
Users created on ACS but mapped to external DB manually fail authentication.
Condition:
- This happens when unknown user policy is set to fail authentication attempt.
Workaround:
- Set unknown policy to check external database.
If dynamic users aren't desired to authenticate, you can map the external DB to a disabled group and put the manually mapped users in an enabled group.
There is no fix available yet!