Hope you're well!
I am facing some access issue after completed the ACS (5.1) and AD (Windows 2003) integration, details underneath.
Enable password for (Router, Switches) is working fine if identify source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result
1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
2. Enable password is not working (using the same user password configured in MS AD.
3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
Switch Tacacs Configuration
|aaa authentication login default none|
|aaa authentication login ACS group tacacs+ local|
|aaa authentication enable default group tacacs+ enable|
|aaa authorization exec ACS group tacacs+ local|
|aaa authorization commands 15 ACS group tacacs+ local|
|aaa accounting exec ACS start-stop group tacacs+|
|aaa accounting commands 15 ACS start-stop group tacacs+|
|aaa authorization console|
|aaa session-id common|
|tacacs-server host 10.X.Y.11|
|tacacs-server timeout 20|
|tacacs-server key gacakey|
|line vty 0 4|
|access-class 5 in|
|exec-timeout 5 0|
|login authentication ACS|
|authorization commands 15 ACS|
|authorization exec ACS|
|accounting commands 15 ACS|
|accounting exec ACS|
This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
Your device-side setup looks fine. I suspect it's on the AD or ACS-AD end.
Have you had a look at the configuration guide example for ACS-LDAP here? It has some tips on verifying the ACS-LDAP connectivity.
Once you've confirmed the simple ones there are check out OK, we can look more closely at what remaining issues (if any) you might be seeing.