Core issue
This issue arises due to Cisco bug ID CSCeg40355.
If a Cisco Secure ACS that is configured for remote logging fails to successfully transmit an accounting log to the remote server, authentication attempts to the ACS server during this time may fail.
The authentication failure may not be reported at all, or it may be reported incorrectly (as being successfully authenticated).
Note: The authentication reports show that the credentials are good and the authentication request did pass. What failed is the RADIUS accounting request since RADIUS authentication was not available. Then the actual logging failed. This is the right behavior.
Resolution
As a workaround, perform either one of these two steps:
Problem Type
Troubleshoot software feature
Connectivity
Product Family
Cisco Secure access control server