I had the following scenario working in ACS 3.3:
ACS 3.3 TACACS+ server communicating with my Active Directory, so to log in to a router you have to enter the AD username and password, and then the enable password is stored locally on ACS 3.3. This has been working great.
Now in ACS 4.0 the same scenario results in the error: CS user unknown.
The only way to make this work is to authenticate without AD: both the login on the router (username and password) and the enable are local on ACS 4.0.
Please, any workaround?
When we use the Windows password for enable authentication it works, but when we choose "use separate password", enable authentication fails. If that is the case, we are hitting a bug.
ACS 4.0 separate TACACS enable password fails authentication
First Found-in Version 4.0(1.27)
TACACS+ Enable Password fails if explicitly set to "use separate password" when using an external authentication source (such as Windows). The user is able to log in fine, but when they issue the enable command, the user fails authentication and the failed attempts log states:
"cs user unknown"
Same setup works fine if the enable password is set to be the Windows password or "Use CiscoSecure PAP password" (although it is worth noting that the latter is automatically blanked out and becomes effectively the Windows password).
This is a regression bug; these features worked correctly in 3.3.3 and earlier code.
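For anyone reproducing the failure above without a router, this is what the two requests look like on the wire. It is an added example, not code from the thread or from Cisco: a router sends the ACS the same TACACS+ authentication START packet for the VTY login and for `enable`, differing only in the `authen_service` byte (LOGIN vs ENABLE), which is the field the ACS uses to decide whether to check the login credential or the separate enable password. The shared key, session id, user name and addresses below are constructed sample values; the packet layout and MD5 pad follow RFC 8907.

```python
"""Build and decode TACACS+ (RFC 8907) authentication START packets.

Added example for the ACS enable-password thread; not taken from the posts
or from any Cisco code. Shared key, session id, user and addresses are
constructed sample values.
"""
import hashlib
import os
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in the clear (lab use only)

# Authentication START fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01        # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01    # interactive login on the line
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02   # the "enable" command

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB")  # action, priv_lvl, type, service, 4 lengths


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream (RFC 8907 section 4.5): MD5_1 = MD5(sid|key|ver|seq),
    MD5_n = MD5(sid|key|ver|seq|MD5_{n-1}); concatenated, truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, key, service, authen_type=TAC_PLUS_AUTHEN_TYPE_ASCII,
                       session_id=None, priv_lvl=15, port=b"tty2",
                       rem_addr=b"192.0.2.10", data=b""):
    """Return one obfuscated authentication START packet (seq_no 1).

    For an ASCII enable request the router sends no password here; the server
    replies GETPASS and the password travels in the following CONTINUE packet.
    With PAP the password is carried in `data` of this packet instead.
    """
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    minor = 0x1 if authen_type == TAC_PLUS_AUTHEN_TYPE_PAP else TAC_PLUS_MINOR_VER_DEFAULT
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    user_b = user.encode()
    for name, field in (("user", user_b), ("port", port), ("rem_addr", rem_addr), ("data", data)):
        if len(field) > 255:
            raise ValueError(f"{name} exceeds one-byte length field")
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, authen_type, service,
                            len(user_b), len(port), len(rem_addr), len(data))
    body += user_b + port + rem_addr + data
    seq_no = 1
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Decode a START packet as the server would. A wrong shared key turns the
    body into noise, so the embedded length fields stop adding up; that check
    is how a key mismatch normally surfaces instead of a clean 'user unknown'."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    if len(packet) != HEADER.size + length:
        raise ValueError("length field does not match packet size")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START_FIXED.unpack_from(body)
    if START_FIXED.size + ul + pl + rl + dl != len(body):
        raise ValueError("field lengths do not add up: wrong shared key?")
    off = START_FIXED.size
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"session_id": session_id, "seq_no": seq_no, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def service_name(fields):
    """Label the request the way the ACS failed-attempts log would group it."""
    return {TAC_PLUS_AUTHEN_SVC_LOGIN: "login",
            TAC_PLUS_AUTHEN_SVC_ENABLE: "enable"}.get(fields["service"], "other")


if __name__ == "__main__":
    key = b"s3cret-key"                          # constructed sample shared key
    for svc in (TAC_PLUS_AUTHEN_SVC_LOGIN, TAC_PLUS_AUTHEN_SVC_ENABLE):
        pkt = build_authen_start("jdoe", key, svc, session_id=0x1234ABCD)
        f = parse_authen_start(pkt, key)
        print(service_name(f), f["user"], "priv", f["priv_lvl"], pkt.hex())
```

The decoder mirrors the server side: if the shared key on the router and the ACS differ, the length fields in the unobfuscated body stop adding up and the packet is rejected before any user lookup, so a key mismatch does not produce the "cs user unknown" message seen in this thread; that message comes from the ACS after it has parsed a valid ENABLE request and gone looking for a local user record that, for an externally authenticated account, it does not have.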