ACS 4.0 AD with local enable password

Answered Question
Sep 12th, 2007

Hi,

I had the following scenario working in ACS 3.3:

ACS 3.3 TACACS server communicating with my Active Directory. So to log in to a router you have to put in the user and pass of AD, and then the enable password is stored locally on ACS 3.3. This has been working great.

Now in ACS 4.0 the same scenario results in the error: CS user unknown.

The only way to make this happen is to authenticate without the AD, both the login on the router (user and pass) and then the enable locally on ACS 4.0.

Please, any workaround?


josephium Wed, 09/12/2007 - 05:03

I have already configured this, it's still the same problem.

thanks

Jagdeep Gambhir Wed, 09/12/2007 - 05:08

Please restart the services.

Unknown user policy is not configured.

=> External user database -> Unknown user policy -> Select "check the External user database" -> under "select database" = Windows database. After configuring it, restart the ACS services.

Regards,

josephium Wed, 09/12/2007 - 05:19

Thank you for your quick response, but I have tried this and I still have the same problem. The problem is not with AD authentication, the problem is afterwards with the enable password: ACS 4.0 is not recognizing that the enable password is stored locally for any AD user, although I have set it to local and set it to search for it internally. The same settings in ACS 3.3 are working fine.

Thank you

Premdeep Banga Wed, 09/12/2007 - 05:27

Check if this applies,

CSCsd86017: ACS 4.0 separate TACACS enable password fails authentication

Affected: 4.0(1) build 27

Resolved: 4.1(1) Build 23 or higher

Regards,

Prem

Correct Answer
Jagdeep Gambhir Wed, 09/12/2007 - 05:29

When we use the Windows password for enable authentication it works, but when we choose "use separate password", enable authentication fails. If that is the case, we are hitting a bug:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd86017&Submit=Search

CSCsd86017

ACS 4.0 separate TACACS enable password fails authentication

First Found-in Version 4.0(1.27)

Symptom:

TACACS+ Enable Password fails if explicitly set to "use separate password" when using an external authentication source (such as Windows). The user is able to log in fine, but when they issue the enable command, the user fails authentication and the failed attempts log states:

"cs user unknown"

The same setup works fine if the enable password is set to be the Windows password or "Use CiscoSecure PAP password" (although it is worth noting that the latter is automatically blanked out and becomes effectively the Windows password).

This is a regression bug; these features worked correctly in 3.3.3 and earlier codes.

Regards,

~JG
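To tell the bug pattern described above apart from a plain Unknown User Policy misconfiguration, here is a small triage helper. It is an added example, not code from the thread or from Cisco; the log column names (Message-Type, Authen-Failure-Code, Service, Database) are an assumed, simplified layout and the sample lines are constructed, while the version threshold (fixed in 4.1(1) build 23 or higher) comes from the thread.

```python
import csv
import io
import re

# Constructed sample in an assumed, simplified ACS-style CSV layout.
# Real ACS 4.x Failed Attempts / Passed Authentications exports carry
# more columns; map the names below onto your own export.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Authen-Failure-Code,Service,Database
09/12/2007,05:01:10,Authen OK,jdoe,,login,Windows
09/12/2007,05:01:25,Authen failed,jdoe,CS user unknown,enable,Windows
09/12/2007,05:02:00,Authen failed,bsmith,CS user unknown,login,Unknown
09/12/2007,05:03:00,Authen OK,admin,,login,CiscoSecure
09/12/2007,05:03:05,Authen failed,admin,Wrong password,enable,CiscoSecure
"""

def parse_version(ver):
    """Turn '4.0(1.27)' or '4.1(1) Build 23' into a comparable tuple."""
    nums = [int(n) for n in re.findall(r"\d+", ver)]
    return tuple((nums + [0, 0, 0, 0])[:4])

def bug_fixed(ver):
    """CSCsd86017 is resolved in 4.1(1) build 23 or higher (per Prem's post)."""
    return parse_version(ver) >= (4, 1, 1, 23)

def triage(log_text):
    """Map each user with a 'CS user unknown' failure to a likely cause."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    # Users whose login succeeded against an external database (e.g. Windows).
    external_logins = {r["User-Name"] for r in rows
                       if r["Message-Type"] == "Authen OK"
                       and r["Database"] != "CiscoSecure"}
    findings = {}
    for r in rows:
        if (r["Message-Type"] != "Authen failed"
                or r["Authen-Failure-Code"] != "CS user unknown"):
            continue
        user = r["User-Name"]
        if r["Service"] == "enable" and user in external_logins:
            # Login worked externally, enable then failed: the thread's symptom.
            findings[user] = "enable after external login: matches CSCsd86017 on unfixed builds"
        elif r["Service"] == "login":
            # Never authenticated at all: external DB not consulted.
            findings[user] = "login unknown: check Unknown User Policy"
    return findings
```

Pair the triage output with bug_fixed() on the ACS build you run: an enable-only failure on 4.0(1) build 27 is the bug, the same failure on a fixed build points at configuration.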

josephium Wed, 09/12/2007 - 05:50

Yes, thank you, this is the issue, so it's a bug. Thank you again for your quick response.

One more question regarding this issue, when you say: "Same setup works fine if the enable password is set to be Windows password"

So if I set the enable password to be the Windows password, will it be the same as the login password I entered previously with the username?

thank you
