09-12-2007 04:41 AM - edited 03-10-2019 03:23 PM
Hi,
I had the following scenario working in ACS 3.3:
ACS 3.3 TACACS server communicating with my Active Directory, so to log in to a router you have to enter the AD username and password, and then the enable password is stored locally on ACS 3.3. This has been working great.
Now in ACS 4.0 the same scenario results in the error: CS user unknown.
The only way to make this work is to authenticate without the AD, with both the login on the router (user and pass) and the enable password stored locally on ACS 4.0.
Please, any workaround?
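For readers reproducing the scenario in the opening post, here is the router-side AAA configuration that pairs with it. This is an added example, not configuration from the thread or from Cisco; the server address and shared secret are placeholders. It shows why the enable step can fail on its own: login and enable are two separate TACACS+ authentication requests with separate method lists.

```cisco
! Added example: IOS-side AAA for "login with AD credentials, enable password held on ACS".
! Not from the thread. 192.0.2.10 and TACACS-KEY-PLACEHOLDER are placeholders.
aaa new-model
!
! TACACS+ server (placeholder address and shared secret)
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! Login (username + password) is one TACACS+ authentication request;
! ACS forwards it to Active Directory through the unknown user policy.
aaa authentication login default group tacacs+ local
!
! "enable" is a second, separate TACACS+ request (service=enable, privilege level 15).
! In ACS 4.0(1) with the enable password set to "use separate password", this is the
! request that is rejected with "cs user unknown" (CSCsd86017); login still succeeds.
aaa authentication enable default group tacacs+ enable
!
! Fallback methods ("local", "enable") are consulted only when no TACACS+ server
! answers, not when ACS returns a reject, so the bug shows up as a hard failure
! at the enable prompt rather than a silent fallback to the local enable secret.
!
line vty 0 4
 login authentication default
```

To confirm which of the two requests is failing on the router side, `debug aaa authentication` shows the login method list completing successfully and the subsequent enable request being rejected, matching the "cs user unknown" entry in the ACS Failed Attempts log.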
09-12-2007 04:46 AM
ACS --> Ext db ---> Unknown user policy ---> Drag AD into the right box.
Regards,
~JG
09-12-2007 05:03 AM
I have already configured this, it's still the same problem.
thanks
09-12-2007 05:08 AM
Please restart the services.
Unknown user policy is not configured.
=> External user database -> Unknown user policy -> Select "check the External user database" -> under "select database" = Windows database. After configuring it, restart the ACS services.
Regards,
09-12-2007 05:19 AM
Thank you for your quick response, but I have tried this and I still have the same problem. The problem is not with AD authentication; the problem is afterwards with the enable password. ACS 4.0 is not recognizing that the enable password is stored locally for any AD user, although I have set it to local and set it to search for it internally. The same settings in ACS 3.3 are working fine.
Thank you
09-12-2007 05:27 AM
Check if this applies,
CSCsd86017 : ACS 4.0 separate TACACS enable password fails authentication
Affected : 4.0(1) build 27
Resolved : 4.1(1) Build 23 or higher
Regards,
Prem
09-12-2007 05:29 AM
When we use the Windows password for enable authentication it works, but when we choose "use separate password", enable authentication fails. If that is the case, we are hitting a bug.
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd86017&Submit=Search
CSCsd86017
ACS 4.0 separate TACACS enable password fails authentication
First Found-in Version 4.0(1.27)
Symptom:
TACACS+ Enable Password fails if explicitly set to "use separate password" if using an external authentication source (such as Windows). User is able to log in fine, but when they issue the enable command, the user fails authentication and the failed attempts log states:
"cs user unknown"
Same setup works fine if the enable password is set to be Windows password or "Use CiscoSecure PAP password" (although it is worth noting that the latter is automatically blanked out and becomes effectively the Windows password).
This is a regression bug; these features worked correctly in 3.3.3 and earlier codes.
Regards,
~JG
09-12-2007 05:50 AM
Yes, thank you, this is the issue, so it's a bug. Thank you again for your quick response.
One more question regarding this issue, when you say: "Same setup works fine if the enable password is set to be Windows password"
So if I set the enable password to be the Windows password, will it be the same as the login password I entered previously with the username?
Thank you
09-12-2007 06:03 AM
Yes it will.