ACS 4.0 AD with local enable password

josephium
Level 1

Hi,

I had the following scenario working in ACS 3.3:

ACS 3.3 TACACS server communicating with my Active Directory, so to log in to a router you have to enter the AD user and password, and then the enable password is stored locally on ACS 3.3. This has been working great.

Now in ACS 4.0 the same scenario results in the error: CS user unknown.

The only way to make this work is to authenticate without the AD, with both the login on the router (user and pass) and then the enable password locally on ACS 4.0.

Please, any workaround?

Accepted Solution

When we use the Windows password for enable authentication it works, but when we choose "use separate password", enable authentication fails. If that is the case, we are hitting a bug:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd86017&Submit=Search

CSCsd86017

ACS 4.0 separate TACACS enable password fails authentication

First Found-in Version: 4.0(1.27)

Symptom:

TACACS+ Enable Password fails if explicitly set to "use separate password" if using an external authentication source (such as Windows). The user is able to log in fine, but when they issue the enable command, the user fails authentication and the failed attempts log states:

"cs user unknown"

The same setup works fine if the enable password is set to be the Windows password or "Use CiscoSecure PAP password" (although it is worth noting that the latter is automatically blanked out and becomes effectively the Windows password).

This is a regression bug; these features worked correctly in 3.3.3 and earlier code.

Regards,

~JG


Jagdeep Gambhir
Level 10

ACS --> External DB --> Unknown user policy --> Drag AD into the right box.

Regards,

~JG

I have already configured this; it's still the same problem.

Thanks

Please restart the services.

The unknown user policy is not configured.

=> External user database -> Unknown user policy -> Select "Check the external user database" -> under "Select database" = Windows database. After configuring it, restart the ACS services.

Regards,

Thank you for your quick response, but I have tried this and I still have the same problem. The problem is not with AD authentication; the problem is afterwards with the enable password: ACS 4.0 is not recognizing that the enable password is stored locally for any AD user, although I have set it to local and set it to search for it internally. The same settings in ACS 3.3 are working fine.

Thank you

Check if this applies:

CSCsd86017: ACS 4.0 separate TACACS enable password fails authentication

Affected: 4.0(1) build 27

Resolved: 4.1(1) build 23 or higher

Regards,

Prem


Yes, thank you, this is the issue, so it's a bug. Thank you again for your quick response.

One more question regarding this issue. When you say "Same setup works fine if the enable password is set to be Windows password":

So if I set the enable password to be the Windows password, will it be the same as the login password I entered previously with the username?

Thank you

Yes it will.
