ACS 4.2 - Active Directory Password Caching



Currently, I have a Cisco ACS on a Windows Server 2003 SP2, with a Cisco switch (3750 - TACACS).

I have mapped an Active Directory Group to an ACS Group.

I connect to the 3750 with my AD login/pwd. It works. Perfect.

I change my AD password. I try to connect to a server (to test if my password is replicated) and yes, my password is replicated.

Now, I try to connect to the 3750. My new password works… but the OLD one does too.

Both the OLD and the NEW password work with my login.

What have I missed in the configuration? I have no local user in the Cisco ACS local database.

According to the Windows Team, the login that I use is in a group which is replicated instantly everywhere… and yes, because the new password works… but why is the OLD one working…? When I try my OLD password on the previous server (or another server, or a web portal that this group is linked to), it doesn't work.

But for all devices (TACACS & RADIUS) in the Cisco ACS, the OLD password works.

Thanks in advance,

Jagdeep Gambhir Fri, 09/26/2008 - 21:10

Passwords are not cached by ACS for dynamically created users. Please break the communication between ACS and AD and then try to connect.

That will let us know if the issue is with ACS or AD.



Do rate helpful posts

Jagdeep Gambhir Fri, 09/26/2008 - 21:28

I have a scenario for you in Active Directory where two passwords may be valid:

Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.

Let's take a scenario where we have a 3-site, 3-domain-controller (DC) Active Directory: Site1 with DC1, Site2 with DC2 and Site3 with DC3.

The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".

User1 decides to call the helpdesk and changes his password to "456".

The helpdesk uses DC1 to make password changes because they are located in Site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be

If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.



Do rate helpful posts
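A way to check the replication explanation above from the defender's side, as an added example that is not part of this thread or of ACS: read the account's pwdLastSet attribute from each DC (an LDAP or AD-tools query against each DC by name, done out of band) and flag the DCs that still hold the older value, since those are the ones that will keep accepting the old password. The DC names and FILETIME values below are constructed to mirror the DC1/DC2/DC3 scenario; in practice the DC to watch is the one ACS is configured to authenticate against.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is stored as a Windows FILETIME: 100-nanosecond ticks
# counted from 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    return int((dt - _FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def stale_dcs(pwd_last_set: dict) -> list:
    """Return the DCs whose pwdLastSet for the account is older than the
    newest value seen on any DC, i.e. the DCs that have not yet received
    the password change and will still validate the old password."""
    newest = max(pwd_last_set.values())
    return sorted(dc for dc, ft in pwd_last_set.items() if ft < newest)


def report(pwd_last_set: dict) -> dict:
    """Map each DC to the UTC time of the password it currently holds."""
    return {dc: filetime_to_datetime(ft) for dc, ft in pwd_last_set.items()}


# Constructed sample (hypothetical values): the helpdesk changed user1's
# password on DC1; DC2 has replicated it; DC3 (the DC ACS uses) has not.
_OLD_CHANGE = datetime(2008, 6, 1, 8, 0, tzinfo=timezone.utc)
_NEW_CHANGE = datetime(2008, 9, 26, 9, 15, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = {
    "DC1": datetime_to_filetime(_NEW_CHANGE),
    "DC2": datetime_to_filetime(_NEW_CHANGE),
    "DC3": datetime_to_filetime(_OLD_CHANGE),
}

if __name__ == "__main__":
    for dc, when in report(SAMPLE_PWD_LAST_SET).items():
        print(f"{dc}: pwdLastSet = {when.isoformat()}")
    print("DCs still holding the old password:", stale_dcs(SAMPLE_PWD_LAST_SET))
```

An empty list from stale_dcs means every DC queried has converged, and a password that still works at that point cannot be explained by replication lag alone.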
