ACS; Auth against AD fails (resolved by upgrade to 5.1)

Nov 22nd, 2009

Hi all

Recently installed ACS and set up ACS for device administration using TACACS+.

Everything works as expected; ACS integrated correctly with end points, local users can auth onto end points correctly through AAA.

Debug on end points shows successful AAA comms to ACS.

Now I'm at the point to remove all local users in ACS and integrate ACS with AD.

I set up the external store AD section with the correct domain name and added the AD user (the AD service account had domain admin rights).

I clicked 'test connectivity' button and got a successful connection first go.

I set up the AD section to link to 2 AD groups.

Now I run into a brick wall.

I cannot seem to authenticate an AD user for AAA access onto a router or switch using telnet.

I checked the logs and noticed that it says 'unknown user' and the store it's using says 'internal store'.

I have set the identity store sequence to be AD first then local but ACS still does not seem to check against the external store.

I'm not sure if I should be setting up ACS to AD group mappings, or if this will have any effect, like it did in 4.2.

I'm also unsure as to how the rule set should be changed in my access policies; e.g. do I need to click the customize button and add in a new policy element. And then rewrite the rules to exclude local groups and include AD groups, so as to get ACS to perform user lookup against the external AD store.

If anyone can point me in the right direction, it would be greatly appreciated... or

if someone could please point me towards a step-by-step guide as to how to correctly set up ACS to integrate into AD for TACACS device admin, this would also help.



Jatin Katyal Thu, 11/26/2009 - 06:25

Hi koeppend,

Did you notice the TACACS authentication logs in AAA protocol logs > TACACS authentication? Do you see "internal error in ACS/AD"? You need to apply patch 9 (5-0-0-21-9.tar.gpg); there is some issue with AD authentication.

You can download the patch from below listed link:

Go to > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > click on 


Go to the CLI mode of this ACS

- Create a repository (it's basically defining an FTP server):
AAA/admin(config)# repository FTP ---> (could be any name)
AAA/admin(config-Repository)# url ftp://
AAA/admin(config-Repository)# user password plain
AAA/admin(config-Repository)# exit

After that place the patch on the ftp server.

AAA/admin# acs patch install repository ftp

From here it will stop the services, apply the patch and start the services again.

We can check the version status using: AAA51/admin# show application version acs

You can also go through the read me file.



jrabinow Thu, 11/26/2009 - 06:44

I am not familiar with any issue resolved in patch 9 related to TACACS+ authentication with AD.

One thing to check to be 100% sure:

You need to make sure that you changed the identity source that is the result for the identity policy to be the identity sequence you defined.

If you are using the predefined device admin service, this can be changed at the following link:

Access Policies > Access Services > Default Device Admin > Identity

Press the "Select" button and select the identity sequence as the identity source to handle the authentication requests.

Otherwise, the best way to troubleshoot is to go to:

Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS+ Authentication

Selecting the details icon can give a step-by-step detail of the request processing, as was mentioned previously.
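The point of this answer is that the identity policy's result (the identity source) decides which stores are consulted at all. The following is an added illustration, not ACS code: a small model of password-based lookup where the source is either the Internal Users store alone or an Identity Store Sequence (AD first, then internal). The store names, user accounts and passwords are constructed; the rule that a store which does not know the user is skipped and the first store that does know the user decides is a simplifying assumption.

```python
# Added example (not ACS code): model of how an ACS 5.x identity policy
# resolves a TACACS+ login depending on the configured identity source.
from dataclasses import dataclass

# Constructed sample stores; plaintext passwords exist only in this toy model.
INTERNAL_USERS = {"localadmin": "L0cal!"}
AD_USERS = {"dkoeppen": "Ad!Pass1"}          # constructed AD account

STORES = {"Internal Users": INTERNAL_USERS, "AD1": AD_USERS}


@dataclass
class AuthResult:
    passed: bool
    identity_store: str      # store reported in the authentication log detail
    failure_reason: str = ""


def lookup(store_name, user, password):
    """Consult one store. Returns (user_found, password_ok)."""
    table = STORES[store_name]
    if user not in table:
        return False, False
    return True, table[user] == password


def authenticate(identity_source, user, password):
    """identity_source is a single store name, or a list of store names
    standing in for an Identity Store Sequence. Assumption: in a sequence a
    store that does not know the user is skipped; the first store that knows
    the user decides the outcome. If no store knows the user, the result is
    'unknown user' and the last store consulted is reported."""
    stores = identity_source if isinstance(identity_source, list) else [identity_source]
    for store in stores:
        found, ok = lookup(store, user, password)
        if found:
            return AuthResult(ok, store, "" if ok else "wrong password")
    return AuthResult(False, stores[-1], "unknown user")


def log_line(result, user):
    """Render the fields a reviewer looks for in the TACACS+ Authentication report."""
    status = "Passed" if result.passed else "Failed"
    return f"{status} user={user} store={result.identity_store} reason={result.failure_reason}"


if __name__ == "__main__":
    # Identity source still pointing at the internal store: AD is never tried.
    print(log_line(authenticate("Internal Users", "dkoeppen", "Ad!Pass1"), "dkoeppen"))
    # Identity source set to the sequence: AD answers first.
    print(log_line(authenticate(["AD1", "Internal Users"], "dkoeppen", "Ad!Pass1"), "dkoeppen"))
```

The first call reproduces the 'unknown user' / internal store detail from the original question; the second shows the same credentials passing once the sequence is the identity source.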

koeppend Thu, 11/26/2009 - 20:10

Thanks, but I have resolved the problem by upgrading the appliance to 5.1.

There is a bug in the code that prevents a user from seeing the 'Identity Source' selection box in the section

Access Policies > Access Services > (Device admin policy name) > Identity

(See attached picture)

Upon upgrading the appliance, an extra selection box was now visible, allowing me to choose either internal stores, external stores or my Identity Store Sequence policy.

Tested and now works well with AD.



jrabinow Fri, 11/27/2009 - 01:41


Glad it worked out and you are now on 5.1. I assume you are using FF 3.0. This was not supported in ACS 5.0 (and caused the problem you described) and is supported in 5.1.

koeppend Sat, 11/28/2009 - 20:52


You're probably correct, although I was swapping between FF and Safari (Mac).

I did notice that certain windows would crash using FF and would use Safari for item dragging from one selection box to another.

I swapped and changed browsers so much that I cannot recall 100% if I did or did not see that selection box in Safari.

I did have a colleague with me working on this problem and upgrade; he only uses Safari and does not have FF installed (on his Mac), and he thinks that it wasn't available for him either. We cannot confirm it now that we have upgraded.

Thanks for your support.



