Secondary ACS is not authenticating for Dynamic users

abison.varghese
Level 1

Hi all,

I have two ACS servers for Windows, version 4.2. My problem is that if the primary ACS server is down, the dynamic users from the Windows database are not able to authenticate with the secondary ACS server. Please note that if a user is added to the ACS, this user can authenticate with the Windows database. Only the dynamic mapping is not happening with the second ACS server.

A fast response will be appreciated.

1 Accepted Solution

ansalaza
Level 1

Does the Unknown User Policy point to the Windows Database in both cases? Are Dynamic Users enabled under the Unknown User Policy?

Are these ACS for Windows servers or ACS SE with a Remote Agent installed on an AD member server?


If those are Remote Agents, check the External Database > Windows Configuration > Remote Agent Selection. Is the same Remote Agent selected on both ACS Servers?

Please be aware that if you switch the order of RA it would delete all your Group Mappings.


4 Replies

ansalaza
Level 1


I missed your note: ACS server for windows with 4.2 version.

Is the Secondary ACS Server installed on the same domain as the Primary Server?

Dynamic users are not replicated...authentications should create the new Dynamic User on the Secondary Server.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756078

Are the ACS Services configured with a Domain Admin account under "Log On As"?

It is important to comply with ACS Post-Installation Tasks:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041304

Hi ansalaza,

Thanks for your response. Let me answer your queries.

1. Both ACS servers are in the same domain

2. It is configured as domain account under "Log On As"

I will check the unknown user policy in the secondary ACS and will update you. Please note that I could authenticate the AD users with the secondary ACS if the user is statically added to the ACS database. Only dynamic users from AD are not authenticating and are giving the error "unknown username" in the failed attempts logs.

Hi Ansalaza,

Excellent, you have pointed it out. I have made the changes in the unknown user policy and it is working.

Thank you once again.

Regards

Abison
