ACS Authentication via Internal DB vs External DB

Unanswered Question
Dec 9th, 2009
I am designing an FCAPS solution for my client and I have a few questions about authentication via internal DB vs external DB.

Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?

If I configure ACS for external authentication via Windows AD, can my devices (AAA clients) still use TACACS+? From what I read in the user's guide, the communication between Windows AD and ACS is RADIUS, but I'm not sure if that means the communication between ACS and the devices has to be RADIUS as well.

Please advise.

kush.sri2001 Wed, 12/09/2009 - 20:25
When an authentication request comes to the ACS, first the ACS Internal Database is checked and if the user is not found in the Internal Database then the request is forwarded to the ACS "Unknown User Policy" and if you have configured your Active Directory to work with the ACS, the request would be sent to it.

If you are using the ACS 3.x/4.x, you can go to

You can configure the devices to use Radius/tacacs even if the User is authenticated through the Active Directory.

The ACS communicates to the Active Directory in the following manner:

When ACS authenticates to Windows it uses standard API calls to send the username/password to the local member server that ACS is installed on. That member server then forwards the authentication request to the local domain controller. The local domain controller checks its local SAM database and if the user does not exist there, it forwards requests to all trusted domains until it gets a success.

To check the different Databases supported, you can go to


slcornish Thu, 12/10/2009 - 07:21
Can ACS be configured to do authentication via external DB first and fallback to the internal DB if the external DB is unavailable?

Can ACS send an event/trap when an unknown user is discovered?


ansalaza Thu, 12/10/2009 - 08:59
Cisco Employee

"Internal database lookup" can be configured first only when your network devices are authenticating using the RADIUS protocol. This is possible using an ACS feature called Network Access Profiles.

I would not consider the Internal Database as a fallback for AD. ACS keeps track of the existing AD users because the ACS or Remote Agent (installed on a Windows AD Member Server) is part of the AD Domain.

The ACS creates a dynamic entry for each user, but still looks up the User's Password against the AD database.

Back to your original question, ACS does not talk to AD (installed on a Windows AD Member Server) using RADIUS, and your Network Devices can be configured to talk RADIUS or TACACS+ to ACS.
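As an added illustration (not ACS code or configuration, and the class and field names are assumptions), a small Python model of the lookup order the two answers above describe: the internal database is consulted first, an unknown user is handed to the Unknown User Policy and forwarded to the external database, a dynamic entry is created for each AD user whose password is still verified against AD, and an external-database outage therefore rejects those users instead of falling back to the internal database.

```python
from dataclasses import dataclass, field

@dataclass
class AcsLookupModel:
    """Constructed model of the ACS authentication order discussed in this thread."""
    internal_users: dict                   # username -> password held in the ACS internal DB
    external_users: dict                   # username -> password held only by AD (external DB)
    external_available: bool = True        # simulates whether AD can be reached
    unknown_user_policy: bool = True       # forward unknown users to the external DB
    dynamic_users: set = field(default_factory=set)  # entries ACS created for AD users

    def authenticate(self, user: str, password: str) -> tuple:
        # 1. The internal database is always checked first.
        if user in self.internal_users:
            ok = self.internal_users[user] == password
            return ("ACCEPT", "internal") if ok else ("REJECT", "internal")
        # 2. A dynamic entry already maps the user to AD; otherwise the Unknown
        #    User Policy decides whether the request is forwarded at all.
        if user not in self.dynamic_users and not self.unknown_user_policy:
            return ("REJECT", "unknown-user")
        # 3. The password is never stored locally for AD users, so there is
        #    nothing to fall back to when the external database is down.
        if not self.external_available:
            return ("REJECT", "external-unavailable")
        if self.external_users.get(user) == password:
            self.dynamic_users.add(user)   # ACS creates the dynamic entry on success
            return ("ACCEPT", "external")
        return ("REJECT", "external")

def demo() -> list:
    """Walk the model through the cases the thread asks about."""
    acs = AcsLookupModel(
        internal_users={"netops": "local-secret"},       # constructed sample data
        external_users={"jdoe": "ad-secret"},
    )
    results = [
        acs.authenticate("netops", "local-secret"),   # internal DB answers first
        acs.authenticate("jdoe", "ad-secret"),        # forwarded to AD, dynamic entry created
    ]
    acs.external_available = False                    # AD outage
    results.append(acs.authenticate("jdoe", "ad-secret"))   # no internal fallback
    acs.external_available = True
    acs.unknown_user_policy = False
    results.append(acs.authenticate("nobody", "x"))   # never forwarded
    return results
```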
