ACS 4.2 Simulate AD failure - cannot login

Unanswered Question
Feb 3rd, 2012

We have an ACS 4.2 installation and we have users configured on the user setup; they authenticate using the Windows database (AD).

We ran failure tests and simulated AD failure by disabling the firewall rule.

So the ACS server is up, AD is down. Tested user login to a switch and got the following error: External DB user invalid.

It looks like, as the ACS does not get a response from AD, it rejects the user login.

What we want, in the event of AD failure, is to be able to log in to the switch with the username configured on the switch (as if the ACS server does not respond).

Any ideas how we achieve this?

ACS failed-attempts log entry (fields separated out from the exported report):

Date: 02/03/2012
Time: 14:09:13
Message-Type: Authen failed
User-Name: test.test
Group-Name: Network
Caller-ID: 192.168.1.1
Network Access Profile Name: (Default)
Authen-Failure-Code: External DB user invalid or bad password
Author-Failure-Code: (empty)
Author-Data: (empty)
NAS-Port: tty3
NAS-IP-Address: 10.0.0.1
Filter Information: (empty)
PEAP/EAP-FAST-Clear-Name: (empty)
EAP Type: (empty)
EAP Type Name: (empty)
Reason: (empty)
Access Device: SWITCH30
Network Device Group: Office
cschubert Fri, 02/03/2012 - 07:43

I think you're looking at setting up the switch with something like this:

aaa authentication login default group radius local

So if remote authentication fails, then try the local authentication on the switch.

JIM T Mon, 02/06/2012 - 01:16

I have this already configured

aaa authentication login default group tacacs+ local

but it's the ACS server that is replying with Authen failed, so the link from the switch to the ACS server is not broken and will not fail over to local. It's the ACS to AD link that's broken.

We need to configure the ACS to tell the switch to use local because the AD connection is broken. I just do not know how to do this.

camejia Wed, 02/08/2012 - 15:43

The switch will always try to authenticate AD credentials as the ACS is still up. The fallback for AAA on the IOS will be triggered only when the ACS (in this specific scenario) is down. At that point the switch will get a timeout and move to the "local" IOS database as fallback.

You can configure the AAA command with "local" in front of "group tacacs+" as follows:

aaa authentication login default local group tacacs+

The above command will allow you to authenticate on the switch with both Local IOS credentials and TACACS+ credentials.

For your simulated downtime the IOS will not fall back to the local credentials, as the ACS is still able to reply with a Reject to the switch even when the AD is down.

The suggested command will allow you to access the IOS with Local or TACACS+ credentials.

Please rate if you find the provided information helpful.
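A small Python model of the IOS method-list behaviour discussed in this thread, added here as an illustration and not code from the original posts or from Cisco. It treats a method that answers with a Reject as final and moves to the next method only when a method gives no usable answer (the timeout case); the usernames, passwords and the local-database rule it uses (unknown user falls through to the next method, wrong password for a known local user is a Reject) are assumptions for the model, not details from the thread.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"  # method answered and admitted the user (final)
    REJECT = "reject"  # method answered and denied the user (final)
    ERROR = "error"    # no usable answer; IOS tries the next method in the list

# Constructed sample data for the model (assumed values, not from the thread)
LOCAL_USERS = {"admin": "local-secret"}   # accounts in the switch's own database
AD_USERS = {"test.test": "ad-secret"}      # accounts ACS verifies against AD

def method_local(user, password):
    # Assumed IOS "local" rule: unknown user -> ERROR (fall through to next method),
    # known user with a wrong password -> REJECT (no fall through)
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.ACCEPT if LOCAL_USERS[user] == password else Result.REJECT

def make_method_tacacs(acs_reachable, ad_reachable):
    def method_tacacs(user, password):
        if not acs_reachable:
            return Result.ERROR   # no reply from ACS: the switch times out
        if not ad_reachable:
            # ACS is up but cannot reach AD: it answers with a definite Reject
            # ("External DB user invalid"), which IOS does not treat as a timeout
            return Result.REJECT
        return Result.ACCEPT if AD_USERS.get(user) == password else Result.REJECT
    return method_tacacs

def evaluate(method_list, user, password):
    """Walk the method list in order; only ERROR moves on to the next method.
    Returns (result, name of the method that decided)."""
    for name, method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result, name
    return Result.REJECT, None   # no method could answer: login denied

def scenario(order, acs_up, ad_up, user, password):
    """order: 'tacacs-first' = 'group tacacs+ local', 'local-first' = 'local group tacacs+'."""
    tacacs = ("group tacacs+", make_method_tacacs(acs_up, ad_up))
    local = ("local", method_local)
    methods = [tacacs, local] if order == "tacacs-first" else [local, tacacs]
    return evaluate(methods, user, password)
```

With "local" first, as camejia suggests, the local accounts answer before ACS is ever asked, so those logins work whether ACS is healthy or not and never pass through ACS; the model makes that trade-off visible alongside the thread's AD-down case.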
