ACS 3.0(2) - Authenticating users from Active Directory and NT4 Domains
We are running ACS 3.0(2) on an Active Directory Domain Controller. Most users are still in NT4, but some have been migrated to AD (SIDHistory migration) and as such have their NT4 account of the same name disabled. ACS has both domains configured in the domain list.
User accounts in AD get locked out after one bad password when authenticating against a NAS; the domain policy is three attempts. This happens when the NT account of the same name is disabled.
It appears that ACS looks at both domains, finds the same user name in the NT domain (which is intentionally disabled), and then locks out the AD account.
Interestingly, if the User account in NT is "expired" this does not happen.
AD domain - "Domain A" and "User A" - everything is enabled
NT domain - "Domain B" and "User A" - the user account is disabled
User A attempts auth against a NAS, and supplies the wrong password only once. User A in Domain A then gets locked out. If User A in Domain B is not disabled, the one bad password attempt does not lock out User A in Domain A.
Re: ACS 3.0(2) - Authenticating users from Active Directory and NT4 Domains
What you are seeing is expected behavior on the version of ACS you are running. Your interpretation is quite accurate: it searches all the domains when you provide the wrong password, until it finds one where the user succeeds. You may try sending domain_name\user_name and testing again with a wrong password; you may not see this behavior then. If I am not completely off, this behavior was changed in ACS version 3.2.
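To make the reply's point concrete, here is an added example (not ACS code, and not from anyone in this thread) that models only what the reply states: an unqualified user name is tried against every configured domain in list order until one succeeds, while a DOMAIN\user name is tried against that one domain only. The domain list, account states, passwords and a three-attempt lockout threshold are constructed to match the post. The model shows which authenticators see a wrong password in each case; it does not claim to explain why a disabled NT4 account triggers the lockout in the AD domain, which the thread does not explain.

```python
# Added example: a minimal model of the multi-domain user search described in the
# reply above. Not ACS code; domains, accounts and thresholds are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    state: str = "enabled"  # constructed states: "enabled", "disabled", "expired"


@dataclass
class Domain:
    name: str
    accounts: dict
    lockout_threshold: int = 3  # "the domain policy is three attempts" in the post
    bad_attempts: dict = field(default_factory=dict)

    def authenticate(self, user, password):
        """Check one user/password against this domain and return an outcome string."""
        key = user.lower()
        acct = self.accounts.get(key)
        if acct is None:
            return "no_such_user"
        if acct.state != "enabled":
            return acct.state  # disabled/expired: the password is not evaluated
        if self.bad_attempts.get(key, 0) >= self.lockout_threshold:
            return "locked_out"
        if acct.password != password:
            self.bad_attempts[key] = self.bad_attempts.get(key, 0) + 1
            if self.bad_attempts[key] >= self.lockout_threshold:
                return "locked_out"
            return "bad_password"
        return "success"


def login(domains, login_name, password):
    """Return the (domain, outcome) trail one login produces.

    Unqualified names are tried against every domain in list order until one
    succeeds (the search the reply describes); DOMAIN\\user is tried against
    that domain only, which is the workaround the reply suggests.
    """
    if "\\" in login_name:
        dom_name, user = login_name.split("\\", 1)
        targets = [d for d in domains if d.name.lower() == dom_name.lower()]
    else:
        user, targets = login_name, list(domains)
    trail = []
    for dom in targets:
        outcome = dom.authenticate(user, password)
        trail.append((dom.name, outcome))
        if outcome == "success":
            break
    return trail


def bad_password_count(domains, user):
    """How many bad passwords each domain has recorded for this user."""
    return {d.name: d.bad_attempts.get(user.lower(), 0) for d in domains}


def build_lab():
    # Constructed to match the post: User A enabled in Domain A, the same name
    # disabled in Domain B. Passwords are placeholders.
    domain_a = Domain("DomainA", {"usera": Account("Correct-Pass-1")})
    domain_b = Domain("DomainB", {"usera": Account("old-nt4-pass", state="disabled")})
    return [domain_a, domain_b]


if __name__ == "__main__":
    lab = build_lab()
    # One wrong password with an unqualified name reaches both domains.
    print(login(lab, "usera", "wrong"))
    # The same wrong password with a qualified name reaches only Domain A.
    print(login(lab, "DomainA\\usera", "wrong"))
    print(bad_password_count(lab, "usera"))
```

Running it shows the unqualified attempt producing a trail through both domains (a bad password in DomainA, then the disabled account in DomainB), whereas the qualified attempt touches DomainA alone. If you test the workaround on a real system, check the domain's bad-password counter for the account after each attempt rather than relying on the NAS result, since the NAS only sees the final accept or reject.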
Helps meet PCI* compliance.
Threat protection built into ISR and ISRv branch routers and CSR
Complements ISR Integrated Security
Lightweight IPS solution with low TCO (Total Cost of Ownership) and automated signature updates
Supports VRF (16.6)
Log in to the FXOS chassis manager.
Point your browser at https://hostname/ and log in with your user name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and also defined a rule, which gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...