New Member

ACS 4.0 AD with local enable password

Hi,

I had the following scenario working in ACS 3.3:

ACS 3.3 TACACS server communicating with my Active Directory, so to log in to a router you have to put in the user and password from AD, and then the enable password is stored locally on ACS 3.3. This has been working great.

Now in ACS 4.0 the same scenario results in the error: CS user unknown.

The only way to make this happen is to authenticate without the AD, both the login on the router (user and pass) and then the enable being local on ACS 4.0.

Please, any workaround?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: ACS 4.0 AD with local enable password

When we use the Windows password for enable authentication it works, but when we choose "use separate password", enable authentication fails. If that is the case, we are hitting a bug.

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd86017&Submit=Search

CSCsd86017

ACS 4.0 separate TACACS enable password fails authentication

First Found-in Version 4.0(1.27)

Symptom:

TACACS+ Enable Password fails if explicitly set to "use separate password" if using an external authentication source (such as Windows). User is able to log in fine, but when they issue the enable command, the user fails authentication and the failed attempts log states:

"cs user unknown"

Same setup works fine if the enable password is set to be Windows password or "Use CiscoSecure PAP password" (although it is worth noting that the latter is automatically blanked out and becomes effectively the Windows password).

This is a regression bug, these features worked correctly in 3.3.3 and earlier codes.

Regards,

~JG

8 REPLIES

Re: ACS 4.0 AD with local enable password

ACS --> Ext db ---> Unknown user policy ---> Drag AD into the right box.

Regards,

~JG

New Member

Re: ACS 4.0 AD with local enable password

I have already configured this; it's still the same problem.

thanks

Re: ACS 4.0 AD with local enable password

Please restart the services.

Unknown user policy is not configured.

=> External user database -> Unknown user policy -> Select "check the External user database" -> under "select database" = Windows database. After configuring it, restart the ACS services.

Regards,

New Member

Re: ACS 4.0 AD with local enable password

Thank you for your quick response, but I have tried this and I still have the same problem. The problem is not with AD authentication; the problem is afterwards with the enable password: ACS 4.0 is not recognizing that the enable password is stored locally for any AD user, although I have set it to local and set it to search for it internally. The same settings in ACS 3.3 are working fine.

Thank you

Re: ACS 4.0 AD with local enable password

Check if this applies:

CSCsd86017 : ACS 4.0 separate TACACS enable password fails authentication

Affected : 4.0(1) build 27

Resolved : 4.1(1) Build 23 or higher

Regards,

Prem


New Member

Re: ACS 4.0 AD with local enable password

Yes, thank you, this is the issue, so it's a bug. Thank you again for your quick response.

One more question regarding this issue. When you say "Same setup works fine if the enable password is set to be Windows password":

so if I set the enable password to be the Windows password, will it be the same as the login password I entered previously with the username?

Thank you

Re: ACS 4.0 AD with local enable password

Yes it will.
