Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.2 Active Directory

Firstly, thanks for taking the time to read my post / question.

I'm currently in the process of setting up an ACS 5.2 device and authenticating wired clients via their AD credentials (Single Sign On option in Win 7). The question I have is, what happens to the set-up if the AD servers become unavailable?

I can use the command

authentication event server dead action authorize vlan XXX

To help mitigate any issues should the ACS servers fail however if the AD server goes down is the authentication treated as a failure?

I've tested every other eventuality on my test setup however this is one that I can't test and can't seem to find any documentation about.

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS 5.2 Active Directory

Hi,

One of the wonderful features of ACS 5.x is that you can define what to do when the AD is unavailable!!

Please take a look at the screenshot.

When AD is unavailable, the process will fail and you can specify what to do with the authentication: Reject, Drop or Continue.

"Continue" will work as a passed authentication.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

4 REPLIES
Cisco Employee

Re: ACS 5.2 Active Directory

Hi Jason,

first you can have several Domain Controllers in your AD, so that limits the down possibility.

What ACS decides the authentication is, is configurable, If AD is your only database in the policy you can decide in the advanced options if you consider "user not found" as reject or not, if you consider "process failed" as drop or reject etc ...

Accses policies-> your policy-> identity-> advanced options.

If you set drop on ACs, it will become a "no-response" on the switch.

Hope this helps,

Nicolas

===

Don't forget to rate answers that you find useful

Cisco Employee

Re: ACS 5.2 Active Directory

Hi,

One of the wonderful features of ACS 5.x is that you can define what to do when the AD is unavailable!!

Please take a look at the screenshot.

When AD is unavailable, the process will fail and you can specify what to do with the authentication: Reject, Drop or Continue.

"Continue" will work as a passed authentication.

HTH,

Tiago

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

New Member

Re: ACS 5.2 Active Directory

Tiago,

Many thanks for your reply, come to think of it, I do remember seeing those options when settings things up.

Regards

New Member

ACS 5.2 Active Directory

Hi Tiago

I'm using PEAP MSCHAP for user authentication, as I can resolve the authentication if the AD is down

Regards

fixie rider
1610
Views
9
Helpful
4
Replies
CreatePlease to create content