I have the following issue, user exists on both the ACS and token server authenication is set to external database with no unknown user policy as the user is known to the ACS! this fails authenication error message is CS user unknown... Now if the unknown user policy is set to the external database the authenication works fine this is on 3.3. I have checked for bugs to no avail.
Many thanks for your response, it is configured this way due the documentation below:
Known Users -Users explicitly added, either manually or automatically, into the CiscoSecureACS database.
These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "CSUtil Database Utility".
CiscoSecureACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, CiscoSecureACS does not have to store a user password in the CiscoSecure user database.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...