Cisco Support Community

ACS external database issue


I have the following issue: the user exists on both the ACS and the token server. Authentication is set to external database with no unknown user policy, as the user is known to the ACS! This fails authentication; the error message is CS user unknown... Now if the unknown user policy is set to the external database, the authentication works fine. This is on 3.3. I have checked for bugs to no avail.

Any assistance would be good...

Thanks MJ


Re: ACS external database issue

If you have the user configured in ACS with no unknown user policy, then ACS is only going to check its internal database.

So this is expected behavior.

If you have the unknown user policy set up, then ACS will check its external database.

It seems you have only the user set up in ACS, and for the password you have pointed to the external database.

So ACS knows the user but not the password. To check the user's password, it needs to forward the request to the external database.

And that part is configured in the unknown user policy.



Do rate helpful posts


Re: ACS external database issue


Many thanks for your response. It is configured this way due to the documentation below:

Known Users - Users explicitly added, either manually or automatically, into the Cisco Secure ACS database.

These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "CSUtil Database Utility".

Cisco Secure ACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, Cisco Secure ACS does not have to store a user password in the CiscoSecure user database.

This is from the following link....

Many thanks MJ