Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


HI all,

Currently I have a windows  ACS 4.2 version configured with External database authentication "Microsoft Active Directory" and replication from the primary ACS to the Secundary ACS.

The problem we have is that sometimes the PRIMARY ACS lose conectivity whit the Active Directory and doesn´t autenticate clients. At this point the PRIMARY ACS continue responding to the CLIENTS with and unsuccefull authentication, so clients never goint to send the requiretments to the SECONDARY ACS.


There`s any kind of solution like Shutting ACS services when the Active directory doesn`t respond ?

Could be posible configure any kind of Windows database Failover for the ACS ?

ON ACS exist the LDAP database Failover documented .

I hope someone can help me


Everyone's tags (1)
Cisco Employee



There is noting like windows database failover but you can select other database or domain if user not found or typed invalid username/password in windows database.

Unknown User Policy—If the unknown user policy contains additional external databases and the Windows database is not the last database on the Selected Databases list, you might enable this option. For example, If a user does not exist in the Windows database, or has typed an incorrect password, the error 1326(bad username or password) is returned. ACS treats this error as a wrong password error and does not default to another external database. You should enable this option when additional external databases appear after the Windows database in the Selected Databases list. When enabled, ACS searches for the unknown user in the other external databases.

Configure Domain List—ACS tries to authenticate to any domain listed in Available Domains. If your Windows users do not specify their domain when dialing up, ACS relies on Windows to try to locate the appropriate user account. However, Windows may not be able to authenticate a user properly if the same username exists in more than one trusted domain. We recommend that you ask users to enter their domains when dialing in. If this is not practical, you can define a Domain List. If ACS fails to authenticate a user because the account exists in more than one domain and a Domain List exists, ACS will then retry authentication for each domain in the list. The list order is significant: domains that appear earlier in the list will be tried first. Because of the delay (typically two seconds) for each domain that fails authentication, you should set your AAA client timeout accordingly.

For more information, please visit the below listed link:



Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**