Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

External Database error when validating local database users

We have been having an issue since we configured external database validation (Windows type)in our ACS 1111 appliances (2). As a summary, let me tell that we have basicly 2 kinds of users: local cisco database (mac addresses for wireless authentication) and external users (windows users) for vpn and administration purposes). We have not been able yet to find the exact cause of this misbehavior, but sometimes there comes a moment that both of our appliances start to log every local authentication against the external windows database (the entry in the failed attempts log says "EXTERNAL DATABASE RESTRICTION). In our platform, we have 2 appliances configured to use 2 external agent servers (for high availability) configured as indicated in the RA installatrion notes. As I said before, this situation happens suddenly and after several times, we have not been able to find a posible path or scheme to delimitate the situation. The only wok arround we have found is to disable external database use (in fact we have to delete the external database configuration) ans many time we need to re-define the remote agents within ACS. After this (I mean we enforce authentication to the local Cisco secure database), as soon as local authentication works again, we redefine the external databse access and it starts working as required until the next misbehavior (it could be days, weeks or months). We've had ACS versions 3.2.2, 3.2.3 and finally we are at 3.3.3. Any idea of what could be happening, and more importan, how do we solve it completely? Thanx in advance.


Re: External Database error when validating local database users


Its a hunch but I suspect that 4.0 may well work better. There were various "issues" introduced into 3.2 to 3.3 wrt RSA external authentication.

I remember fixing one where new pin mode would totally break ACS... athough it was so long ago I dont remember the DDTS no.

I think you should contact the TAC about this one.


CreatePlease login to create content