This issue occurs due to the presence of Cisco bug ID CSCeb78279.
CiscoSecure ACS for Windows version 3.2 does not give consistent results when authenticating users who exist in the Windows Active Directory (AD) External Users Database.
If there are two Windows domains configured, only users in one domain are authenticated when only the username is specified. When CiscoSecure ACS for Windows is restarted, it sometimes works for users in only the first domain. On other occasions, it works only for users in the second domain.
As a workaround, download and upgrade the software to any of these versions: