This document describes issues that arise when an AAA client uses Cisco Secure Access Control Server (ACS) to authenticate users and ACS, in turn, refers to multiple external databases to authenticate them.
This document assumes that Cisco Secure ACS is installed and works properly along with three Windows Domain Controller servers (named domain1, domain2, and domain3) that hold user databases.
The information in this document is based on the Cisco Secure ACS software.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
When a user tries to log in through an AAA client (such as a router, switch, or access point) and enters the wrong password only once, the user's Active Directory account is locked out. The AAA client authenticates through an ACS server that references external Microsoft Windows databases.
The resolution for this behavior lies in how Windows authentication is configured on the ACS. If you choose External User Databases > Database Configuration > Windows Database > Configure, you enter the Configure Domain List section, which lists the domains in two columns. You do not want any domains listed in the right-hand column. These columns do not do what the GUI would have you believe they do.
For example, consider an ACS that is configured for three external domains (databases) named domain1, domain2, and domain3 and that authenticates a user named user1. If the right column is populated, authentication is attempted in this order:
1. user1 with a blank domain is tried.
2. If step 1 fails, user1 with the domain1 domain is tried.
3. If step 2 fails, user1 with the domain2 domain is tried.
4. If step 3 fails, user1 with the domain3 domain is tried.
The server on which you authenticate automatically forwards these authentication attempts to its domain controller if the user is not in its local database. The result is that a single failed authentication for user1 produces four failed attempts against the various domains, which is why one mistyped password can lock out the account.
If your configuration is similar to what this document describes, move the domains back to the left column in order to resolve this issue.