This document describes issues that arise when the AAA client uses the
Cisco Secure Access Control Server (ACS) in order to authenticate users and the
ACS, in turn, refers to multiple external databases in order to authenticate
This document assumes that Cisco Secure ACS is installed and works
properly along with three Windows Domain Controller servers (named domain1,
domain2 and domain3) which have user databases.
The information in this document is based on the Cisco Secure ACS
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
When a user tries to log in through an AAA client (such as a router, a
switch, or an access point) and enters the wrong password only
once, the user's Active Directory account locks out. The AAA client
authenticates through an ACS server that references the external Microsoft
The resolution for this behavior lies in how Windows authentication is
configured on the ACS. If you choose External User Databases >
Database Configuration > Windows Database > Configure, you then
enter the Configure Domain List section, which contains a list of the domains in
two columns. You do not want any domains listed in the
right-side column. These columns do not do what the GUI would have you believe
they do.
For example, consider an ACS that is configured for three external domains
(databases) named domain1, domain2, and domain3 and that authenticates the user
named user1. If the right column is populated, authentication is attempted in
1. user1 with blank domain
2. If step 1 fails, user1 with the domain1 domain is
3. If step 2 fails, user1 with the domain2 domain is tried.
4. If step 3 fails, user1 with the domain3 domain is tried.
The server that you authenticate on automatically forwards these
authentication attempts to its domain controller if the account is not in its local
database. The result is that a single failed authentication for user1
produces four authentication attempts against the various domains.
If your configuration is similar to what this document describes,
move the domains back to the left column in order to resolve this issue.
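The multiplying effect described above can be modelled to see how a populated right column interacts with an Active Directory lockout threshold. The following is an added example, not Cisco code and not taken from this document; the ACS attempt order, the domain controller lockout policy, and the assumption that every attempt for user1 is forwarded to the one domain controller holding that account are all simplified, constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class AccountState:
    bad_password_count: int = 0
    locked: bool = False


class DomainControllerModel:
    """Simplified AD lockout policy: lock the account after `threshold`
    bad passwords. Assumption (constructed): every ACS attempt for a user,
    whatever domain is prepended, reaches the DC that holds that account."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.accounts = {}

    def authenticate(self, user, password, good_password):
        state = self.accounts.setdefault(user, AccountState())
        if state.locked:
            return False
        if password == good_password:
            state.bad_password_count = 0
            return True
        state.bad_password_count += 1
        if state.bad_password_count >= self.threshold:
            state.locked = True
        return False


def acs_attempt_sequence(user, right_column_domains):
    """Order in which ACS tries the user when the right column is populated:
    blank domain first, then each listed domain if the previous try failed."""
    return [(user, "")] + [(user, d) for d in right_column_domains]


def acs_login(dc, user, password, good_password, right_column_domains):
    """One login through the AAA client. Returns (success, attempts made)."""
    attempts = 0
    for u, _domain in acs_attempt_sequence(user, right_column_domains):
        attempts += 1
        if dc.authenticate(u, password, good_password):
            return True, attempts
    return False, attempts


def wrong_passwords_to_lock(threshold, right_column_domains):
    """How many user-facing wrong passwords lock the account."""
    return math.ceil(threshold / (1 + len(right_column_domains)))
```

With a lockout threshold of 3 and three domains in the right column, one wrong password from the user produces four failed attempts at the domain controller and locks the account; with the domains moved back to the left column, the same user gets three wrong passwords before lockout.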