BASIC CONFIGURATION FOR WINDOWS AUTHENTICATION ONLY FOR ACS FOR WINDOWS

Make sure you have performed the post-installation tasks for ACS before applying the configuration below:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/postin.html#wp1041202

After successfully completing these items:

- Configuring Local Security Policies
- ACS Services
- Enable NetBIOS
- Ensure DNS operation

proceed with the following configuration on the ACS end.

1. Go to ACS -> External User Databases -> Unknown User Policy.
2. Select the option "Check the following external user databases".
3. Move the Windows database to the right-hand side.
4. And check the option "The database in which the user profile is held."

Click on Submit and then select the option "Database Group Mappings".

Then select Windows Database.

Click on New Configuration: select your domain name and click on Submit.

Now click on the domain name:

And the default group for the Windows users who belong to the defined Windows group set.

Now come back to the first page of External User Databases.

Click Windows Database -> Configure:

Check the option "Verify that "Grant dialin permission to user" setting has been enabled from within the Windows User Manager for users configured for Windows User Database authentication" if required; this option is optional.

Select the box next to Unknown User Policy and move the domain under the domain list column/box.

Enable the options below under the MS-CHAP settings section:

- Enable password changes using MS-CHAP version 1.
- Enable password changes using MS-CHAP version 2.

Test authentication and see if it passes or fails.
For more information, please go through the links below:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353791
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html#wpxref40759

Any error in the failed attempts that starts with External DB indicates an issue with external database authentication; the database can be Windows, LDAP, ODBC or something else.

Common error messages:

Auth type not supported by External DB
Solution: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K24308566

External DB account Restriction
Solution: http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K19031787

ACS External DB is not operational
This mostly happens on the ACS Solution Engine when there are issues with the remote agent, or when the ACS for Windows machine is not on the domain.

External DB user invalid or bad password
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K65242111

The following messages are output when ACS does not have reachability to Active Directory:

- "External DB user invalid or bad password"
- "InternalError"
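
The triage described above, as an added example (not Cisco's code and not part of the original document): it reads a Failed Attempts CSV export and groups the external-database failures by message. The column names Authen-Failure-Code and User-Name, the sample rows and the many_users threshold are assumptions; adjust them to your own export.

```python
import csv
import io
from collections import defaultdict

# Notes per failure message, taken from the troubleshooting text above.
HINTS = {
    "Auth type not supported by External DB": "see the solution link for this message",
    "External DB account Restriction": "see the solution link for this message",
    "ACS External DB is not operational":
        "remote agent issue (Solution Engine) or ACS for Windows machine not on the domain",
    "External DB user invalid or bad password":
        "bad credentials, or ACS has no reachability to Active Directory",
    "InternalError": "ACS has no reachability to Active Directory",
}

# Constructed sample rows (not real log data); header names are assumed.
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Authen-Failure-Code,NAS-IP-Address
01/15/2010,09:00:01,Authen failed,alice,External DB user invalid or bad password,192.0.2.1
01/15/2010,09:00:03,Authen failed,bob,External DB user invalid or bad password,192.0.2.1
01/15/2010,09:00:04,Authen failed,carol,External DB user invalid or bad password,192.0.2.1
01/15/2010,09:00:09,Authen failed,Alice,External DB user invalid or bad password,192.0.2.1
01/15/2010,09:01:10,Authen failed,dave,InternalError,192.0.2.1
01/15/2010,09:02:00,Authen failed,erin,CS password invalid,192.0.2.1
01/15/2010,09:03:30,Authen failed,frank,ACS External DB is not operational,192.0.2.1
"""

def triage(log_text, code_col="Authen-Failure-Code", user_col="User-Name", many_users=3):
    """Group external-database failures by message, most affected users first."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        code = (row.get(code_col) or "").strip()
        # Internal-database failures (for example "CS ...") are out of scope here.
        if "External DB" in code or code == "InternalError":
            seen[code].append((row.get(user_col) or "").strip().lower())
    report = []
    for code, users in sorted(seen.items(), key=lambda kv: (-len(set(kv[1])), kv[0])):
        report.append({
            "code": code,
            "attempts": len(users),
            "users": len(set(users)),
            # Assumption: the same failure for many distinct users points at the
            # ACS-to-database path rather than at individual credentials.
            "systemic": len(set(users)) >= many_users,
            "hint": HINTS.get(code, "external database issue (Windows, LDAP, ODBC or other)"),
        })
    return report

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```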