diff --git a/consul/acl_test.go b/consul/acl_test.go
index bbf3ec051..061550da5 100644
--- a/consul/acl_test.go
+++ b/consul/acl_test.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/consul/structs"
 	"github.com/hashicorp/consul/testutil"
 )
@@ -213,6 +214,292 @@ func TestACL_NonAuthority_Found(t *testing.T) {
 	}
 }
 
+func TestACL_DownPolicy_Deny(t *testing.T) {
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLDownPolicy = "deny"
+	})
+	defer os.RemoveAll(dir1)
+	defer s1.Shutdown()
+	client := rpcClient(t, s1)
+	defer client.Close()
+
+	dir2, s2 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1" // Enable ACLs!
+		c.ACLDownPolicy = "deny"
+		c.Bootstrap = false // Disable bootstrap
+	})
+	defer os.RemoveAll(dir2)
+	defer s2.Shutdown()
+
+	// Try to join
+	addr := fmt.Sprintf("127.0.0.1:%d",
+		s1.config.SerfLANConfig.MemberlistConfig.BindPort)
+	if _, err := s2.JoinLAN([]string{addr}); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testutil.WaitForResult(func() (bool, error) {
+		p1, _ := s1.raftPeers.Peers()
+		return len(p1) == 2, errors.New(fmt.Sprintf("%v", p1))
+	}, func(err error) {
+		t.Fatalf("should have 2 peers: %v", err)
+	})
+	testutil.WaitForLeader(t, client.Call, "dc1")
+
+	// Create a new token
+	arg := structs.ACLRequest{
+		Datacenter: "dc1",
+		Op:         structs.ACLSet,
+		ACL: structs.ACL{
+			Name:  "User token",
+			Type:  structs.ACLTypeClient,
+			Rules: testACLPolicy,
+		},
+	}
+	var id string
+	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// find the non-authoritative server
+	var nonAuth *Server
+	var auth *Server
+	if !s1.IsLeader() {
+		nonAuth = s1
+		auth = s2
+	} else {
+		nonAuth = s2
+		auth = s1
+	}
+
+	// Kill the authoritative server
+	auth.Shutdown()
+
+	// Token should resolve into a DenyAll
+	aclR, err := nonAuth.resolveToken(id)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if aclR != acl.DenyAll() {
+		t.Fatalf("bad acl: %#v", aclR)
+	}
+}
+
+func TestACL_DownPolicy_Allow(t *testing.T) {
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLDownPolicy = "allow"
+	})
+	defer os.RemoveAll(dir1)
+	defer s1.Shutdown()
+	client := rpcClient(t, s1)
+	defer client.Close()
+
+	dir2, s2 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1" // Enable ACLs!
+		c.ACLDownPolicy = "allow"
+		c.Bootstrap = false // Disable bootstrap
+	})
+	defer os.RemoveAll(dir2)
+	defer s2.Shutdown()
+
+	// Try to join
+	addr := fmt.Sprintf("127.0.0.1:%d",
+		s1.config.SerfLANConfig.MemberlistConfig.BindPort)
+	if _, err := s2.JoinLAN([]string{addr}); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testutil.WaitForResult(func() (bool, error) {
+		p1, _ := s1.raftPeers.Peers()
+		return len(p1) == 2, errors.New(fmt.Sprintf("%v", p1))
+	}, func(err error) {
+		t.Fatalf("should have 2 peers: %v", err)
+	})
+	testutil.WaitForLeader(t, client.Call, "dc1")
+
+	// Create a new token
+	arg := structs.ACLRequest{
+		Datacenter: "dc1",
+		Op:         structs.ACLSet,
+		ACL: structs.ACL{
+			Name:  "User token",
+			Type:  structs.ACLTypeClient,
+			Rules: testACLPolicy,
+		},
+	}
+	var id string
+	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// find the non-authoritative server
+	var nonAuth *Server
+	var auth *Server
+	if !s1.IsLeader() {
+		nonAuth = s1
+		auth = s2
+	} else {
+		nonAuth = s2
+		auth = s1
+	}
+
+	// Kill the authoritative server
+	auth.Shutdown()
+
+	// Token should resolve into a AllowAll
+	aclR, err := nonAuth.resolveToken(id)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if aclR != acl.AllowAll() {
+		t.Fatalf("bad acl: %#v", aclR)
+	}
+}
+
+func TestACL_DownPolicy_ExtendCache(t *testing.T) {
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+		c.ACLTTL = 0
+		c.ACLDownPolicy = "extend-cache"
+	})
+	defer os.RemoveAll(dir1)
+	defer s1.Shutdown()
+	client := rpcClient(t, s1)
+	defer client.Close()
+
+	dir2, s2 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1" // Enable ACLs!
+		c.ACLTTL = 0
+		c.ACLDownPolicy = "extend-cache"
+		c.Bootstrap = false // Disable bootstrap
+	})
+	defer os.RemoveAll(dir2)
+	defer s2.Shutdown()
+
+	// Try to join
+	addr := fmt.Sprintf("127.0.0.1:%d",
+		s1.config.SerfLANConfig.MemberlistConfig.BindPort)
+	if _, err := s2.JoinLAN([]string{addr}); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testutil.WaitForResult(func() (bool, error) {
+		p1, _ := s1.raftPeers.Peers()
+		return len(p1) == 2, errors.New(fmt.Sprintf("%v", p1))
+	}, func(err error) {
+		t.Fatalf("should have 2 peers: %v", err)
+	})
+	testutil.WaitForLeader(t, client.Call, "dc1")
+
+	// Create a new token
+	arg := structs.ACLRequest{
+		Datacenter: "dc1",
+		Op:         structs.ACLSet,
+		ACL: structs.ACL{
+			Name:  "User token",
+			Type:  structs.ACLTypeClient,
+			Rules: testACLPolicy,
+		},
+	}
+	var id string
+	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// find the non-authoritative server
+	var nonAuth *Server
+	var auth *Server
+	if !s1.IsLeader() {
+		nonAuth = s1
+		auth = s2
+	} else {
+		nonAuth = s2
+		auth = s1
+	}
+
+	// Warm the caches
+	aclR, err := nonAuth.resolveToken(id)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if aclR == nil {
+		t.Fatalf("bad acl: %#v", aclR)
+	}
+
+	// Kill the authoritative server
+	auth.Shutdown()
+
+	// Token should resolve into cached copy
+	aclR2, err := nonAuth.resolveToken(id)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if aclR2 != aclR {
+		t.Fatalf("bad acl: %#v", aclR)
+	}
+}
+
+func TestACL_MultiDC_Found(t *testing.T) {
+	dir1, s1 := testServerWithConfig(t, func(c *Config) {
+		c.ACLDatacenter = "dc1"
+	})
+	defer os.RemoveAll(dir1)
+	defer s1.Shutdown()
+	client := rpcClient(t, s1)
+	defer client.Close()
+
+	dir2, s2 := testServerWithConfig(t, func(c *Config) {
+		c.Datacenter = "dc2"
+		c.ACLDatacenter = "dc1" // Enable ACLs!
+	})
+	defer os.RemoveAll(dir2)
+	defer s2.Shutdown()
+
+	// Try to join
+	addr := fmt.Sprintf("127.0.0.1:%d",
+		s1.config.SerfWANConfig.MemberlistConfig.BindPort)
+	if _, err := s2.JoinWAN([]string{addr}); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	testutil.WaitForLeader(t, client.Call, "dc1")
+	testutil.WaitForLeader(t, client.Call, "dc2")
+
+	// Create a new token
+	arg := structs.ACLRequest{
+		Datacenter: "dc1",
+		Op:         structs.ACLSet,
+		ACL: structs.ACL{
+			Name:  "User token",
+			Type:  structs.ACLTypeClient,
+			Rules: testACLPolicy,
+		},
+	}
+	var id string
+	if err := client.Call("ACL.Apply", &arg, &id); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Token should resolve
+	acl, err := s2.resolveToken(id)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if acl == nil {
+		t.Fatalf("missing acl")
+	}
+
+	// Check the policy
+	if acl.KeyRead("bar") {
+		t.Fatalf("unexpected read")
+	}
+	if !acl.KeyRead("foo/test") {
+		t.Fatalf("unexpected failed read")
+	}
+}
+
 var testACLPolicy = `
 key "" {
 	policy = "deny"