ACS v4.1 isn't authenticating

May 14th, 2007

Dear,

I am trying to set up our new ACS server 4.1 but it isn't working. Can anyone help out?

Here is the output of the debug:

.May 14 13:31:57.166: TPLUS(000000E2)/0/READ/82D3520C: timed out

.May 14 13:31:57.166: TPLUS: Authentication start packet created for 226(test)

.May 14 13:31:57.166: TPLUS(000000E2)/0/READ/82D3520C: timed out, clean up

.May 14 13:31:57.166: TPLUS(000000E2)/0/82D3520C: Processing the reply packet

.May 14 13:31:59.177: AAA/AUTHEN/LOGIN (000000E2): Pick method list 'default'

.May 14 13:31:59.177: TPLUS: Queuing AAA Authentication request 226 for processing

.May 14 13:31:59.177: TPLUS: processing authentication start request id 226

.May 14 13:31:59.181: TPLUS: Authentication start packet created for 226()

.May 14 13:31:59.181: TPLUS: Using server 10.230.250.180

.May 14 13:31:59.185: TPLUS(000000E2)/0/NB_WAIT/830DF408: Started 15 sec timeout

.May 14 13:31:59.189: TPLUS(000000E2)/0/NB_WAIT: socket event 2

.May 14 13:31:59.189: TPLUS(000000E2)/0/NB_WAIT: wrote entire 38 bytes request

.May 14 13:31:59.189: TPLUS(000000E2)/0/READ: socket event 1

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: Would block while reading

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: socket event 1

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: read entire 12 header bytes (expect 16 bytes data)

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: socket event 1

.May 14 13:31:59.197: TPLUS(000000E2)/0/READ: read entire 28 bytes response

.May 14 13:31:59.197: TPLUS(000000E2)/0/830DF408: Processing the reply packet

.May 14 13:31:59.197: TPLUS: Received authen response status GET_USER (7)



Jagdeep Gambhir Mon, 05/14/2007 - 05:25

Do you get any hits in ACS failed attempts? Make sure that there is no mismatch in the shared secret key.


Also the issue could be with ip tacacs source interface.


The switch should use IP address as source address for tacacs which is defined in acs --->aaa clients.



http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_i2ht.htm#wp1227581


Regards,




Richard Burts Tue, 05/15/2007 - 04:13

Hesham


It looks to me like the debug stopped too soon. The last line posted was:

.May 14 13:31:59.197: TPLUS: Received authen response status GET_USER (7)

which appears to indicate that the router has communicated with the server and has been requested to get the userID. This is part of normal processing.


I realize that the debug started with an indication of a timeout and that there may be a problem. But we do not see the context or the processing of the transaction that timed out. The amount and particular part of the debug posted is not enough to help us see the problem. Perhaps a posting with more of the debug would be helpful.


HTH


Rick

hyousry78 Tue, 05/15/2007 - 05:54

Here you go:


I hope this can help


May 15 16:53:12.302: TPLUS(00000111)/0/READ/8300FB44: timed out

May 15 16:53:12.302: TPLUS: Authentication start packet created for 273(vodafone)

May 15 16:53:12.302: TPLUS(00000111)/0/READ/8300FB44: timed out, clean up

May 15 16:53:12.302: TPLUS(00000111)/0/8300FB44: Processing the reply packet

May 15 16:53:14.305: AAA/AUTHEN/LOGIN (00000111): Pick method list 'default'

May 15 16:53:14.305: TPLUS: Queuing AAA Authentication request 273 for processing

May 15 16:53:14.305: TPLUS: processing authentication start request id 273

May 15 16:53:14.309: TPLUS: Authentication start packet created for 273()

May 15 16:53:14.309: TPLUS: Using server 10.230.250.180

May 15 16:53:14.313: TPLUS(00000111)/0/NB_WAIT/8300FB44: Started 15 sec timeout

May 15 16:53:14.317: TPLUS(00000111)/0/NB_WAIT: socket event 2

May 15 16:53:14.317: TPLUS(00000111)/0/NB_WAIT: wrote entire 38 bytes request

May 15 16:53:14.317: TPLUS(00000111)/0/READ: socket event 1

May 15 16:53:14.317: TPLUS(00000111)/0/READ: Would block while reading

May 15 16:53:14.321: TPLUS(00000111)/0/READ: socket event 1

May 15 16:53:14.321: TPLUS(00000111)/0/READ: read entire 12 header bytes (expect 16 bytes data)

May 15 16:53:14.321: TPLUS(00000111)/0/READ: socket event 1

May 15 16:53:14.321: TPLUS(00000111)/0/READ: read entire 28 bytes response

May 15 16:53:14.321: TPLUS(00000111)/0/8300FB44: Processing the reply packet

May 15 16:53:14.325: TPLUS: Received authen response status GET_USER (7)

May 15 16:53:20.904: TPLUS: Queuing AAA Authentication request 273 for processing

May 15 16:53:20.904: TPLUS: processing authentication continue request id 273

May 15 16:53:20.904: TPLUS: Authentication continue packet generated for 273

May 15 16:53:20.904: TPLUS(00000111)/0/WRITE/8300FB44: Started 15 sec timeout

May 15 16:53:20.904: TPLUS(00000111)/0/WRITE: write to 10.230.250.180 failed with errno 13()

May 15 16:53:20.908: TPLUS: Authentication start packet created for 273(vodafone



It is also starting with a timeout. I really don't know; I think I have something wrong with the configuration of this box. Can you help me out?


Richard Burts Wed, 05/16/2007 - 17:43

Hesham


The additional debug information is helpful, though it does not get me to the point of finding the solution to the problem. Probably the most important part of this output is this line:

May 15 16:53:20.904: TPLUS(00000111)/0/WRITE: write to 10.230.250.180 failed with errno 13()

I am not clear what error number 13 represents, but it does clearly show that there is some difficulty between your router and the server.


Are there any log messages on the server which would help to identify what the problem is?


If you would post the config (or at least all the parts for aaa and for tacacs server), then I would look at them and see if I see a problem.


HTH


Rick
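
A triage script for the TACACS+ debug output posted in this thread, added here as an example and not written by any of the posters. It runs over a few lines copied from the second capture (wrapped lines rejoined) and pulls out the timeouts, the server replies and the write failure; the names `triage` and `summarize` are made up for the illustration.

```python
import re

# A few debug lines copied from the second capture in this thread,
# with the terminal-wrapped lines rejoined.
SAMPLE = """\
May 15 16:53:12.302: TPLUS(00000111)/0/READ/8300FB44: timed out
May 15 16:53:14.309: TPLUS: Using server 10.230.250.180
May 15 16:53:14.313: TPLUS(00000111)/0/NB_WAIT/8300FB44: Started 15 sec timeout
May 15 16:53:14.317: TPLUS(00000111)/0/NB_WAIT: wrote entire 38 bytes request
May 15 16:53:14.321: TPLUS(00000111)/0/READ: read entire 12 header bytes (expect 16 bytes data)
May 15 16:53:14.321: TPLUS(00000111)/0/READ: read entire 28 bytes response
May 15 16:53:14.325: TPLUS: Received authen response status GET_USER (7)
May 15 16:53:20.904: TPLUS(00000111)/0/WRITE: write to 10.230.250.180 failed with errno 13()
"""

# Optional leading "." as seen in the first capture, then timestamp, then message.
LINE = re.compile(r"^\.?(?P<ts>\w{3}\s+\d+ [\d:.]+): (?P<msg>.*)$")
SESSION = re.compile(r"^TPLUS\((?P<sid>[0-9A-F]+)\)")
RULES = [
    ("timeout", re.compile(r": timed out\b")),
    ("write_failed", re.compile(r"write to (?P<server>\S+) failed with errno (?P<errno>\d+)")),
    ("server", re.compile(r"Using server (?P<server>\S+)")),
    ("status", re.compile(r"Received authen response status (?P<status>\w+)")),
]

def triage(text):
    """Return the lines that matter for fault isolation, in capture order."""
    events, sid = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s = SESSION.match(m["msg"])
        if s:
            sid = s["sid"]  # assumption: id-less lines belong to the last session seen
        for kind, rx in RULES:
            hit = rx.search(m["msg"])
            if hit:
                events.append({"ts": m["ts"], "session": sid, "kind": kind, **hit.groupdict()})
    return events

def summarize(events):
    """Count timeouts; list replies and (server, errno, replied_earlier) write failures."""
    out = {"timeouts": 0, "replies": [], "write_failures": []}
    for e in events:
        if e["kind"] == "timeout":
            out["timeouts"] += 1
        elif e["kind"] == "status":
            out["replies"].append(e["status"])
        elif e["kind"] == "write_failed":
            out["write_failures"].append((e["server"], int(e["errno"]), bool(out["replies"])))
    return out
```

The third field of each write failure records whether a server reply had already been seen in the capture, which separates "server never answered" from "server answered, then the connection failed".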

Jagdeep Gambhir Thu, 05/17/2007 - 04:40

Hi,

Please try this:


Enter the no tacacs-server host global configuration command, followed by the tacacs-server host global configuration command.


Hope that helps!


Regards,
