ACS v4.1 isn't authenticating

hyousry78 · ‎05-14-2007

Dear,

I am trying to setup our new ACS server 4.1 but it isn't working . can any one help out?

here is the output of the debug:

.May 14 13:31:57.166: TPLUS(000000E2)/0/READ/82D3520C: timed out

.May 14 13:31:57.166: TPLUS: Authentication start packet created for 226(test)

.May 14 13:31:57.166: TPLUS(000000E2)/0/READ/82D3520C: timed out, clean up

.May 14 13:31:57.166: TPLUS(000000E2)/0/82D3520C: Processing the reply packet

.May 14 13:31:59.177: AAA/AUTHEN/LOGIN (000000E2): Pick method list 'default'

.May 14 13:31:59.177: TPLUS: Queuing AAA Authentication request 226 for processi

ng

.May 14 13:31:59.177: TPLUS: processing authentication start request id 226

.May 14 13:31:59.181: TPLUS: Authentication start packet created for 226()

.May 14 13:31:59.181: TPLUS: Using server 10.230.250.180

.May 14 13:31:59.185: TPLUS(000000E2)/0/NB_WAIT/830DF408: Started 15 sec timeout

.May 14 13:31:59.189: TPLUS(000000E2)/0/NB_WAIT: socket event 2

.May 14 13:31:59.189: TPLUS(000000E2)/0/NB_WAIT: wrote entire 38 bytes request

.May 14 13:31:59.189: TPLUS(000000E2)/0/READ: socket event 1

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: Would block while reading

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: socket event 1

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: read entire 12 header bytes (expec

t 16 bytes data)

.May 14 13:31:59.193: TPLUS(000000E2)/0/READ: socket event 1

.May 14 13:31:59.197: TPLUS(000000E2)/0/READ: read entire 28 bytes response

.May 14 13:31:59.197: TPLUS(000000E2)/0/830DF408: Processing the reply packet

.May 14 13:31:59.197: TPLUS: Received authen response status GET_USER (7)

Jagdeep Gambhir · ‎05-14-2007

Do you get any hits in acs failed attempts ? Make sure that there is no mismatch in shared secret key

Also the issue could be with ip tacacs source interface.

The switch should use IP address as source address for tacacs which is defined in acs --->aaa clients.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tsec_r/sec_i2ht.htm#wp1227581

Regards,

Richard Burts · ‎05-15-2007

Hesham

It looks to me like the debug stopped too soon. The last line posted was:

.May 14 13:31:59.197: TPLUS: Received authen response status GET_USER (7)

which appears to indicate that the router has communicated with the server and has been requested to get the userID. This is part of normal processing.

I realize that the debug started with an indication of a timeout and that there may be a problem. But we do not see the context or the processing of the transaction that timed out. The amount and particular part of the debug posted is not enough to help us see the problem. Perhaps a posting with more of the debug would be helpful.

HTH

Rick

HTH

Rick

hyousry78 · ‎05-15-2007

Here you go:

I wish this can help

May 15 16:53:12.302: TPLUS(00000111)/0/READ/8300FB44: timed out

May 15 16:53:12.302: TPLUS: Authentication start packet created for 273(vodafone

)

May 15 16:53:12.302: TPLUS(00000111)/0/READ/8300FB44: timed out, clean up

May 15 16:53:12.302: TPLUS(00000111)/0/8300FB44: Processing the reply packet

May 15 16:53:14.305: AAA/AUTHEN/LOGIN (00000111): Pick method list 'default'

May 15 16:53:14.305: TPLUS: Queuing AAA Authentication request 273 for processin

g

May 15 16:53:14.305: TPLUS: processing authentication start request id 273

May 15 16:53:14.309: TPLUS: Authentication start packet created for 273()

May 15 16:53:14.309: TPLUS: Using server 10.230.250.180

May 15 16:53:14.313: TPLUS(00000111)/0/NB_WAIT/8300FB44: Started 15 sec timeout

May 15 16:53:14.317: TPLUS(00000111)/0/NB_WAIT: socket event 2

May 15 16:53:14.317: TPLUS(00000111)/0/NB_WAIT: wrote entire 38 bytes request

May 15 16:53:14.317: TPLUS(00000111)/0/READ: socket event 1

May 15 16:53:14.317: TPLUS(00000111)/0/READ: Would block while reading

May 15 16:53:14.321: TPLUS(00000111)/0/READ: socket event 1

May 15 16:53:14.321: TPLUS(00000111)/0/READ: read entire 12 header bytes (expect

16 bytes data)

May 15 16:53:14.321: TPLUS(00000111)/0/READ: socket event 1

May 15 16:53:14.321: TPLUS(00000111)/0/READ: read entire 28 bytes response

May 15 16:53:14.321: TPLUS(00000111)/0/8300FB44: Processing the reply packet

May 15 16:53:14.325: TPLUS: Received authen response status GET_USER (7)

May 15 16:53:20.904: TPLUS: Queuing AAA Authentication request 273 for processin

g

May 15 16:53:20.904: TPLUS: processing authentication continue request id 273

May 15 16:53:20.904: TPLUS: Authentication continue packet generated for 273

May 15 16:53:20.904: TPLUS(00000111)/0/WRITE/8300FB44: Started 15 sec timeout

May 15 16:53:20.904: TPLUS(00000111)/0/WRITE: write to 10.230.250.180 failed wit

h errno 13()

May 15 16:53:20.908: TPLUS: Authentication start packet created for 273(vodafone

It is also starting with timeout i really don't know, i think i have something wrong with the configuration of this box, can you help me out?

Richard Burts · ‎05-16-2007

Hesham

The additional debug information is helpful, though it does not get me to the point of finding the solution to the problem. Probably the most important part of this output is this line:

May 15 16:53:20.904: TPLUS(00000111)/0/WRITE: write to 10.230.250.180 failed with errno 13()

I am not clear what error number 13 represents, but it does clearly show that there is some difficulty between your route and the server.

Are there any log messages on the server which would help to identify what the problem is?

If you would post the config (or at least all the parts for aaa and for tacacs server, then I would look at them and see if I see a problem.

HTH

Rick

HTH

Rick

Jagdeep Gambhir · ‎05-17-2007

Hi ,

Please try this,

Enter the no tacacs-server host in global configuration command followed by the tacacs-server host global configuration command.

Hope that helps !

Regards,