SACS1113 - ACS 4.1 - authentication problem

Jun 5th, 2007

Two SACS1113 act as AAA servers with the same config; one can authenticate, the other can't. The AAA client's debug authentication information:

3_lou_3550# debug aaa authentication
AAA Authentication debugging is on
3_lou_3550#ter mo
3_lou_3550#ter monitor
3_lou_3550#
2w5d: AAA: parse name=tty2 idb type=-1 tty=-1
2w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
2w5d: AAA/MEMORY: create_user (0x1BE49F0) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='136.3.197.133' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
2w5d: AAA/AUTHEN/START (1903815741): port='tty2' list='' action=LOGIN service=LOGIN
2w5d: AAA/AUTHEN/START (1903815741): using "default" list
2w5d: AAA/AUTHEN/START (1903815741): Method=AAA-Server-Group (tacacs+)
2w5d: TAC+: send AUTHEN/START packet ver=192 id=1903815741
2w5d: AAA/AUTHEN (1903815741): status = ERROR
2w5d: AAA/AUTHEN/START (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): status = GETUSER
2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='(undef)')
2w5d: AAA/AUTHEN (1903815741): status = GETUSER
2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): status = GETPASS
2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='xiaofei')
2w5d: AAA/AUTHEN (1903815741): status = GETPASS
2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): User not found
2w5d: AAA/AUTHEN (1903815741): status = FAIL
2w5d: AAA/AUTHEN/ABORT: (1903815741) because Unknown.
2w5d: AAA/MEMORY: free_user_quiet (0x1BE49F0) user='xiaofei' ruser='NULL' port='tty2' rem_addr='136.3.197.133' authen_type=1 service=1 priv=1
2w5d: AAA: parse name=tty2 idb type=-1 tty=-1
2w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
2w5d: AAA/MEMORY: create_user (0x1E570D0) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='136.3.197.133' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
2w5d: AAA/AUTHEN/START (3942972894): port='tty2' list='' action=LOGIN service=LOGIN
2w5d: AAA/AUTHEN/START (3942972894): using "default" list
2w5d: AAA/AUTHEN/START (3942972894): Method=AAA-Server-Group (tacacs+)
2w5d: TAC+: send AUTHEN/START packet ver=192 id=3942972894
2w5d: AAA/AUTHEN (3942972894): status = ERROR
2w5d: AAA/AUTHEN/START (3942972894): Method=LOCAL
2w5d: AAA/AUTHEN (3942972894): status = GETUSER
3_lou_3550#no debug all

Premdeep Banga Wed, 06/06/2007 - 03:54

Hi,

If you are sure all services on your second ACS server are running fine (which can be confirmed by consoling in and issuing the command "show") and this ACS SE is reachable, then probably the Proxy Distribution Table settings are not correct. Try this:

On the ACS hardware/appliance, go to:

Reports and Activity > Appliance Status Page >

From "NIC Configuration", copy the IP address of the ACS SE.

Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.

Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.

Note down the "Name" against the IP address of the ACS SE.

Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it, and move all other entries under the "AAA Servers" column, and press "Submit + Restart".

Regards,

Prem
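
In the debug output in the question, the tacacs+ method returns ERROR and the switch falls through to LOCAL, where the user is not found. The following Python sketch is an added example, not part of the original thread: it groups such debug lines by session id and reports each fallback. The function names and the sample string are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the debug output in the question, unwrapped.
SAMPLE = """\
2w5d: AAA/AUTHEN/START (1903815741): Method=AAA-Server-Group (tacacs+)
2w5d: AAA/AUTHEN (1903815741): status = ERROR
2w5d: AAA/AUTHEN/START (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): status = GETUSER
2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='xiaofei')
2w5d: AAA/AUTHEN (1903815741): status = GETPASS
2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): User not found
2w5d: AAA/AUTHEN (1903815741): status = FAIL
2w5d: AAA/AUTHEN/START (3942972894): Method=AAA-Server-Group (tacacs+)
2w5d: AAA/AUTHEN (3942972894): status = ERROR
2w5d: AAA/AUTHEN/START (3942972894): Method=LOCAL
2w5d: AAA/AUTHEN (3942972894): status = GETUSER
"""

LINE = re.compile(r"AAA/AUTHEN(?:/\w+)?:? \((\d+)\):? (.*)")

def parse_sessions(text):
    """Group AAA/AUTHEN debug lines by session id: methods tried, their statuses, user."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a session id in parentheses (TAC+, AAA/MEMORY)
        sid, rest = m.groups()
        s = sessions.setdefault(sid, {"methods": [], "user": None})
        user = re.search(r"user='([^']*)'", rest)
        if rest.startswith("Method="):
            if not s["methods"] or s["methods"][-1]["name"] != rest[7:]:
                s["methods"].append({"name": rest[7:], "statuses": []})
        elif rest.startswith("status = ") and s["methods"]:
            s["methods"][-1]["statuses"].append(rest[9:])
        elif user and user.group(1) not in ("NULL", "(undef)"):
            s["user"] = user.group(1)
    return sessions

def server_fallbacks(sessions):
    """Report sessions where a method returned ERROR and the next method in the list ran.
    ERROR means the method gave no answer (IOS tries the next one); FAIL is a rejection."""
    out = []
    for sid, s in sessions.items():
        for meth, nxt in zip(s["methods"], s["methods"][1:]):
            if "ERROR" in meth["statuses"]:
                final = nxt["statuses"][-1] if nxt["statuses"] else None
                out.append((sid, meth["name"], nxt["name"], s["user"], final))
    return out
```

Each tuple is (session id, method that returned ERROR, method tried next, user name if one was entered, last status seen for that next method).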
