06-05-2007 11:02 PM - edited 03-10-2019 03:11 PM
Two SACS1113 act as AAA servers with the same config; one can authenticate, the other can't. The AAA client's debug authentication information:
3_lou_3550# debug aaa authentication
AAA Authentication debugging is on
3_lou_3550#ter mo
3_lou_3550#ter monitor
3_lou_3550#
2w5d: AAA: parse name=tty2 idb type=-1 tty=-1
2w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
2w5d: AAA/MEMORY: create_user (0x1BE49F0) user='NULL' ruser='NULL' ds0=0 port='t
ty2' rem_addr='136.3.197.133' authen_type=ASCII service=LOGIN priv=1 initial_tas
k_id='0', vrf= (id=0)
2w5d: AAA/AUTHEN/START (1903815741): port='tty2' list='' action=LOGIN service=LO
GIN
2w5d: AAA/AUTHEN/START (1903815741): using "default" list
2w5d: AAA/AUTHEN/START (1903815741): Method=AAA-Server-Group (tacacs+)
2w5d: TAC+: send AUTHEN/START packet ver=192 id=1903815741
2w5d: AAA/AUTHEN (1903815741): status = ERROR
2w5d: AAA/AUTHEN/START (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): status = GETUSER
2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='(undef)')
2w5d: AAA/AUTHEN (1903815741): status = GETUSER
2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): status = GETPASS
2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='xiaofei')
2w5d: AAA/AUTHEN (1903815741): status = GETPASS
2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): User not found
2w5d: AAA/AUTHEN (1903815741): status = FAIL
2w5d: AAA/AUTHEN/ABORT: (1903815741) because Unknown.
2w5d: AAA/MEMORY: free_user_quiet (0x1BE49F0) user='xiaofei' ruser='NULL' port='
tty2' rem_addr='136.3.197.133' authen_type=1 service=1 priv=1
2w5d: AAA: parse name=tty2 idb type=-1 tty=-1
2w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
2w5d: AAA/MEMORY: create_user (0x1E570D0) user='NULL' ruser='NULL' ds0=0 port='t
ty2' rem_addr='136.3.197.133' authen_type=ASCII service=LOGIN priv=1 initial_tas
k_id='0', vrf= (id=0)
2w5d: AAA/AUTHEN/START (3942972894): port='tty2' list='' action=LOGIN service=LO
GIN
2w5d: AAA/AUTHEN/START (3942972894): using "default" list
2w5d: AAA/AUTHEN/START (3942972894): Method=AAA-Server-Group (tacacs+)
2w5d: TAC+: send AUTHEN/START packet ver=192 id=3942972894
2w5d: AAA/AUTHEN (3942972894): status = ERROR
2w5d: AAA/AUTHEN/START (3942972894): Method=LOCAL
2w5d: AAA/AUTHEN (3942972894): status = GETUSER
3_lou_3550#no debug all
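As an added example (not part of the original posts), the debug output above can be reduced to a per-session list of the methods tried and the last status each returned, which makes the TACACS+ ERROR followed by fallback to LOCAL easy to spot across many sessions. It assumes uptime-style timestamps as in this capture; the function names are illustrative.

```python
import re
# Excerpt of the debug output posted above, terminal line wrap included.
SAMPLE = """\
2w5d: AAA/AUTHEN/START (1903815741): port='tty2' list='' action=LOGIN service=LO
GIN
2w5d: AAA/AUTHEN/START (1903815741): Method=AAA-Server-Group (tacacs+)
2w5d: TAC+: send AUTHEN/START packet ver=192 id=1903815741
2w5d: AAA/AUTHEN (1903815741): status = ERROR
2w5d: AAA/AUTHEN/START (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL
2w5d: AAA/AUTHEN (1903815741): status = FAIL
3_lou_3550#no debug all
"""

RECORD = re.compile(r"^\w+: (?:AAA|TAC\+)")   # assumes uptime-style stamps (2w5d:)
PROMPT = re.compile(r"^\S+#")                 # CLI prompt with echoed command
SESSION = re.compile(r"AAA/AUTHEN\S* \((\d+)\): (.*)")

def unwrap(text):
    """Rejoin records that the terminal wrapped at the screen width."""
    records = []
    for line in text.splitlines():
        if PROMPT.match(line) or not line.strip():
            continue
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line   # the wrap splits mid-token, so no separator
    return records

def summarize(text):
    """Map session id -> [[method, last status seen under it], ...] in order."""
    sessions = {}
    for rec in unwrap(text):
        m = SESSION.search(rec)
        if not m:
            continue
        steps = sessions.setdefault(m.group(1), [])
        key, _, value = (s.strip() for s in m.group(2).partition("="))
        if key == "Method" and (not steps or steps[-1][0] != value):
            steps.append([value, None])
        elif key == "status" and steps:
            steps[-1][1] = value
    return sessions

def server_fallbacks(sessions):
    """Ids where the server group returned ERROR and a later method was tried."""
    return [sid for sid, steps in sessions.items() if any(
        m.startswith("AAA-Server-Group") and s == "ERROR" for m, s in steps[:-1])]
```

A session listed by `server_fallbacks` never got a usable answer from the AAA server group, so the device decided the login against its local user database instead.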
06-06-2007 03:54 AM
Hi,
If you are sure all services on your second ACS server are running fine (which can be confirmed by consoling in and issuing the command "show") and this ACS SE is reachable, then the Proxy Distribution Table settings are probably not correct. Try this:
On the ACS hardware/appliance, go to
Reports and Activity > Appliance Status Page >
From "NIC Configuration", copy the IP address of the ACS SE.
Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
Note down the "Name" against the IP address of the ACS SE.
Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it, and move all other entries under the "AAA Servers" column, and press "Submit + Restart".
Regards,
Prem