Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
1
Replies

SACS1113- acs4.1- authencation problem

ccie_weili714
Level 1
Level 1

‎06-05-2007 11:02 PM - edited ‎03-10-2019 03:11 PM

two SACS1113 act as AAA server,the same config,one can authencate,the other can't . the aaa client's debug authencation information .

3_lou_3550# debug aaa authentication

AAA Authentication debugging is on

3_lou_3550#ter mo

3_lou_3550#ter monitor

3_lou_3550#

2w5d: AAA: parse name=tty2 idb type=-1 tty=-1

2w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

2w5d: AAA/MEMORY: create_user (0x1BE49F0) user='NULL' ruser='NULL' ds0=0 port='t

ty2' rem_addr='136.3.197.133' authen_type=ASCII service=LOGIN priv=1 initial_tas

k_id='0', vrf= (id=0)

2w5d: AAA/AUTHEN/START (1903815741): port='tty2' list='' action=LOGIN service=LO

GIN

2w5d: AAA/AUTHEN/START (1903815741): using "default" list

2w5d: AAA/AUTHEN/START (1903815741): Method=AAA-Server-Group (tacacs+)

2w5d: TAC+: send AUTHEN/START packet ver=192 id=1903815741

2w5d: AAA/AUTHEN (1903815741): status = ERROR

2w5d: AAA/AUTHEN/START (1903815741): Method=LOCAL

2w5d: AAA/AUTHEN (1903815741): status = GETUSER

2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='(undef)')

2w5d: AAA/AUTHEN (1903815741): status = GETUSER

2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL

2w5d: AAA/AUTHEN (1903815741): status = GETPASS

2w5d: AAA/AUTHEN/CONT (1903815741): continue_login (user='xiaofei')

2w5d: AAA/AUTHEN (1903815741): status = GETPASS

2w5d: AAA/AUTHEN/CONT (1903815741): Method=LOCAL

2w5d: AAA/AUTHEN (1903815741): User not found

2w5d: AAA/AUTHEN (1903815741): status = FAIL

2w5d: AAA/AUTHEN/ABORT: (1903815741) because Unknown.

2w5d: AAA/MEMORY: free_user_quiet (0x1BE49F0) user='xiaofei' ruser='NULL' port='

tty2' rem_addr='136.3.197.133' authen_type=1 service=1 priv=1

2w5d: AAA: parse name=tty2 idb type=-1 tty=-1

2w5d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

2w5d: AAA/MEMORY: create_user (0x1E570D0) user='NULL' ruser='NULL' ds0=0 port='t

ty2' rem_addr='136.3.197.133' authen_type=ASCII service=LOGIN priv=1 initial_tas

k_id='0', vrf= (id=0)

2w5d: AAA/AUTHEN/START (3942972894): port='tty2' list='' action=LOGIN service=LO

GIN

2w5d: AAA/AUTHEN/START (3942972894): using "default" list

2w5d: AAA/AUTHEN/START (3942972894): Method=AAA-Server-Group (tacacs+)

2w5d: TAC+: send AUTHEN/START packet ver=192 id=3942972894

2w5d: AAA/AUTHEN (3942972894): status = ERROR

2w5d: AAA/AUTHEN/START (3942972894): Method=LOCAL

2w5d: AAA/AUTHEN (3942972894): status = GETUSER

3_lou_3550#no debug all

Labels:
0 Helpful
1 Reply 1

Premdeep Banga
Level 7
Level 7

‎06-06-2007 03:54 AM

Hi,

If you are sure all services on your second ACS server are running fine, which can be confirmed by consoling in and issuing command "show".

And this ACS SE is reachable. Then probably Proxy Distribution table settings are not correct. Try this,

On ACS hardware/appliance go to,

Reports and Activity > Appliance Status Page >

From "NIC Configuration", copy the IP address of the ACS SE.

Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.

Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.

Note down the "Name" against the Ip address of the ACS SE.

Now go to, Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the Ip address of the ACS Hardware/appliance is in "Forward To" Column, If it is not, move it , and move all other entries under "AAA Servers" column and press "Submit + Restart"

Regards,

Prem

0 Helpful
Customers Also Viewed These Support Documents