Authentication to Active Directory from Cisco IOS

Answered Question
Jun 20th, 2007
SCENARIO:

2 Cisco Secure ACS are configured to authenticate user logon to Active Directory.

The TACACS servers are configured in IOS

tacacs-server host 10.30.18.24

tacacs-server host 10.30.18.25

PROBLEM:

When the primary tacacs server 10.30.18.24 failed to validate user logon, we were logged out from the router. Then I tried to switch the order of the TACACS servers in the router config, i.e.

tacacs-server host 10.30.18.25

tacacs-server host 10.30.18.24

and then we were granted access. Can anyone explain why 10.30.18.25 did not take over user validation in the first place?


Regards

Simon

Correct Answer by Premdeep Banga, Thu, 06/21/2007 - 03:49

Hi Simon,


The reason for that is that there are some conditions that must be satisfied before the device tries to contact the second server in the config.


If you turn on


debug aaa authentication


then you'll get 3 kinds of responses:

- PASS

- FAIL

- ERROR


PASS -> Needs no explanation.

FAIL -> Authentication server was available but server rejected the request for the user due to some reason.

ERROR -> There was no response from the authentication server. Probably it's not reachable.


ERROR is the only condition when it will try to contact the next server defined in your configuration.


So this could be the probable reason why it never went for .25 when .25 was second and .24 was first: .24 was still reachable and returned FAIL for the authenticating user.


Regards,

Prem
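To make the failover rule above concrete, here is an added model (not Cisco code and not part of Prem's answer) of how IOS walks the tacacs-server host list: only ERROR (no response) moves on to the next server, while PASS or FAIL ends the attempt. The config snippets and the per-server responses are constructed from the thread's scenario, with .24 reachable but rejecting the user and .25 accepting.

```python
"""Model of IOS AAA server-list failover: ERROR -> try next server,
PASS or FAIL -> stop. Added illustration, not IOS code."""
import re
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample configs; the order of 'tacacs-server host' lines
# is the order in which IOS tries the servers.
IOS_CONFIG_ORIGINAL = """\
tacacs-server host 10.30.18.24
tacacs-server host 10.30.18.25
"""
IOS_CONFIG_SWAPPED = """\
tacacs-server host 10.30.18.25
tacacs-server host 10.30.18.24
"""

HOST_RE = re.compile(r"^\s*tacacs-server host (\S+)", re.MULTILINE)


def server_order(config: str) -> List[str]:
    """Return the TACACS+ servers in the order IOS will try them."""
    return HOST_RE.findall(config)


def authenticate(servers: List[str], responses: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the server list. Only ERROR moves on to the next server.
    A server with no entry in `responses` is treated as unreachable (ERROR).
    Returns (final result, servers actually contacted)."""
    tried: List[str] = []
    for srv in servers:
        tried.append(srv)
        result = responses.get(srv, ERROR)
        if result != ERROR:          # PASS or FAIL: the decision is final
            return result, tried
    return ERROR, tried              # every server was unreachable


# Constructed scenario from the thread: .24 answers FAIL, .25 answers PASS.
RESPONSES = {"10.30.18.24": FAIL, "10.30.18.25": PASS}

if __name__ == "__main__":
    for name, cfg in (("original", IOS_CONFIG_ORIGINAL), ("swapped", IOS_CONFIG_SWAPPED)):
        res, tried = authenticate(server_order(cfg), RESPONSES)
        print(f"{name} order: {res} after contacting {tried}")
```

With the original order the router stops at .24 with FAIL and never asks .25; with the swapped order .25 answers PASS first, which matches what Simon observed.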
