Authentication to Active Directory from Cisco IOS

simonvyrdal
Level 1

SCENARIO:

2 Cisco Secure ACS servers are configured to authenticate user logons to Active Directory.

The TACACS servers are configured in IOS:

tacacs-server host 10.30.18.24

tacacs-server host 10.30.18.25

PROBLEM:

When the primary TACACS server 10.30.18.24 failed to validate the user logon, we were logged out from the router. Then I tried to switch the order of the TACACS servers in the router config, i.e.

tacacs-server host 10.30.18.25

tacacs-server host 10.30.18.24

and then we were granted access. Can anyone explain why 10.30.18.25 did not take over user validation in the first place?

Regards

Simon

Accepted Solution

Premdeep Banga
Level 7

Hi Simon,

The reason for that is that there are some conditions that must be satisfied before the device tries to contact the second server in the config.

If you turn on

debug aaa authentication

then you'll get 3 kinds of responses.

- PASS

- FAIL

- ERROR

PASS -> Needs no explanation.

FAIL -> The authentication server was available, but the server rejected the request for the user for some reason.

ERROR -> There was no response from the authentication server. Probably it's not reachable.

ERROR is the only condition when it will try to contact the next server defined in your configuration.

So this could be the probable reason why it never went for .25 when .25 was second and .24 was first: .24 was still reachable and returned FAIL for the authenticating user.

Regards,

Prem
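As an added illustration of the server-walk behaviour Prem describes (this is example code, not part of the original thread and not Cisco's implementation), the model below treats each configured server as returning PASS, FAIL or ERROR and only advances to the next server on ERROR. The server addresses are the ones from the question; the per-user verdict tables are constructed for the example.

```python
# Added example: a small model of the AAA server walk described in the answer.
# A FAIL (server reachable, request rejected) ends the attempt immediately;
# only an ERROR (no response) lets the client move on to the next server.
# The verdict tables under RESPONSES are constructed, not real ACS data.
from enum import Enum


class Verdict(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


def authenticate(servers, responses, user):
    """Walk `servers` in configured order and return (verdict, servers_contacted).

    `responses` maps a server address to a dict of user -> Verdict, or to None
    when that server is unreachable (every request to it times out).
    """
    contacted = []
    for server in servers:
        contacted.append(server)
        table = responses.get(server)
        if table is None:
            verdict = Verdict.ERROR          # no reply at all
        else:
            verdict = table.get(user, Verdict.FAIL)  # reachable: explicit answer
        if verdict is Verdict.ERROR:
            continue                         # the only case that tries the next server
        return verdict, contacted            # PASS or FAIL is final for this method
    # Every server timed out: the method itself errors out, so a method list
    # such as "group tacacs+ local" would now fall through to the next method.
    return Verdict.ERROR, contacted


# Constructed scenario matching the question: .24 answers but rejects the user,
# .25 answers and accepts the same user (a policy mismatch between the two ACS).
RESPONSES = {
    "10.30.18.24": {"simon": Verdict.FAIL},
    "10.30.18.25": {"simon": Verdict.PASS},
}
```

Running `authenticate(["10.30.18.24", "10.30.18.25"], RESPONSES, "simon")` stops at the first server with FAIL, while reversing the list yields PASS from .25 without .24 ever being asked, which is exactly why reordering the servers changed the outcome. The practical lesson for operators is that the second server is a reachability backup, not a policy backup: two servers that give different answers for the same user will not cover for each other.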

Thanks Prem for this useful answer.

Regards,

Simon
