Issue with Cisco ACS and different Domains

Answered Question
Jul 4th, 2007

Hi,

We are currently having trouble with the Cisco ACS we have implemented, and I'll try to describe it:

We have ACS linked to AD domains (we have 2 domains) with the proper group mappings.

Our Cisco switches then have the following config:

aaa new-model
aaa authentication fail-message ^CCCC
Failed to Authenticate!
Please Contact IT Networks Group for further information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

But the issue is that users from one domain can authenticate, and users from the other cannot. Basically, when we check Passed Authentications on ACS, both authentications are passing and show "Authen OK", but on the switch side there is a failure.

Can there be something wrong with ACS?

Thanks

Jorge

parmsing Wed, 07/04/2007 - 04:12

Hi Jorge,

There is a known bug with remote logging: in ACS the authentication shows OK; however, the client is not able to establish any session. This seems like the exact same issue. If you have remote logging enabled on ACS, disable it and then try authentication. If authentication is working, then you are hitting that bug.

Otherwise, run the following debugs on the router, which should tell us why authentication is failing:

debug aaa authentication
debug aaa authorization
debug tacacs

Maybe the device is not receiving the authentication response back from the ACS.

HTH

-Parminder

parmsing Wed, 07/04/2007 - 04:28

On the ACS web interface, go to "System Configuration >> Logging".

What is the exact version of ACS you are running?

-Parminder

parmsing Wed, 07/04/2007 - 04:44

If you have remote logging enabled and authentication works fine after disabling remote logging, you might be hitting CSCeg40355.

HTH

parminder

jorge.s Wed, 07/04/2007 - 04:53

here is the log:

023738: Jul 4 12:51:20: AAA: parse name=tty1 idb type=-1 tty=-1
023739: Jul 4 12:51:20: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023740: Jul 4 12:51:20: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023741: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): port='tty1' list='' action=LOGIN service=LOGIN
023742: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): using "default" list
023743: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): Method=tacacs+ (tacacs+)
023744: Jul 4 12:51:20: TAC+: send AUTHEN/START packet ver=192 id=3398875699
023745: Jul 4 12:51:20: TAC+: ver=192 id=3398875699 received AUTHEN status = GETUSER
023746: Jul 4 12:51:20: AAA/AUTHEN (3398875699): status = GETUSER
023747: Jul 4 12:51:26: AAA/AUTHEN/CONT (3398875699): continue_login (user='(undef)')
023748: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETUSER
023749: Jul 4 12:51:26: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023750: Jul 4 12:51:26: TAC+: send AUTHEN/CONT packet id=3398875699
023751: Jul 4 12:51:26: TAC+: ver=192 id=3398875699 received AUTHEN status = GETPASS
023752: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETPASS
023753: Jul 4 12:51:29: AAA/AUTHEN/CONT (3398875699): continue_login (user='q1jorgsous2')
023754: Jul 4 12:51:29: AAA/AUTHEN (3398875699): status = GETPASS
023755: Jul 4 12:51:29: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023758: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): port='tty1' list='' action=LOGIN service=LOGIN
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023761: Jul 4 12:51:34: AAA/AUTHEN (3619397261): User not found, end of method list
023762: Jul 4 12:51:34: AAA/AUTHEN (3619397261): status = FAIL
023763: Jul 4 12:51:36: AAA/AUTHEN/ABORT: (3619397261) because Unknown.
023764: Jul 4 12:51:36: AAA/MEMORY: free_user_quiet (0x2CB0178) user='q1jorgsous2' ruser='NULL' port='tty1' rem_addr='170.64.222.79' authen_type=1 service=1 priv=1
023765: Jul 4 12:51:36: AAA: parse name=tty1 idb type=-1 tty=-1
023766: Jul 4 12:51:36: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023767: Jul 4 12:51:36: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023768: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): port='tty1' list='' action=LOGIN service=LOGIN
023769: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): using "default" list
023770: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): Method=tacacs+ (tacacs+)
023771: Jul 4 12:51:36: TAC+: send AUTHEN/START packet ver=192 id=1833734231
023772: Jul 4 12:51:36: TAC+: ver=192 id=1833734231 received AUTHEN status = GETUSER
023773: Jul 4 12:51:36: AAA/AUTHEN (1833734231): status = GETUSER
023774: Jul 4 12:51:40: AAA/AUTHEN/CONT (1833734231): continue_login (user='(undef)')
023775: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = GETUSER
023776: Jul 4 12:51:40: AAA/AUTHEN (1833734231): Method=tacacs+ (tacacs+)
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023779: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): port='tty1' list='' action=LOGIN service=LOGIN
023780: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Restart
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
023782: Jul 4 12:51:40: AAA/AUTHEN (4010904151): status = GETPASS

parmsing Wed, 07/04/2007 - 05:09

In the debugs it seems like TACACS is not responding/reachable, which is why we are getting status = ERROR, which means fall back to the next available method. If authentication is passing on ACS, then it should not fall back to the local method and we should get a PASS/FAIL status.

Another point is that I don't see any IP address for the TACACS server which is being used for the authentication. Are you sure that you see passed authentication logs on ACS?

-Parminder

jorge.s Wed, 07/04/2007 - 05:18

Here it is:

/07/2007 15:15:56 EDE0114 q1jorgsous2 .. .. Group 496 tty1 10.58.0.124 No Filters activated. NETWORK SWITCHES .. 170.64.222.79 Authen OK tawol055 1 .. AMER 10.58.0.124 .. .. No .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

Correct Answer
parmsing Wed, 07/04/2007 - 05:27

Try to increase the timeout on IOS device by using tacacs-server timeout 10.

Do we have remote logging enabled on ACS server?

-Parminder
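Reading the debug above by hand gets error-prone once several attempts are interleaved. The following Python script is an added example and is not code from the thread or from Cisco: it correlates the posted `debug aaa authentication` / `debug tacacs` lines by AAA session id, records when each TAC+ packet was sent and answered, and reports how long IOS waited before returning ERROR and which method it fell back to. The sample input is copied from Jorge's debug with the 80-column wraps rejoined and the AAA/MEMORY bookkeeping lines dropped; the parser only knows the line formats that appear there, and the debug carries no year, so only time differences are meaningful. Run over that input, the first attempt shows three packets sent, two answered, and ERROR exactly 5 seconds after the last send, which is the IOS default `tacacs-server timeout`; that matches Parminder's reading that the server's reply is not reaching the switch in time and is why raising the timeout is the first thing to try. The second attempt errors 0 seconds after its last send, a different signature worth checking separately. The fallback sessions also show the practical consequence of `group tacacs+ local`: a slow or unreachable TACACS+ server silently moves logins to the local user database.

```python
"""Correlate Cisco IOS 'debug aaa authentication' / 'debug tacacs' output per
AAA session id, so a TACACS+ reject (server answers FAIL) can be told apart
from a timeout or transport error (IOS reports ERROR and tries the next method)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Lines copied from the debug posted in this thread (wraps rejoined, AAA/MEMORY
# lines omitted). Not a fresh capture.
DEBUG = """\
023743: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): Method=tacacs+ (tacacs+)
023744: Jul 4 12:51:20: TAC+: send AUTHEN/START packet ver=192 id=3398875699
023745: Jul 4 12:51:20: TAC+: ver=192 id=3398875699 received AUTHEN status = GETUSER
023750: Jul 4 12:51:26: TAC+: send AUTHEN/CONT packet id=3398875699
023751: Jul 4 12:51:26: TAC+: ver=192 id=3398875699 received AUTHEN status = GETPASS
023753: Jul 4 12:51:29: AAA/AUTHEN/CONT (3398875699): continue_login (user='q1jorgsous2')
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023762: Jul 4 12:51:34: AAA/AUTHEN (3619397261): status = FAIL
023770: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): Method=tacacs+ (tacacs+)
023771: Jul 4 12:51:36: TAC+: send AUTHEN/START packet ver=192 id=1833734231
023772: Jul 4 12:51:36: TAC+: ver=192 id=1833734231 received AUTHEN status = GETUSER
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023780: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Restart
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
"""

LINE_RE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")
AAA_ID_RE = re.compile(r"\((\d+)\)")   # "(3398875699)" on AAA/AUTHEN lines
TAC_ID_RE = re.compile(r"\bid=(\d+)")  # "id=3398875699" on TAC+ lines
USER_RE = re.compile(r"user='([^']*)'")

@dataclass
class Session:
    sid: str
    method: Optional[str] = None
    restart: bool = False        # opened by IOS to try the next method after an ERROR
    user: Optional[str] = None
    sends: List[datetime] = field(default_factory=list)    # TAC+ packets sent
    replies: List[datetime] = field(default_factory=list)  # TAC+ replies received
    final_status: Optional[str] = None
    final_time: Optional[datetime] = None

    def unanswered(self) -> bool:  # last packet to the server never got a reply
        return bool(self.sends) and (not self.replies or self.replies[-1] < self.sends[-1])

    def wait_seconds(self) -> Optional[int]:  # last send -> final status
        if not self.sends or self.final_time is None:
            return None
        return int((self.final_time - self.sends[-1]).total_seconds())

def parse_time(stamp: str) -> datetime:
    # No year in the debug; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")

def analyze(text: str) -> Dict[str, Session]:
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = parse_time(m.group(1)), m.group(2)
        idm = TAC_ID_RE.search(msg) if msg.startswith("TAC+") else AAA_ID_RE.search(msg)
        if not idm:
            continue
        s = sessions.setdefault(idm.group(1), Session(idm.group(1)))
        if msg.startswith("TAC+: send"):
            s.sends.append(ts)
        elif msg.startswith("TAC+:") and "received" in msg:
            s.replies.append(ts)
        elif "Method=" in msg:
            s.method = msg.split("Method=", 1)[1].split()[0]
        elif msg.endswith(": Restart"):
            s.restart = True
        elif "continue_login" in msg:
            um = USER_RE.search(msg)
            if um and um.group(1) != "(undef)":
                s.user = um.group(1)
        elif "status = " in msg:  # last status line wins (GETUSER -> GETPASS -> ERROR)
            s.final_status = msg.rsplit("status = ", 1)[1].strip()
            s.final_time = ts
    return sessions

def fallbacks(sessions: Dict[str, Session]) -> List[Tuple[str, str]]:
    """Pair each session that ended in ERROR with the Restart session IOS opened
    right after it (dict insertion order is log order)."""
    items = list(sessions.values())
    return [(a.sid, b.sid) for a, b in zip(items, items[1:])
            if a.final_status == "ERROR" and b.restart]

def diagnose(sessions: Dict[str, Session]) -> List[str]:
    out = []
    for s in sessions.values():
        if s.method == "tacacs+" and s.final_status == "ERROR":
            why = "no reply to last packet" if s.unanswered() else "server replied"
            out.append(f"{s.sid} user={s.user}: ERROR after {s.wait_seconds()} s, {why}")
    for err, nxt in fallbacks(sessions):
        n = sessions[nxt]
        out.append(f"{err} -> {nxt}: fell back to {n.method}, result {n.final_status}")
    return out
```

Call `diagnose(analyze(DEBUG))` to get one line per failed TACACS+ session and one per fallback; feed it a fresh capture from `debug aaa authentication` plus `debug tacacs` in the same format to compare the wait against the configured `tacacs-server timeout`.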
