Issue with Cisco ACS and different Domains

Answered Question
Jul 4th, 2007

Hi,

We are currently having trouble with the Cisco ACS we have implemented, and I'll try to describe it:


We have ACS linked to AD directory domains (2 domains) with proper group mappings.

We then have our Cisco switches with the following config:

aaa new-model
aaa authentication fail-message ^CCCC
Failled to Authenticate!
Please Contact IT Networks Group for further information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common



But the issue is that users from one domain can authenticate, but users from the other cannot. Basically, when we check Passed Authentications, both authentications are passing and show "Authen OK", but on the switch side there is a failure.


Could there be something wrong with ACS?


Thanks

Jorge

parmsing Wed, 07/04/2007 - 04:12

Hi Jorge,


There is a known bug with remote logging: in ACS, authentication shows OK; however, the client is not able to establish any session. Seems like the exact same issue. If you have remote logging enabled on ACS, disable it and then try authentication. If authentication is working then you are hitting that bug.


Otherwise run the following debugs on the router, which should tell us why authentication is failing:

debug aaa authentication
debug aaa authorization
debug tacacs

Maybe the device is not receiving the authentication response back from the ACS.


HTH

-Parminder

jorge.s Wed, 07/04/2007 - 04:26

Where do I find this remote logging option?


Jorge

parmsing Wed, 07/04/2007 - 04:28

On ACS web interface go under "system configuration>>logging."


What is the exact version of ACS you are running?


-Parminder

parmsing Wed, 07/04/2007 - 04:44

If you have remote logging enabled and authentication is working fine after disabling remote logging, you might be hitting CSCeg40355.


HTH

parminder

jorge.s Wed, 07/04/2007 - 04:53

Here is the log:

023738: Jul 4 12:51:20: AAA: parse name=tty1 idb type=-1 tty=-1
023739: Jul 4 12:51:20: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023740: Jul 4 12:51:20: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023741: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): port='tty1' list='' action=LOGIN service=LOGIN
023742: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): using "default" list
023743: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): Method=tacacs+ (tacacs+)
023744: Jul 4 12:51:20: TAC+: send AUTHEN/START packet ver=192 id=3398875699
023745: Jul 4 12:51:20: TAC+: ver=192 id=3398875699 received AUTHEN status = GETUSER
023746: Jul 4 12:51:20: AAA/AUTHEN (3398875699): status = GETUSER
023747: Jul 4 12:51:26: AAA/AUTHEN/CONT (3398875699): continue_login (user='(undef)')
023748: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETUSER
023749: Jul 4 12:51:26: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023750: Jul 4 12:51:26: TAC+: send AUTHEN/CONT packet id=3398875699
023751: Jul 4 12:51:26: TAC+: ver=192 id=3398875699 received AUTHEN status = GETPASS
023752: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETPASS
023753: Jul 4 12:51:29: AAA/AUTHEN/CONT (3398875699): continue_login (user='q1jorgsous2')
023754: Jul 4 12:51:29: AAA/AUTHEN (3398875699): status = GETPASS
023755: Jul 4 12:51:29: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023758: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): port='tty1' list='' action=LOGIN service=LOGIN
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023761: Jul 4 12:51:34: AAA/AUTHEN (3619397261): User not found, end of method list
023762: Jul 4 12:51:34: AAA/AUTHEN (3619397261): status = FAIL
023763: Jul 4 12:51:36: AAA/AUTHEN/ABORT: (3619397261) because Unknown.
023764: Jul 4 12:51:36: AAA/MEMORY: free_user_quiet (0x2CB0178) user='q1jorgsous2' ruser='NULL' port='tty1' rem_addr='170.64.222.79' authen_type=1 service=1 priv=1
023765: Jul 4 12:51:36: AAA: parse name=tty1 idb type=-1 tty=-1
023766: Jul 4 12:51:36: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023767: Jul 4 12:51:36: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023768: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): port='tty1' list='' action=LOGIN service=LOGIN
023769: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): using "default" list
023770: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): Method=tacacs+ (tacacs+)
023771: Jul 4 12:51:36: TAC+: send AUTHEN/START packet ver=192 id=1833734231
023772: Jul 4 12:51:36: TAC+: ver=192 id=1833734231 received AUTHEN status = GETUSER
023773: Jul 4 12:51:36: AAA/AUTHEN (1833734231): status = GETUSER
023774: Jul 4 12:51:40: AAA/AUTHEN/CONT (1833734231): continue_login (user='(undef)')
023775: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = GETUSER
023776: Jul 4 12:51:40: AAA/AUTHEN (1833734231): Method=tacacs+ (tacacs+)
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023779: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): port='tty1' list='' action=LOGIN service=LOGIN
023780: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Restart
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
023782: Jul 4 12:51:40: AAA/AUTHEN (4010904151): status = GETPASS

parmsing Wed, 07/04/2007 - 05:09

In the debugs it seems like TACACS is not responding/reachable, which is why we are getting status=error, which means fall back to the next available method. If authentication is passing on ACS then it should not fall back on the local method and we should get a pass/fail status.


Another point is that I don't see any IP address for the TACACS server which is being used for the authentication. Are you sure that you see passed authentication logs on ACS?


-Parminder
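An added triage script (not from the thread or from Cisco) that reads the debug output Jorge posted and reports, per TACACS+ session, how long the switch waited on an unanswered TAC+ send before status = ERROR and whether the restarted login then fell through to LOCAL. The 5 s gap it finds in the first session equals the IOS default tacacs-server timeout of 5 seconds, which the accepted answer raises to 10. It assumes Python 3.8+ and the year 2007 for the timestamps.

```python
"""Triage for IOS 'debug aaa authentication' / 'debug tacacs' output: per TACACS+
session, how long the switch waited after its last TAC+ send before AAA hit
status = ERROR unanswered, and whether the restarted login fell to Method=LOCAL."""

import re
from datetime import datetime

# Trimmed from the debug output posted in the thread, rejoined to one record per line.
SAMPLE = """\
023755: Jul 4 12:51:29: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023771: Jul 4 12:51:36: TAC+: send AUTHEN/START packet ver=192 id=1833734231
023772: Jul 4 12:51:36: TAC+: ver=192 id=1833734231 received AUTHEN status = GETUSER
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023780: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Restart
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
"""

RECORD = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")
SEND = re.compile(r"TAC\+: send \S+ packet (?:ver=\d+ )?id=(\d+)")
RECV = re.compile(r"TAC\+: ver=\d+ id=(\d+) received")
ERROR = re.compile(r"AAA/AUTHEN \((\d+)\): status = ERROR")
LOCAL = re.compile(r"AAA/AUTHEN/START \(\d+\): Method=LOCAL")


def find_tacacs_timeouts(text, year=2007):
    """Return one dict per session whose last TACACS+ send got no reply before ERROR."""
    outstanding, findings = {}, []          # session id -> time of the unanswered send
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if s := SEND.search(msg):
            outstanding[s.group(1)] = ts
        elif r := RECV.search(msg):
            outstanding.pop(r.group(1), None)   # server answered; nothing pending
        elif e := ERROR.search(msg):
            sent = outstanding.pop(e.group(1), None)
            if sent is not None:                # ERROR while a send was still unanswered
                findings.append({"id": e.group(1), "wait_s": (ts - sent).total_seconds(),
                                 "fell_back_to_local": False})
        elif LOCAL.search(msg) and findings:
            findings[-1]["fell_back_to_local"] = True   # restarted login went to LOCAL
    return findings
```

Running it over the full posted log gives the same two findings; a session that received a reply before its ERROR is not reported, which separates a server timeout from an ACS-side reject.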

jorge.s Wed, 07/04/2007 - 05:18

Here it is:


/07/2007 15:15:56 EDE0114 q1jorgsous2 .. .. Group 496 tty1 10.58.0.124 No Filters activated. NETWORK SWITCHES .. 170.64.222.79 Authen OK tawol055 1 .. AMER 10.58.0.124 .. .. No .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

Correct Answer
parmsing Wed, 07/04/2007 - 05:27

Try to increase the timeout on IOS device by using tacacs-server timeout 10.


Do we have remote logging enabled on ACS server?


-Parminder
