ACS and ciscoworks

Oct 26th, 2007

Hi All,


I'm currently converting all our network devices over to AAA but I'm getting a lot of errors in the "failed attempts" log on the ACS.


They are Authen failed "username" External DB user invalid or bad password with a caller-id of (ip address) of our ciscoworks server.


It seems to be happening when ciscoworks is doing its inventory late at night, but I'm unsure of how to stop it. We changed the local password on the network devices when we started to implement the ACS/AAA standard. I think it's just a password mismatch between the ACS and the ciscoworks server (LMS 2.5) but I don't know where it is.


We are running ACS 3.3.3(11) and map to a novell domain.


Any ideas on where to start with this? I might have forgotten to mention some info, so just ask if you need more.


Craig

ebreniz Thu, 11/01/2007 - 11:48

The error %AAA-5-USER_RESET: User [chars] failed attempts reset by [chars] means: The number of failed user authentication attempts has been reset to zero.


Recommended Action: Copy the error message exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl. Also perform a search of the Bug Toolkit http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl.

David Stanford Thu, 11/01/2007 - 12:55

Check the device attributes in the DCR of LMS. You could go to Device Center - Device Troubleshooting and do a Check Device Credentials and see if everything comes back with a status of ok.

craig.eyre Wed, 11/14/2007 - 14:38

More info on subject above:


In my AAA config on my switches I initially took out the password command from the vty line since the AAA would take over. I've noticed the failed login attempts on my ACS server for access to our Ciscoworks server ip address. From this, I assume that ciscoworks needs the same username and password as is configured on the vty lines on the switches or network device. Is this correct?


Do I need a password configured on the vty lines in order for ciscoworks to access the devices for various archives and sync stuff?



Thanks,



Craig

Here's what you need on your AAA server (assuming you have tacacs or radius then local as the order for AAA):


A username with password and enable password defined and access allowed to the devices you want to manage.


If you are using LMS 3.0 you can define both that aaa name/pw/epw combo along with the local u/pw/epw as secondary credentials.


To fully manage a device with Ciscoworks you need SNMP RO, RW; telnet or SSH access; AAA if configured; syslog and trap receiver pointed to your boxes.



You can get a CSV file from your system using the DCRCLI exp fn=filname.csv ft=csv that will list all the attributes by device in your CW server's Device Credential Repository... that's the information it's using to attempt to access your devices.
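
An added example, not written by any poster in this thread: a short Python script that filters ACS failed-attempts entries by the Caller-ID of the CiscoWorks server and reports which username it presented, to which devices, and at what hour, so the matching entries in the Device Credential Repository can be checked. The CSV column names, addresses and usernames are assumptions constructed for illustration; adjust them to the headers in your own ACS export.

```python
import csv
import io
from collections import Counter

# Constructed sample in an assumed Failed Attempts CSV layout; the column
# names, addresses and usernames are illustrative, not from the thread.
SAMPLE_LOG = """\
Date,Time,User-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
11/13/2007,02:10:04,cwadmin,192.0.2.10,External DB user invalid or bad password,10.1.1.1
11/13/2007,02:10:09,cwadmin,192.0.2.10,External DB user invalid or bad password,10.1.1.2
11/13/2007,02:11:30,cwadmin,192.0.2.10,External DB user invalid or bad password,10.1.1.3
11/13/2007,09:42:17,jsmith,192.0.2.55,External DB user invalid or bad password,10.1.1.1
11/14/2007,02:10:02,cwadmin,192.0.2.10,External DB user invalid or bad password,10.1.1.1
"""


def summarize_failures(log_text, caller_id):
    """Summarize failed attempts whose Caller-ID matches one management host."""
    users, devices, hours = Counter(), set(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Caller-ID"].strip() != caller_id:
            continue  # failure came from some other source, e.g. a person
        users[row["User-Name"].strip()] += 1
        devices.add(row["NAS-IP-Address"].strip())
        hours[row["Time"].split(":")[0]] += 1  # bucket by hour of day
    return {"users": dict(users), "devices": sorted(devices), "hours": dict(hours)}


def devices_to_recheck(log_text, caller_id):
    """Devices whose stored credentials on the management server need review."""
    return summarize_failures(log_text, caller_id)["devices"]


if __name__ == "__main__":
    report = summarize_failures(SAMPLE_LOG, "192.0.2.10")
    print("usernames tried:", report["users"])
    print("failures by hour:", report["hours"])
    print("devices to recheck in DCR:", report["devices"])
```
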
