Cisco ACS v4.1 Assistance

Unanswered Question
Aug 13th, 2008


We have been using our ACS appliance to authenticate logging into our Cisco gear. We have been using tacacs+ and it has worked fine but I am trying to set it up using radius. I basically changed on the configs on my test switch to radius wherever it read tacacs+ and changed out ACS to use the radius protocol. Now, I am unable to log into the test switch I set up when I was able to before using tacacs+.

aaa authentication dot1x default group radius

aaa authentication login default group radius local-case

aaa authorization exec default group radius local

aaa authorization commands 15 default group radius local

aaa accounting commands 15 default start-stop group radius

radius-server directed-request

radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key xxxxxx

When I check the logs on the ACS, it reads "ACS user known"

Let me know if you need anything else.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Farrukh Haroon Wed, 08/13/2008 - 10:48

When you use the 'test aaa ...' on the switch command what do you get?

From which SVI are you sourcing your connection? Perhaps it would be better to put ip radius source-interface vlan x



bbinion80 Wed, 08/13/2008 - 11:16

Well I wasn't aware of a "test aaa" command but I will try it and see what it says. Int Vlan 21 is the SVI with the IP address assigned to it. I did attempt the "ip radius..." command but still no luck.

Farrukh Haroon Wed, 08/13/2008 - 11:23

Ok please run the test command and then give the exact output you see in the ACS 'Failed' (or even Passed) attempts log.

You changed the device from Tacacs to Radius in the 'Network Setup' in ACS?



bbinion80 Wed, 08/13/2008 - 11:59

I ran the test command and it just came back "user rejected"

I did change the device from tacacs+ to radius (cisco ios/pix 6.0) on our ACS.

Farrukh Haroon Wed, 08/13/2008 - 12:08

So are you sure you are entering the correct username/password? Are you using some other advanced features like NAR/NAP etc.?

A following debug output would also help:

debug radius

debug aaa authen

debug aaa author



bbinion80 Wed, 08/13/2008 - 12:24

I am sure I am using the correct username/password.

Yes, we are using NAP. That cold be causing an issue as well. I know it is set to "Allow any Protocol type."

Farrukh Haroon Wed, 08/13/2008 - 12:25

Yes it has to be something fancy for sure. Please look at the failed attempt log in ACS. It will show you which NAP/NAR policy denied it.

To test you can create new group/user without any NAP/NAR and check your radius. Then 'build' from there step-by-step.



bbinion80 Wed, 08/13/2008 - 12:41

Thank you so much Farrukh, it was something not configured correctly with the NAP. Under authentication, I had to move the Windows Database from Available Database to Selected Database. After that i was able to login. Thanks again for your assistance.

Farrukh Haroon Wed, 08/13/2008 - 18:40

No problems at all. Glad its working now :)

Please rate if helpful.




This Discussion