Cisco ACS v4.1 Assistance

bbinion80 (Level 1)

Greetings,

We have been using our ACS appliance to authenticate logins to our Cisco gear. We have been using TACACS+ and it has worked fine, but I am trying to set it up using RADIUS. I basically changed the config on my test switch to radius wherever it read tacacs+ and changed ACS to use the RADIUS protocol. Now I am unable to log into the test switch I set up, when I was able to before using TACACS+.

aaa authentication dot1x default group radius
aaa authentication login default group radius local-case
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
aaa accounting commands 15 default start-stop group radius
radius-server directed-request
radius-server host 172.16.x.x auth-port 1645 acct-port 1646 key xxxxxx

When I check the logs on the ACS, it reads "ACS user known"

Let me know if you need anything else.

Thanks
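The exchange that the radius-server host line above sets up, written out as an added Python example. This is not code from the thread, from Cisco IOS or from ACS: it is a minimal RFC 2865 Access-Request / Access-Accept / Access-Reject round trip with an in-memory stand-in for the ACS server, a constructed user table, a constructed shared secret, PAP only (no CHAP or EAP), and an assumed NAS address of 172.16.21.1 standing in for the masked addresses in the post. What it shows is the part of the failure that a key mismatch versus a policy decision would produce: the User-Password attribute is hidden with MD5(secret + Request Authenticator), and every reply carries a Response Authenticator computed with the server's copy of the secret, so the switch can only validate a reply when both sides hold the same key.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_LOGIN = 1  # what an exec login on the switch asks for


def encode_attr(atype, value):
    """Attribute TLV: type, total length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data):
    """Walk the attribute list, refusing truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    p = password.encode() or b"\x00"
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; a wrong secret yields random bytes, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    """What the switch sends to auth-port: code 1, a fresh 16-byte Request Authenticator, attributes."""
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + encode_attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties the reply to the secret holder."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def toy_acs(packet, secret, users):
    """Stand-in for the ACS server (assumption, not ACS code): decode the password, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = username in users and hmac.compare_digest(users[username].encode(), password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", request_auth, secret)


def check_response(packet, ident, request_auth, secret):
    """NAS side: accept the reply only if ID and Response Authenticator match; None means it is dropped."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        return None
    expected = response_authenticator(code, rid, packet[20:length], request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    return code


def authenticate(username, password, nas_secret, acs_secret, acs_users, nas_ip="172.16.21.1"):
    """One login attempt end to end: ACCESS_ACCEPT, ACCESS_REJECT, or None if the reply failed validation."""
    ident, request_auth = 7, os.urandom(16)
    req = build_access_request(ident, username, password, nas_secret, nas_ip, request_auth)
    return check_response(toy_acs(req, acs_secret, acs_users), ident, request_auth, nas_secret)


if __name__ == "__main__":
    users = {"admin": "s3cret"}  # constructed sample user database
    print(authenticate("admin", "s3cret", b"xxxxxx", b"xxxxxx", users))  # matching key, good password: 2
    print(authenticate("admin", "wrong", b"xxxxxx", b"xxxxxx", users))   # matching key, bad password: 3
    print(authenticate("admin", "s3cret", b"xxxxxx", b"yyyyyy", users))  # key mismatch: None
```

The distinction the example draws is the one worth keeping in mind when reading a "user rejected" from the switch: a reply that validates as an Access-Reject means both ends agree on the key and the server made a decision about the user, so the next place to look is the server's failed-attempt log and its policy; a key mismatch instead produces replies the client cannot validate, which is a different symptom.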

9 Replies

Farrukh Haroon (VIP Alumni)

When you use the 'test aaa ...' command on the switch, what do you get?

From which SVI are you sourcing your connection? Perhaps it would be better to put ip radius source-interface vlan x

Regards

Farrukh

Well, I wasn't aware of a "test aaa" command, but I will try it and see what it says. Int Vlan 21 is the SVI with the IP address assigned to it. I did attempt the "ip radius..." command, but still no luck.

Ok please run the test command and then give the exact output you see in the ACS 'Failed' (or even Passed) attempts log.

You changed the device from Tacacs to Radius in the 'Network Setup' in ACS?

Regards

Farrukh

I ran the test command and it just came back "user rejected"

I did change the device from tacacs+ to radius (cisco ios/pix 6.0) on our ACS.

So are you sure you are entering the correct username/password? Are you using some other advanced features like NAR/NAP etc.?

The following debug output would also help:

debug radius

debug aaa authen

debug aaa author

Regards

Farrukh

I am sure I am using the correct username/password.

Yes, we are using NAP. That could be causing an issue as well. I know it is set to "Allow any Protocol type."

Yes it has to be something fancy for sure. Please look at the failed attempt log in ACS. It will show you which NAP/NAR policy denied it.

To test you can create new group/user without any NAP/NAR and check your radius. Then 'build' from there step-by-step.

Regards

Farrukh

Thank you so much Farrukh, it was something not configured correctly with the NAP. Under authentication, I had to move the Windows Database from Available Database to Selected Database. After that I was able to log in. Thanks again for your assistance.

No problems at all. Glad it's working now :)

Please rate if helpful.

Regards

Farrukh
