ACS wont authenticate

Just Kennie · ‎10-30-2008

Please I just deployed ACS on my net work. I am using internal database,i have created the the accounts in the ACS, and specify the AAA client as my router.

I included same share key as i did on the router. Below is what i did on router..

tacac+ key (same as on ACS)

tacac+ host (ip add of ACS)

aaa new model

aaa authentication login JUST group tacac+ line.

line vty 0 4

aaa autheentication JUST.

-----

I created a user on ACS , but it wont authenticate on the router.

1.please tell me what and what need to be done.

2.Is AAA server needed for internal database user (though I configur it with the ip add of my DC ,am i write?)

Jagdeep Gambhir · ‎10-31-2008

Did you define source interface for tacacs authentication.

On router issue command,

ip tacacs source-interface fastethernet x/y , where interface would be the one mentioned in tacacs server.

Also check acs, if there is any shared key on NDG level. NDG over overrites aaa-client key.

If still issue is there get

debug tacacs

debug aaa authentication

Regards,

~JG

Richard Burts · ‎10-31-2008

In addition to the good suggestions from JG I would suggest looking at the failed attempts report on the ACS server. If the authentication attempts are getting to the server then there should be entries in the failed attempts report and the entry should help identify the reason for the failure (common causes in this kind of situation are unknown device (either the router is not defined as a client in ACS or the router is sending the request packet with a source address other than the one configured in ACS) or invalid key, or perhaps unknown user.

HTH

Rick

HTH

Rick

Just Kennie · ‎11-03-2008

I am saying a big thank you to you and every one.I am pleased to notify you that the ACS is working fine. I bliv this forum will help me on my way to CCIE