Authentication Mode - Tacacs+ (fallback Mode)

Mar 4th, 2009

We have our CiscoWorks server set to authenticate to our ACS server (Non-ACS and Tacacs+). In other words, authenticate to ACS but do not register modules to ACS (controlled on the server). We had some network issues where we could not ping the ACS servers. When that happened, I noticed that the Authentication mode is now "Tacacs+ (fallback Mode)". How can I get it out of that mode and back into authentication "Tacacs+"?

Joe Clarke Wed, 03/04/2009 - 15:51

It should automatically go back to TACACS+ mode. However, if you don't see this happening, then you can restart Daemon Manager. The restart will cause the authentication servlet to reconnect to the TACACS+ server (if it is reachable).

didentx01 Thu, 03/05/2009 - 04:57

Tried restarting daemon and it did not work. What else should I try?

yjdabear Thu, 03/05/2009 - 07:51

What happens if you try to toggle between the two options under DCR - Server - Security - AAA Mode Setup - TACACS+ (click on the Change button)?


1. Allow all CiscoWorks local users to fallback to the CiscoWorks Local login.


3. Allow no fallbacks to the CiscoWorks Local login.


Joe Clarke Thu, 03/05/2009 - 10:38

Who are you logging in as? If you're logging in as admin, and admin has no TACACS+ account, then you will be seen as logging in via fallback mode (if admin is allowed in your fallback list).

didentx01 Thu, 03/05/2009 - 14:41

I am logging in as myself. My account is in ACS.

Joe Clarke Thu, 03/05/2009 - 17:28

Check the logs on ACS to see if LMS is making an authentication request. Make sure that you can telnet to TCP port 49 on the ACS server from the LMS server and get a successful connection.

didentx01 Fri, 03/06/2009 - 06:29

I am logging into CiscoWorks using my Tacacs account, but it is still showing fallback mode. To make sure that it is authenticating to ACS, I have changed my password in CiscoWorks, and when I try to log into CW with the new password, I am denied access. When I use my Tacacs password, I am able to log into CiscoWorks.

Joe Clarke Fri, 03/06/2009 - 08:39

Is your user listed in the fallback user list for the TACACS+ login module?

didentx01 Fri, 03/06/2009 - 08:46

Yes, I selected all users to fallback. I just put up another post, since we tried toggling between fallback and not fallback, and now we cannot log into CiscoWorks via the GUI. We tried other accounts and we cannot connect.

Joe Clarke Fri, 03/06/2009 - 08:48

Something is not working between LMS and ACS. I strongly suspect either a communication problem, or a secret key mismatch. What, if anything, do you see in the ACS server logs?


If you are now locked out of LMS, you can run the NMSROOT/bin/ResetLoginModule.pl command to restore local authentication:


NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl
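
Added illustration (not part of the thread and not Cisco code) of why the secret key mismatch suspected in the reply above breaks authentication: TACACS+ obfuscates each packet body by XOR with an MD5-derived pad keyed by the shared secret (RFC 8907, section 4.5), so a server configured with a different key recovers a garbled body. The keys, session ID, user name, port and address are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0 (RFC 8907)

def pseudo_pad(session_id, key, seq_no, length, version=TAC_PLUS_VERSION):
    """Pad = MD5_1 || MD5_2 || ..., truncated to the body length (RFC 8907, 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()  # MD5_n also hashes MD5_{n-1}
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, seq_no=1):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START body: ASCII login, no data field."""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    header = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return header + user + port + rem_addr

def lengths_consistent(body):
    """What a receiver can check: declared field lengths must sum to the body size."""
    return len(body) >= 8 and 8 + sum(body[4:8]) == len(body)

def server_view(client_key, server_key, session_id=0x1A2B3C4D):
    """Return the body as the server recovers it with its own configured key."""
    wire = xor_body(authen_start_body(b"alice"), session_id, client_key)
    return xor_body(wire, session_id, server_key)

if __name__ == "__main__":
    for server_key in (b"s3cret-A", b"s3cret-B"):  # constructed keys
        body = server_view(b"s3cret-A", server_key)
        print(server_key, lengths_consistent(body), body)
```

With matching keys the recovered body parses; with different keys the declared field lengths no longer add up, so the request cannot be processed even though TCP port 49 is reachable.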
