Can't authenticate users on ACS v4.2

Unanswered Question
Jul 24th, 2009


I have Aironet APs in the infrastructure and a Cisco ACS 1113 (ACS v4.2); clients are authenticated by RADIUS against a Windows database.

All was working well. But after a power crash the ACS engine was down for 4 days and the Windows servers were down for one day.

Since then no authentication occurs. In the Failed Attempts log I see the message "Unknown NAS Error" with this information:

Network access profile name: (unknown), NAS IP Address: (IP address of the ACS appliance)

Next I found this solution from Cisco:

Step 1 Verify that the AAA client is configured under the Network Configuration section.

Yes, it is:

AAA Client Hostname | AAA Client IP Address | Authenticate Using
WiFi                |                       | RADIUS (Cisco Aironet)

Step 2 If you have RADIUS/TACACS+ source-interface command configured on the AAA client, ensure that the client on ACS is configured by using the IP address of the specified interface.

On the Aironet the following is configured:

ip radius source-interface BVI1

interface BVI1
 ip address
 no ip route-cache

Any suggestions as to where the problem could be?


Roman Rodichev Fri, 07/24/2009 - 10:43

I've seen a few times in 4.1/4.2 that if you hard shut down a server and don't let the ACS services stop, the next time the server is running it will go berserk and stop accepting AAA requests. The behavior is the same as you described. The best way to fix this problem is to back up the database, uninstall ACS, reinstall ACS, and import the database.

Installing ACS on top of an existing installation with the existing database doesn't always fix this problem.



Lucien Avramov Fri, 07/24/2009 - 13:28

Before trying the previous suggestion, make sure of the following:

- Whether the ACS has the NAS client configured with TACACS+ while the NAS client has the ACS server configured with RADIUS (as an example).

- Whether the ACS has the NAS client configured with a wrong IP address.

Make sure you are up to date in terms of ACS patches.

If you have a failover ACS, make sure that the Unknown NAS message is not related to the IP of the other ACS server, which would indicate a replication error.
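Added example (not from the thread or from Cisco): a small triage script for the checks raised in the original post (NAS IP in the Unknown NAS entry equals the ACS appliance's own address; AP sends RADIUS from its BVI1 source interface) and in the reply above (the NAS IP may be the failover peer, pointing at replication). The CSV layout, column names and all addresses are constructed assumptions, not the real ACS 4.2 export format.

```python
import csv
import io
import ipaddress

# Constructed sample of ACS "Failed Attempts" entries. The layout is a
# simplified CSV and the column names are assumptions, not the exact
# export format of ACS 4.2.
FAILED_ATTEMPTS = """\
Date,Time,Authen-Failure-Code,NAS-IP-Address,Network-Access-Profile
07/24/2009,09:12:01,Unknown NAS Error,10.10.1.5,(unknown)
07/24/2009,09:12:07,Unknown NAS Error,10.10.1.5,(unknown)
07/24/2009,09:13:40,Unknown NAS Error,192.0.2.21,(unknown)
07/24/2009,09:14:02,Unknown NAS Error,10.10.1.6,(unknown)
07/24/2009,09:15:00,External DB user invalid,192.0.2.20,WiFi
"""

# Constructed AAA client table (ACS > Network Configuration).
AAA_CLIENTS = {"WiFi": {"ip": "192.0.2.20", "protocol": "RADIUS (Cisco Aironet)"}}
ACS_SELF_IP = "10.10.1.5"    # constructed: this appliance's own address
ACS_PEER_IP = "10.10.1.6"    # constructed: failover / replication partner
AP_SOURCE_IP = "192.0.2.21"  # constructed: the AP's BVI1 address

def classify_nas(nas_ip, clients, self_ip, peer_ip, ap_source_ip):
    """Map the NAS-IP-Address of an Unknown NAS entry to a likely cause."""
    ip = ipaddress.ip_address(nas_ip)  # reject garbage instead of silently matching
    configured = {ipaddress.ip_address(c["ip"]) for c in clients.values()}
    if ip in configured:
        return "configured-client"          # known client: check protocol/key instead
    if ip == ipaddress.ip_address(self_ip):
        return "acs-self-address"           # poster's symptom; first reply blames ACS state
    if ip == ipaddress.ip_address(peer_ip):
        return "replication-peer"           # second reply: failover ACS, check replication
    if ip == ipaddress.ip_address(ap_source_ip):
        return "source-interface-mismatch"  # AP sends from BVI1, ACS entry has another IP
    return "unregistered-nas"

def triage(log_text, clients, self_ip, peer_ip, ap_source_ip):
    """Return {cause: count} over the Unknown NAS entries of a failed-attempts CSV."""
    counts = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Authen-Failure-Code"] != "Unknown NAS Error":
            continue  # other failure codes have a known NAS; out of scope here
        cause = classify_nas(row["NAS-IP-Address"], clients, self_ip, peer_ip, ap_source_ip)
        counts[cause] = counts.get(cause, 0) + 1
    return counts

if __name__ == "__main__":
    print(triage(FAILED_ATTEMPTS, AAA_CLIENTS, ACS_SELF_IP, ACS_PEER_IP, AP_SOURCE_IP))
```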

