ACS 4.2 - Radius stops authenticating - shared secret missing!?

Aug 9th, 2009

Have had an ACS 4.2 solution installed across 2 servers (master/slave), everything working fine with devices using it for both RADIUS and TACACS+ authentication. This week however, I have had an issue with a network group that uses RADIUS, as switches (Nortel) can no longer authenticate. On closer inspection, firstly the shared secret entry has disappeared; if I re-enter it and submit/apply, it's still not there when you query the network interface configuration. I know that the basics of the ACS work, as other devices (PIX, ASA) that use TACACS+ are authenticating fine, and that the problem is isolated to RADIUS, as another network device (AS5300) has the same issue. This started to happen at the end of last week and I found the service CSRadius had stopped on the server. It was restarted and that solved the problem; however, the problem has happened again and this time the relevant services are running.

The only change to the configuration has been additional subnets added to the network interface in question, maybe there's a limit to how many subnets one interface is allowed?

darpotter Mon, 08/10/2009 - 04:10

First easy test would be to back off the recent config changes and see if you can get back to a working setup.

Then you can add mods one at a time to isolate what breaks it.

Does sound like something is breaking the RADIUS server. You'll probably need to set logging to max, make the error happen, then create and open a TAC case.

JDiTomaso Mon, 08/10/2009 - 05:48

A clear-out has been done, with the network interface re-created, with everything working fine. It's one of those faults that has happened with no changes made to the ACS; nothing in the logs suggests there's a problem caused by a change. The DB replication to the secondary ACS is fine. I believe if this happens again, a TAC case will be logged.

It's just interesting to see the shared secret 'disappear' and I wondered if anyone else has had this happen to them and what was the cause.

