TACACS auth and RADIUS accounting with ACS

Unanswered Question
Dec 29th, 2009

I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

Ganesh Hariharan Tue, 12/29/2009 - 21:39

Hi,

Check out the explanation below, and tell us what AAA configuration has been done on the ASA and in ACS as well.

Explanation: This message indicates that the adaptive security appliance has attempted an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server is marked as "failed" and has been removed from service.

Recommended Action: Verify that the AAA server is online and is accessible from the adaptive security appliance.



Regards

Ganesh.H

mwillford Wed, 12/30/2009 - 15:06

Thank you for the response. I did verify the syslog explanation you gave below, and the AAA server is online, as TACACS messages are getting to it. My RADIUS configuration on the ASA is as follows:


Server Group - RADIUS

Protocol - RADIUS

Accounting Mode - Simultaneous

Reactivation Mode - Timed

Max Failed attempts - 3


Two servers in the Server Group

ACS - Not working

Microsoft IAS - Working


I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.


ACS is configured as follows

Network Configuration

AAA Clients - ASA authenticate using TACACS+

AAA Servers - None listed. When I tried to add the ACS machine, the error said the server already existed (in another Network Device Group).

Ganesh Hariharan Wed, 12/30/2009 - 22:13

Hi,


Please check the following things:

1) Check that the ASA AAA client IP address configured in ACS is the address of the interface from which the ACS is reachable. That is, if the ACS resides off the Public zone interface, configure the ASA's public interface address under AAA Clients in ACS.

2) In the ASA RADIUS server configuration, check that the authentication port is configured as 1645 at both ends, on the ASA as well as in the ACS AAA client table.

3) And on the ASA the ACS server should come into the online state, so the RADIUS port needs to allow communication between the two.

Hope this helps!


Regards

Ganesh.H
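The failure mode the replies above describe, as an added example that is not part of the original thread and not Cisco's code: a RADIUS Accounting-Request (RFC 2866) is built the way a NAS such as the ASA builds it, with its Request Authenticator keyed by the shared secret, and is checked the way a RADIUS server such as ACS checks it. The server looks up the client by source address and secret; a request from an unknown AAA client address, or one whose authenticator does not verify under that client's secret, is silently discarded, so the NAS sees no response at all. That is exactly the timeout-then-mark-failed behaviour that syslog 113022 reports, and it is why a wrong AAA client address (point 1 above) or a mismatched key looks the same from the ASA as an unreachable server. The IP addresses, secrets, user name and session ID are constructed sample data; `ToyRadiusServer` is a stand-in for the ACS listener, and `nas_account` is a deliberately simplified model of the ASA's `max-failed-attempts` handling (no retry interval or timed reactivation). Note that accounting travels on the accounting port (1646 by legacy convention, 1813 per RFC 2866), alongside the authentication port 1645/1812 mentioned in point 2.

```python
"""Added example, not from the thread: RADIUS accounting request/response
with the RFC 2866 authenticators, showing why a wrong shared secret or an
unregistered client address yields silence (and hence ASA 113022) rather
than an explicit reject."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RFC 2866 packet codes
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START = 1


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_accounting_request(identifier, attributes, secret):
    """Build an Accounting-Request as the NAS (the ASA) would.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


class ToyRadiusServer:
    """Stand-in for the ACS RADIUS listener: a client table keyed by source IP.

    Per RFC 2866 a request from an unknown client, or one whose Request
    Authenticator does not verify under that client's secret, is silently
    discarded; nothing goes back to the NAS in either case."""

    def __init__(self, clients):
        self.clients = clients  # {source_ip: shared_secret_bytes}
        self.discarded = []     # (source_ip, reason) for every dropped request

    def handle(self, src_ip, packet):
        """Return Accounting-Response bytes, or None for a silent discard."""
        secret = self.clients.get(src_ip)
        if secret is None:
            self.discarded.append((src_ip, "unknown AAA client"))
            return None
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            self.discarded.append((src_ip, "malformed"))
            return None
        req_auth, attrs = packet[4:20], packet[20:]
        expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
        if not hmac.compare_digest(req_auth, expected):
            self.discarded.append((src_ip, "bad Request Authenticator (secret mismatch)"))
            return None
        header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, 20)
        # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
        return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS-side check that the response came from a server holding the same secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def nas_account(server, src_ip, packet, secret, max_failed_attempts=3):
    """Simplified ASA behaviour (assumption, not Cisco's algorithm): an unanswered
    request is a failed attempt; after max-failed-attempts the server is marked
    FAILED, which is the condition 113022 reports."""
    for attempt in range(1, max_failed_attempts + 1):
        response = server.handle(src_ip, packet)
        if response is not None and verify_response(response, packet, secret):
            return "ACTIVE", attempt
    return "FAILED", max_failed_attempts


# Constructed sample data (not from the thread): ACS knows the ASA only by its
# inside-interface address 10.1.1.1 and by one shared secret.
ACS = ToyRadiusServer({"10.1.1.1": b"acs-shared-secret"})
SAMPLE_ATTRS = [
    (ATTR_USER_NAME, b"vpnuser"),
    (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 1])),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
    (ATTR_ACCT_SESSION_ID, b"0x1a2b3c"),
]


def scenario(src_ip, nas_secret):
    """Send one Acct-Start from src_ip with nas_secret; return the ASA's server state."""
    packet = build_accounting_request(7, SAMPLE_ATTRS, nas_secret)
    return nas_account(ACS, src_ip, packet, nas_secret)


if __name__ == "__main__":
    print("right IP, right secret :", scenario("10.1.1.1", b"acs-shared-secret"))
    print("right IP, wrong secret :", scenario("10.1.1.1", b"typo-secret"))
    print("wrong source interface :", scenario("10.2.2.2", b"acs-shared-secret"))
    for ip, why in ACS.discarded:
        print(f"  server dropped request from {ip}: {why}")
```

Only the first scenario ends with the server ACTIVE; the other two end FAILED after three silent discards, and the server-side `discarded` list is the only place the reason is visible. On a real deployment that is the point: the packet capture in the question shows the request arriving, so the answer lives in the ACS-side logs and client table (which address the ASA sources from, which key is configured for it), not in the ASA syslog.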
