TACACS auth and RADIUS accounting with ACS

mwillford
Level 1

I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

3 Replies

Ganesh Hariharan
VIP Alumni

Hi,

Check the explanation below, and check what AAA configuration has been done on the ASA and on the ACS as well.


Explanation: This message indicates that the adaptive security appliance has attempted an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server is marked as "failed" and has been removed from service.

Recommended Action: Verify that the AAA server is online and is accessible from the adaptive security appliance.

Regards

Ganesh.H

Thank you for the response. I did verify the syslog explanation you gave below, and the AAA server is online, as TACACS messages are getting to it. My configuration on the ASA for RADIUS is as follows:

Server Group - RADIUS
Protocol - RADIUS
Accounting Mode - Simultaneous
Reactivation Mode - Timed
Max Failed Attempts - 3

Two servers in the Server Group:
ACS - Not working
Microsoft IAS - Working

I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.

ACS is configured as follows:

Network Configuration
AAA Clients - ASA, authenticating using TACACS+
AAA Servers - None listed. When I tried to add the ACS machine, the error said the server already existed (in another Network Device Group).

Hi,

Please check out the following things:-

1) Check that the ASA AAA client IP address configured in ACS is the one on the trusted interface from which the ACS is reachable. That is, if the ACS resides off the public zone interface, configure the ASA's public interface address under AAA Clients in ACS.

2) In the ASA RADIUS server configuration, check that the authentication port is configured as 1645 at both ends, on the ASA as well as in the ACS AAA client table.

3) In the ASA, the ACS server should come up in the online state, so the RADIUS ports need to have communication between the two.

Hope this helps !!

Regards

Ganesh.H
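The 113022 explanation quoted earlier says "timeout", and the checks in the reply above are about the AAA-client address and the shared secret, which may look unrelated until you recall that RFC 2866 tells a RADIUS server to silently discard an Accounting-Request whose Request Authenticator does not verify (or that arrives from an address it has no client entry for). The NAS then never sees a reply and reports the server as failed. The following Python model of that exchange is an added example, not code from this thread or from Cisco; the IP addresses, shared secrets, user name and session ID are constructed, and `acs_handle`/`asa_send_accounting` are names chosen here to stand in for the server and NAS sides.

```python
"""Model of the RADIUS accounting exchange (RFC 2866) between a NAS (the ASA) and a
AAA server (ACS). Shows why a shared-secret or client-IP mismatch is seen by the NAS
as a timeout: the server silently drops the packet and never answers.
All IPs, secrets and session data below are constructed for this example."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# Attribute type numbers from RFC 2865/2866
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44
ACCT_START = 1


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV attribute: Type, Length (counting the 2 header octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, ident: int, attrs) -> bytes:
    """Accounting-Request. Request Authenticator = MD5(Code|ID|Length|16 zero octets|attrs|secret)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(secret: bytes, packet: bytes) -> bool:
    """Server-side check (RFC 2866 section 3): recompute the authenticator with the secret
    configured for this client; on mismatch the packet is silently discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_accounting_response(secret: bytes, request: bytes) -> bytes:
    """Accounting-Response with no attributes.
    Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|attrs|secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_accounting_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """NAS-side check: the reply must match our request ID and carry a valid authenticator."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def acs_handle(clients: dict, src_ip: str, packet: bytes):
    """Hypothetical model of the AAA-server side. `clients` maps AAA-client IP -> shared
    secret (the ACS 'AAA Clients' table). An unknown source IP or a failed authenticator
    check yields None: nothing is sent back, so the NAS eventually times out."""
    secret = clients.get(src_ip)
    if secret is None or not verify_accounting_request(secret, packet):
        return None
    return build_accounting_response(secret, packet)


def asa_send_accounting(clients: dict, asa_ip: str, asa_secret: bytes) -> str:
    """One Accounting-Start from the ASA (hypothetical NAS side); returns the ASA's verdict."""
    attrs = [
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (USER_NAME, b"mwillford"),                                 # constructed sample user
        (NAS_IP_ADDRESS, bytes(int(o) for o in asa_ip.split("."))),
        (ACCT_SESSION_ID, b"0x0000001A"),                          # constructed session id
    ]
    request = build_accounting_request(asa_secret, ident=0x1A, attrs=attrs)
    response = acs_handle(clients, asa_ip, request)
    if response is None:
        return "timeout"       # no reply at all: this is what syslog ID 113022 reports
    if not verify_accounting_response(asa_secret, request, response):
        return "bad-response"  # reply present but its authenticator fails: also discarded
    return "accounted"


if __name__ == "__main__":
    # Constructed ACS client table: the ASA's interface facing the ACS and its secret.
    ACS_CLIENTS = {"10.1.1.2": b"correct-secret"}
    print(asa_send_accounting(ACS_CLIENTS, "10.1.1.2", b"correct-secret"))    # accounted
    print(asa_send_accounting(ACS_CLIENTS, "10.1.1.2", b"wrong-secret"))      # timeout
    print(asa_send_accounting(ACS_CLIENTS, "192.168.1.1", b"correct-secret")) # timeout
```

The second and third calls are the two failure modes from the reply above: same client address but a mismatched shared secret, and a correct secret but a source address (for instance the ASA's other interface) that ACS has no AAA-client entry for. Both produce exactly the same symptom on the NAS, which is why a packet capture showing the request reaching the server does not rule out a configuration mismatch.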