LMS/ACS account keeps locking out

Mar 17th, 2010
Our LMS environment is integrated with ACS 4.1 for RSA authentication purposes.

We have an ACS account which is used by LMS to run administrative jobs on end devices. Periodically this account will appear with 'CS Account expired' or 'CS PAssword invalid'. This is a machine/system account, so it should never have an incorrect password.

Are there any circumstances why this account would lock out when connecting to end devices? This is not limited to the time of day or the types of devices or networks being accessed.

Has anyone come across this type of issue before?

Many Thanks

Joe Clarke Wed, 03/17/2010 - 17:51
User Badges: Cisco Employee, Hall of Fame, Founding Member

If jobs are succeeding, you should not be getting account lockouts. However, if there are failures in which the username gets entered, but the password is skipped, or made to be invalid, then that could certainly lock out accounts. Specific instances of these failed jobs would need to be troubleshot (e.g. with a sniffer) to isolate the underlying cause.

dmistry21 Thu, 03/18/2010 - 11:18
It is a bit of a tricky one because the majority of jobs succeed and then the odd job may fail because of this credential issue, and it's not necessarily the same device, as this may pass the next time. Obviously logs on the devices won't give any further information either, as authentication did not pass.

This almost makes me wonder whether it's a timeout issue from when the credentials are entered to authenticating with the ACS server. Just trying to understand how a machine account could get a password wrong, as there is no human interaction involved.

Are there any audit logs/tools available in LMS that may provide further info on a failed instance, or are the ACS logs the most info you can get other than putting a sniffer trace on? With a sniffer trace, chances are the device would work the next time around.

