
LMS/ACS account keeps locking out

dmistry21
Level 1

Hi

Our LMS environment is integrated with ACS 4.1 for RSA authentication purposes.

We have an ACS account which is used by LMS to run administrative jobs on end devices. Periodically this account will appear with 'CS Account expired' or 'CS PAssword invalid'. This is a machine/system account so should never have an incorrect password.

Are there any circumstances why this account would lock out when connecting to end devices? This is not limited to the time of day or the types of devices or networks being accessed.

Has anyone come across this type of issue before?

Many Thanks

3 Replies

Joe Clarke
Cisco Employee

If jobs are succeeding, you should not be getting account lockouts. However, if there are failures in which the username gets entered, but the password is skipped, or made to be invalid, then that could certainly lock out accounts. Specific instances of these failed jobs would need to be troubleshot (e.g. with a sniffer) to isolate the underlying cause.

It is a bit of a tricky one because the majority of jobs succeed, and then the odd job may fail because of this credential issue, and it's not necessarily the same device, as this may pass the next time. Obviously, logs on the devices won't give any further information either, as authentication did not pass.

This almost makes me wonder whether it's a timeout issue from when the credentials are entered to authenticating with the ACS server. Just trying to understand how a machine account could get a password wrong, as there is no human interaction involved.

Are there any audit logs/tools available in LMS that may provide further info on a failed instance, or are the ACS logs the most info you can get other than putting a sniffer trace on? With a sniffer trace, chances are the device would work the next time around.

I observed a strange behaviour with an ACS account for LMS in the past:

https://supportforums.cisco.com/message/654793#654793

and 2 weeks ago the customer had the same or a similar problem again. This time I did not do any troubleshooting and just restarted LMS to solve the problem.
