TACACS authentication fails for one of our network device

Answered Question
Jan 6th, 2012

ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting

camejia Fri, 01/06/2012 - 08:53

Hello,


If you access the ACS 5.x CLI and execute "show application status acs" are all the services running?


Also, under the ACS 5.x GUI Users and Identity Stores > External Identity Stores > Active Directory, what is the status of the ACS under Connectivity Status? Is it showing as Connected or Disconnected?


Regards.

Santosh Shetty Fri, 01/06/2012 - 10:29

Carlos,


Thanks for the reply,


I verified all services are running and also AD status is connected.


All the devices are able to authenticate using ACS except one, which shows the following error message in the ACS log:


       "24444 Active Directory Operation has failed because of an unspecified error in the ACS"

camejia Fri, 01/06/2012 - 10:35

Hello Santosh,


I wanted to verify the following as well. How many ACS servers do you have on your network? Is it only one ACS server acting as standalone? Or do you have a Distributed Deployment with Secondary ACS Servers?


If you have multiple ACS servers, can you access the Failure log again and verify which ACS Instance is authenticating the ASA request? If it is a different ACS instance can you check the AD status on that one as well.


I will dig further on another options and I will be waiting for your response as well.


Regards.

Santosh Shetty Fri, 01/06/2012 - 11:09

We have a Distributed deployment, and I found one of the Secondary instances is not connecting to the domain. It is giving the following message: "connection test to domain failed - clock skew error."

Correct Answer
camejia Fri, 01/06/2012 - 11:26

That's what I suspected. You will have to deregister the secondary ACS from the Primary. Configure the appropriate Secondary ACS clock and timezone to match the AD Domain Controllers time. Both the clock change and the timezone change will restart the secondary ACS services for the changes to take effect.


After the appropriate time has been configured we should "Test Connection" against AD from the ACS GUI on the secondary. As soon as it succeeds we can proceed and save changes and also register the secondary back to the primary.


This should address the issue.


Regards.
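The "clock skew error" above is the Kerberos join to AD refusing a client whose clock differs from the domain controller's by more than the tolerated window (300 seconds by default on Windows and MIT Kerberos). The point of the accepted answer that is easy to miss is that the timezone matters as much as the wall clock: an appliance whose wall clock matches the DC but whose timezone is set wrong computes a different UTC instant and fails the check. The following is an added example, written for this page and not part of the thread or of Cisco ACS; it models that check with constructed timestamps (the DC time, the ACS wall clocks and the fixed UTC offsets standing in for named timezones are all sample values) and includes a small stdlib-only SNTP query so the same skew measurement can be taken against a real domain controller (hostname is a placeholder).

```python
"""Clock-skew check for an AD-joined appliance such as a secondary ACS.

Added example for this page; not code from the original thread or from Cisco.
"""
import socket
import struct
from datetime import datetime, timedelta, timezone

# Kerberos default maximum tolerated clock skew between a client and the KDC.
MAX_SKEW = timedelta(minutes=5)

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800

# Constructed sample: what the domain controllers report, in UTC.
DC_TIME = datetime(2012, 1, 6, 16, 30, 0, tzinfo=timezone.utc)


def appliance_utc(local_wall_clock: datetime, configured_offset_hours: float) -> datetime:
    """UTC instant the appliance believes it is, from its wall clock and its
    configured timezone (a fixed UTC offset here, standing in for a named zone).
    A wrong timezone shifts this instant even when the wall clock looks right."""
    tz = timezone(timedelta(hours=configured_offset_hours))
    return local_wall_clock.replace(tzinfo=tz).astimezone(timezone.utc)


def check_skew(appliance_time: datetime, dc_time: datetime,
               max_skew: timedelta = MAX_SKEW) -> dict:
    """Compare two UTC instants and report whether Kerberos would accept them."""
    skew = abs(appliance_time - dc_time)
    return {"skew_seconds": skew.total_seconds(), "ok": skew <= max_skew}


def sntp_time(host: str, timeout: float = 2.0) -> datetime:
    """Ask an NTP server (domain controllers normally serve NTP) for its time.
    Not used by the offline demo; run it against your own DC, e.g. sntp_time("dc1.example.local")."""
    packet = b"\x1b" + 47 * b"\x00"  # LI=0, VN=3, Mode=3 (client request)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 123))
        data, _ = sock.recvfrom(48)
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp field
    unix_seconds = secs - NTP_EPOCH_OFFSET + frac / 2**32
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


def demo_cases() -> dict:
    """Constructed scenarios for a secondary ACS whose DCs report DC_TIME.
    Wall clocks are local time on the appliance; -5 is the 'correct' offset here."""
    cases = {
        "correct clock and timezone": appliance_utc(datetime(2012, 1, 6, 11, 30, 0), -5),
        "correct wall clock, timezone left at UTC": appliance_utc(datetime(2012, 1, 6, 11, 30, 0), 0),
        "3.5 minutes fast": appliance_utc(datetime(2012, 1, 6, 11, 33, 30), -5),
        "6 minutes slow": appliance_utc(datetime(2012, 1, 6, 11, 24, 0), -5),
    }
    return {name: check_skew(t, DC_TIME) for name, t in cases.items()}


if __name__ == "__main__":
    for name, result in demo_cases().items():
        verdict = "OK" if result["ok"] else "CLOCK SKEW ERROR"
        print(f"{name:45s} skew={result['skew_seconds']:>8.1f}s  {verdict}")
```

The second scenario is the one the thread describes: the wall clock is right to the second, yet the appliance is five hours off in UTC because its timezone was never set, and the AD connection test fails. Correcting the time by hand clears the immediate error; pointing the secondary at the same NTP source the domain controllers use keeps it from drifting back over the 300-second limit later.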
