acs not authenticating routers via telnet or ssh

May 4th, 2012
I have an ACS 4.0 server that I use to authenticate the routers and switches on the network. It's been working fine for 4 years, but over the last two days I can only log in to devices via the local password. Routing between the server and the devices on the network seems fine and I can ping everything. I have restarted the services on the ACS server and even rebooted the server, but still no luck.

Nothing has changed on the routers & switches, i.e. `aaa new-model` etc. is all still in place.

Anyone seen this issue before?

edondurguti Fri, 05/04/2012 - 08:19

Well, kinda hard to know what's going on, but I'd start eliminating things.

Try plugging a router/switch into the same switch where the ACS is plugged in; maybe there is an ACL somewhere that's stopping the ports or so.

ohareka70 Fri, 05/04/2012 - 08:33

It's a strange one: even the switch where the ACS is plugged in can't authenticate. Maybe it's an issue with the ACS software, though I can't think what's changed (I don't think anything has). It's also funny in that it's not failing back to the local username and password. It's as if it knows that the TACACS server is there, and it also shows you as authenticated successfully in the ACS logs even though it fails on the device.

johnnylingo Sun, 05/06/2012 - 21:00

Is it failing for multiple users or just one?

What do the ACS event logs say?

ohareka70 Tue, 05/08/2012 - 01:45

It's failing for all users. The ACS event logs are saying: CS password invalid

All connectivity from the network to and from the server is fine. We think we might need to rebuild the server.

maldehne (Cisco Employee) Mon, 05/14/2012 - 00:16

In a nutshell, when you have to fall back to local users defined on the router, given that the first option in the method list is your ACS server, it means one thing:

no reply coming from ACS

This can be due to many reasons:

- ACS services are dead or not handling the request properly

You need to check the CSTACACS and CSAUTH services on the ACS.

- The ACS is responding but the response is never received on the AAA client.

In our case I can see that the ACS is saying "invalid CS password", which means that the ACS is rejecting the request, and accordingly this reply should be sent back to the AAA client, which should fail the authentication and never fail over to the local database on the AAA client.

In the meantime we need to have the following:

Set the logging level to Full on the ACS.

Try to authenticate through that AAA client.

Capture the username and the timestamp for the try.

Collect and then send the TCS.log and auth.log files that correlate to the timestamps of the try.

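The method-list behaviour described above (the AAA client moves on to `local` only when ACS gives no reply, never when ACS answers with a reject), as an added model in Python. This is not Cisco code; the server states, usernames and passwords are constructed for illustration.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Result(Enum):
    PASS = "PASS"    # server answered and accepted the credentials
    FAIL = "FAIL"    # server answered and rejected them (ACS log: "CS password invalid")
    ERROR = "ERROR"  # no usable reply: server down, unreachable, or services dead

Method = Callable[[str, str], Result]

def tacacs_method(server_state: str, acs_users: Dict[str, str]) -> Method:
    """Stand-in for 'group tacacs+'. server_state is 'up', 'down' or 'muddled';
    'muddled' models the thread's symptom: the server is up and replies, but
    every reply is a reject, so the reply is a FAIL rather than an ERROR."""
    def method(user: str, password: str) -> Result:
        if server_state == "down":
            return Result.ERROR   # timeout: nothing reaches the AAA client
        if server_state == "muddled":
            return Result.FAIL    # reply received, but it is a reject
        return Result.PASS if acs_users.get(user) == password else Result.FAIL
    return method

def local_method(local_users: Dict[str, str]) -> Method:
    """Stand-in for 'local': the usernames configured on the router itself."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if local_users.get(user) == password else Result.FAIL
    return method

def authenticate(method_list: List[Method], user: str, password: str) -> Tuple[Result, int]:
    """Walk the method list in order; return (final result, index of the deciding method).
    Only ERROR moves on to the next method; PASS or FAIL from any method is final."""
    for idx, method in enumerate(method_list):
        result = method(user, password)
        if result is not Result.ERROR:
            return result, idx
    return Result.FAIL, len(method_list) - 1  # every method errored: treated as denied here

# Constructed sample credentials (not taken from the thread).
ACS_USERS = {"admin": "acs-pw"}
LOCAL_USERS = {"admin": "local-pw"}

def scenario(server_state: str, password: str, user: str = "admin") -> Tuple[Result, int]:
    """'aaa authentication login default group tacacs+ local' against one server state."""
    methods = [tacacs_method(server_state, ACS_USERS), local_method(LOCAL_USERS)]
    return authenticate(methods, user, password)
```

With the server "muddled" the local password is never tried, which is exactly the symptom reported in this thread; only the "down" state reaches the local database.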

ohareka70 Wed, 06/06/2012 - 08:56
Eventually got to the bottom of this one.  Restored the database on the server and restarted all the services.



nkarthikeyan Wed, 06/06/2012 - 10:36

After restoring, is the result the same or is it working fine now? Because when you have the AAA pointed to ACS in the devices, it will not fall back to the local database unless and until the ACS server goes down / is not reachable. I'm a bit confused here.

ohareka70 Thu, 06/07/2012 - 01:09

It's working fine. The reason devices would not fall back to the local database was because the ACS server was actually up and devices were still trying to authenticate. But the server got itself into a bit of a muddle and needed to be rebooted with the Cisco ACS services restarted.