2355 Views, 0 Helpful, 8 Replies

ACS not authenticating routers via Telnet or SSH

ohareka70
Level 3

Hello,

I have an ACS 4.0 server that I use to authenticate the routers and switches on the network. It's been working fine for 4 years, but over the last two days I can only log in to devices via the local password. Routing between the server and the devices on the network seems fine and I can ping everything. I have restarted the services on the ACS server and even rebooted the server, but still no luck.

Nothing has changed on the routers and switches, i.e. aaa new-model etc. is all still in place.

Anyone seen this issue before?

thanks

Kevin

8 Replies

edondurguti
Level 4

Well, kinda hard to know what's going on, but I'd start eliminating things.

Try plugging a router/switch into the same switch where the ACS is plugged in; maybe there is an ACL somewhere that's stopping the ports or so.

It's a strange one; even the switch where the ACS is plugged in can't authenticate. Maybe it's an issue with the ACS software, though I can't think what's changed (I don't think anything has). It's also funny in that it's not falling back to the local username and password. It's as if it knows that the TACACS server is there, and it also shows you as authenticated successfully in the ACS logs even though it fails on the device.

Is it failing for multiple users or just one?

What do the ACS event logs say?

It's failing for all users. The ACS event logs are saying: CS password invalid

All connectivity from the network to and from the server is fine. We think we might need to rebuild the server.

In a nutshell, when you have to fall back to local users defined on the router, given that the first option in the method list is your ACS server, it means one thing: no reply coming from ACS.

This can be due to many reasons:

- ACS services are dead or not handling the request properly

You need to check CSTACACS and CSAUTH services on the ACS.

- The ACS is responding but the response is never received on the AAA client.

In our case I can see that the ACS is saying invalid CS password, which means that the ACS is rejecting the request; accordingly this reply should be sent back to the AAA client, which should fail the authentication and never fail over to the local database on the AAA client.

In the meantime we need the following:

- Set the logging level to Full on the ACS.

- Try to authenticate through that AAA client.

- Capture the username and the timestamp of the try.

- Collect the package.cab and then send the TCS.log and auth.log files that correlate to the timestamps of the try.

Regards
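The method-list behaviour described above, as an added example that is not part of this thread: an IOS configuration where the TACACS+ group is tried first and the local database is consulted only when the server gives no reply, plus the commands used on the device to tell a reject from a non-response. The server address, shared key, username and passwords are placeholders.

```cisco
! Added example, not from this thread. Address, key, username and passwords are placeholders.
aaa new-model
!
! Method list: try the TACACS+ group first. "local" is consulted ONLY when the group
! returns no answer (timeout / server unreachable). A REJECT from ACS (which is what
! "CS password invalid" is) is a final answer: the login is denied and local is never tried.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Local account that is only usable while the ACS gives no reply.
! Do not end the list with "none": that would admit anyone during a server outage.
username localadmin privilege 15 secret <LOCAL-PASSWORD-PLACEHOLDER>
!
tacacs-server host 192.0.2.10 key <SHARED-KEY-PLACEHOLDER>
tacacs-server timeout 5
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification from the device:
!   test aaa group tacacs+ testuser <PASSWORD-PLACEHOLDER> legacy
!     reports whether the server accepted the user, rejected the user, or did not respond
!   show tacacs                 ! per-server counters: socket opens, aborts, failed connects
!   debug aaa authentication    ! shows which method in the list answered and with what result
!   debug tacacs                ! shows the request/reply exchange with the server
```

If the debugs show a reply arriving from the server with a reject, the device is behaving correctly and the problem is on the ACS side, exactly the situation described in this thread.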

Eventually got to the bottom of this one.  Restored the database on the server and restarted all the services.

thanks

Kevin

After restoring, is the result the same or is it working fine now? Because when you have the AAA pointed to ACS in the devices, it will not fall back to the local database unless and until the ACS server goes down or is not reachable. I am a bit confused here.

It's working fine. The reason devices would not fall back to the local database was because the ACS server was actually up and devices were still trying to authenticate. But the server got itself into a bit of a muddle and needed rebooting, with the Cisco ACS services restarted.
