Cisco Support Community

New Member

ACS 3.1 Windows 2000 Domain Problem


I have ACS 3.1 for W2k. I installed the program on W2k Advanced Server and configured it to get authentication from Active Directory. Authentication works in the case of exec, but in the case of remote logging in through the Cisco Access Server I get the error (CS user unknown) and cannot log in using the W2k AD users.

What do you recommend for this error?

New Member

Re: ACS 3.1 Windows 2000 Domain Problem

The debug ppp authentication output:

2d03h: %LINK-3-UPDOWN: Interface Serial0:12, changed state to down

2d03h: %LINK-3-UPDOWN: Interface Async7, changed state to up

2d03h: As7 PPP: Treating connection as a dedicated line

2d03h: As7 PPP: Phase is AUTHENTICATING, by this end

2d03h: As7 CHAP: O CHALLENGE id 3 len 26 from "RAS"

2d03h: As7 CHAP: I RESPONSE id 3 len 30 from "test"

2d03h: As7 CHAP: Unable to validate Response. Username test: Authentication failure

2d03h: As7 CHAP: O FAILURE id 3 len 26 msg is "Authentication failure"

2d03h: %LINK-3-UPDOWN: Interface Serial0:10, changed state to down

2d03h: %LINK-5-CHANGED: Interface Async7, changed state to reset

2d03h: %LINK-3-UPDOWN: Interface Async7, changed state to down

The error in the ACS log message is "CS CHAP password invalid".

New Member

Re: ACS 3.1 Windows 2000 Domain Problem

More Info

I have recently installed ACS v3.1. I can successfully authenticate users using chap, but when I add the aaa authentication ppp default group tacacs+ command to my Cisco (AS5300) (authen'ing using my W2K AD) and debug, it says that authentication fails. I am running IOS 12.0(3)T1. It will, however, successfully authenticate me when logging into an AAA client using the aaa authentication login default group tacacs+ local command, so it appears that the authentication process is working. Any suggestions on how to authenticate my dialup users (via ACS/AD Database)? Everything appears to be configured right on the router. My guess is something in ACS is not configured properly to pass the authen. from the ACS to the NT Database (DC) for the dialup users. Any suggestions would be appreciated.

The ACS log error is (CS CHAP password invalid)
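Background on the CHAP exchange in the debug output above, as an added example that is not part of the original thread: in CHAP (RFC 1994) the response is MD5 over the identifier, the shared secret and the challenge, so the server checking it needs the cleartext secret, and a user store that keeps only a one-way hash of the password cannot recompute it. The password, the challenge bytes and the SHA-256 stand-in for the stored hash are constructed assumptions.

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response value: MD5(identifier || secret || challenge)."""
    data = bytes([ident]) + secret + challenge
    return hashlib.md5(data, usedforsecurity=False).digest()


def verify_with_cleartext(ident: int, challenge: bytes, response: bytes,
                          stored_secret: bytes) -> bool:
    """A server holding the cleartext secret recomputes the response and compares."""
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_with_hash_only(ident: int, challenge: bytes, response: bytes,
                          stored_hash: bytes) -> bool:
    """A server holding only a one-way hash of the password.

    It cannot recover the secret, so the only input it has is the hash itself,
    which does not reproduce what the peer computed from the real password.
    """
    expected = chap_response(ident, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    ident = 3                              # CHAP id shown in the debug output
    challenge = bytes(range(16))           # constructed challenge value
    password = b"Constructed-Passw0rd"     # constructed password for user "test"

    # Dial-in peer computes the response from the real password.
    response = chap_response(ident, password, challenge)

    # Stand-in for a directory that stores only a password hash (assumption:
    # SHA-256 is used here purely to illustrate "one-way", not a real format).
    stored_hash = hashlib.sha256(password).digest()

    return (verify_with_cleartext(ident, challenge, response, password),
            verify_with_hash_only(ident, challenge, response, stored_hash))


if __name__ == "__main__":
    ok_clear, ok_hash = demo()
    print("cleartext store validates CHAP:", ok_clear)
    print("hash-only store validates CHAP:", ok_hash)
```

A login where the password itself reaches the server does not have this constraint, since the server can hash what it receives and compare.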
