I have an ACS 4.0 server that i use to authenticate the routers and switches on the network. Its been working fine for 4 years but over last two days i can only login to devices via the local password. Routing between the server and the devices on the network seem fine and i can ping everything. I have restarted the services on the ACS server and even rebooted the server but still no luck.
Nothing has changed on the routers & switches ie aaa new model etc is all still in place.
Its a strange one - even the switch where the ACS is plugged in cant authenticate. Maybe its an issue with the ACS software though i cant think whats changed (i dont think anything has). Its also funny in that its not failing back to the local username and password. Its as if it knows that the tacacs server is there and it also shows you as authenticated successfully on the ACS logs even though it fails on the device.
In a nutshell when you have to fallback to local users defined on the router given that the first option in the method list
is your ACS server means one thing:
no reply comming from ACS
This can be due to many reasons:
- ACS services are dead or not handling the request properly
You need to check CSTACACS and CSAUTH services on the ACS.
- The ACS is responding but the response never received on the AAA client.
In our case i can see that the ACS is saying invalid cs password which means that the ACS is rejecting the request and accordingly this reply should be sent back to the AAA client which should fail the authentication and never failover to the loca database on the AAA client.
In the meantime we need to have the following:
set the logging level to FUll on the ACS
Try to authenticate through that AAA client
Capture the username and the timestamp for the try
collect the package.cab and then send the TCS.log and auth.log
files that correlate to the timestamps of the try.
After restoring also the result is same or working fine now???? because when you hav the aaa pointed to acs in the devices.... it will not fall back to local database unless and until the ACS server goes down/not reachable. Am bit confused here.
Its working fine. The reason devices would not fall back to local database was because the ACS server was actually up and devices were still trying to authenticate. But the server got itself into a bit of a muddle and needed rebooted with teh the Cisco ACS services restarted.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...