Cisco Support Community

New Member

acs not authenticating routers via telnet or ssh

Hello,

I have an ACS 4.0 server that I use to authenticate the routers and switches on the network. It's been working fine for 4 years, but over the last two days I can only log in to devices via the local password. Routing between the server and the devices on the network seems fine and I can ping everything. I have restarted the services on the ACS server and even rebooted the server, but still no luck.

Nothing has changed on the routers & switches, i.e. aaa new-model etc. is all still in place.

Anyone seen this issue before?

thanks

Kevin

8 REPLIES
New Member

Re: acs not authenticating routers via telnet or ssh

Well, kinda hard to know what's going on... but I'd start eliminating things.

Try plugging a router/switch into the same switch where the ACS is plugged in; maybe there is an ACL somewhere that's stopping the ports or so.

New Member

acs not authenticating routers via telnet or ssh

It's a strange one - even the switch where the ACS is plugged in can't authenticate. Maybe it's an issue with the ACS software, though I can't think what's changed (I don't think anything has). It's also funny in that it's not failing back to the local username and password. It's as if it knows that the TACACS server is there, and it also shows you as authenticated successfully in the ACS logs even though it fails on the device.

Bronze

acs not authenticating routers via telnet or ssh

Is it failing for multiple users or just one?

What do the ACS event logs say?

New Member

acs not authenticating routers via telnet or ssh

It's failing for all users. The ACS event logs are saying: CS password invalid

All connectivity from the network to and from the server is fine. We think we might need to rebuild the server.

Cisco Employee

acs not authenticating routers via telnet or ssh

In a nutshell, when you have to fall back to local users defined on the router, given that the first option in the method list is your ACS server, it means one thing: no reply coming from ACS.

This can be due to many reasons:

- ACS services are dead or not handling the request properly.

You need to check CSTACACS and CSAUTH services on the ACS.

- The ACS is responding, but the response is never received on the AAA client.

In our case I can see that the ACS is saying invalid CS password, which means that the ACS is rejecting the request, and accordingly this reply should be sent back to the AAA client, which should fail the authentication and never fail over to the local database on the AAA client.

In the meantime we need to have the following:

- Set the logging level to Full on the ACS.

- Try to authenticate through that AAA client.

- Capture the username and the timestamp for the attempt.

- Collect the package.cab and then send the TCS.log and auth.log files that correlate to the timestamps of the attempt.

Regards
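The fallback rule in the reply above (a TACACS+ reject is final; only a missing reply moves the router on to the next method) is the key to reading this thread. The following added example is not from the original post or from Cisco: it models an IOS-style login method list with that rule and runs a small constructed "failed attempts" extract (hypothetical column layout, not the real ACS CSV format) through the check the reply suggests, i.e. whether every user is being rejected with the same server-side failure code.

```python
from enum import Enum
import csv
from io import StringIO


class Result(Enum):
    PASS = "pass"    # server accepted the credentials
    FAIL = "fail"    # server answered with an explicit reject
    ERROR = "error"  # no usable answer: timeout, unreachable, dead service


def evaluate_method_list(methods, responses):
    """Walk an IOS-style login method list such as ['tacacs+', 'local'].
    responses maps method name -> Result for this attempt. Only ERROR
    moves on to the next method; PASS and FAIL are final decisions."""
    for method in methods:
        result = responses.get(method, Result.ERROR)
        if result is Result.ERROR:
            continue            # no reply: try the next method
        return result, method   # a definite answer ends the walk
    return Result.FAIL, None    # every method errored: login is denied


# Constructed sample (hypothetical columns), three users on two NAS devices.
SAMPLE_FAILED_ATTEMPTS = """date,time,user,nas_ip,failure_code
04/10,09:01:10,kevin,10.0.0.1,CS password invalid
04/10,09:02:41,alice,10.0.0.2,CS password invalid
04/10,09:03:05,bob,10.0.0.1,CS password invalid
"""


def rejected_users_by_code(csv_text, code="CS password invalid"):
    """Return the set of users rejected with the given failure code."""
    users = set()
    for row in csv.DictReader(StringIO(csv_text)):
        if row["failure_code"] == code:
            users.add(row["user"])
    return users


def server_side_suspect(csv_text, code="CS password invalid"):
    """Heuristic from the thread: when every failing user fails with the
    same credential-check code, suspect the ACS database rather than
    the users' passwords."""
    rows = list(csv.DictReader(StringIO(csv_text)))
    all_users = {r["user"] for r in rows}
    return bool(all_users) and rejected_users_by_code(csv_text, code) == all_users
```

A reject from the first method therefore never reaches `local`, which is exactly why the devices in this thread did not fall back while the ACS was up but answering with "CS password invalid".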

New Member

acs not authenticating routers via telnet or ssh

Eventually got to the bottom of this one.  Restored the database on the server and restarted all the services.

thanks

Kevin

acs not authenticating routers via telnet or ssh

After restoring, is the result the same, or is it working fine now? Because when you have the AAA pointed to ACS in the devices, it will not fall back to the local database unless and until the ACS server goes down or is not reachable. I'm a bit confused here.

New Member

acs not authenticating routers via telnet or ssh

It's working fine. The reason devices would not fall back to the local database was because the ACS server was actually up and devices were still trying to authenticate. But the server got itself into a bit of a muddle and needed rebooting with the Cisco ACS services restarted.
