Authentication to Active Directory from Cisco IOS

SCENARIO:

2 Cisco Secure ACS are configured to authenticate user logon to Active Directory.

The TACACS servers are configured in IOS

tacacs-server host 10.30.18.24

tacacs-server host 10.30.18.25

PROBLEM:

When the primary tacacs server 10.30.18.24 failed to validate user logon, we were logged out from the router. Then I tried to switch the order of the TACACS servers in the router config, i.e.

tacacs-server host 10.30.18.25

tacacs-server host 10.30.18.24

and then we were granted access. Can anyone explain why 10.30.18.25 did not take over user validation in the first place?

Regards

Simon

ACCEPTED SOLUTION

Re: Authentication to Active Directory from Cisco IOS

Hi Simon,

The reason for that is that there are some conditions that must be satisfied before the device tries to contact the second server in the config.

If you turn on

debug aaa authentication

then you'll get three kinds of responses.

- PASS

- FAIL

- ERROR

PASS -> Needs no explanation.

FAIL -> The authentication server was available, but the server rejected the request for the user for some reason.

ERROR -> There was no response from the authentication server. Probably it's not reachable.

ERROR is the only condition when it will try to contact the next server defined in your configuration.

So this could be the probable reason why it never went for .25 when .25 was second and .24 was first: .24 was still reachable and returned FAIL for the authenticating user.

Regards,

Prem
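The failover rule Prem describes (only ERROR moves on to the next server; PASS and FAIL are final) is easy to misjudge when reading a config, so here is a small simulation of it. This is an added example, not code from the original thread or from Cisco; the server names reuse the two addresses from the question, and the user, password and per-server replies are constructed assumptions that only exist to reproduce the three outcomes Simon saw.

```python
"""Simulate the IOS AAA server-list walk described in the accepted answer.

Assumed model (matches the reply above): servers are tried in configured order;
PASS and FAIL are final answers, and only ERROR (no response) causes the next
server in the list to be tried.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # server answered and accepted the credentials
    FAIL = "FAIL"    # server answered and rejected the credentials
    ERROR = "ERROR"  # no answer from the server (unreachable, timeout)


def make_server(users):
    """Build a fake TACACS+ server.

    `users` is a constructed {username: password} table the server can validate;
    None means the host never answers, which the device reports as ERROR.
    """
    def query(username, password):
        if users is None:
            return Result.ERROR
        if users.get(username) == password:
            return Result.PASS
        return Result.FAIL
    return query


def authenticate(servers, username, password):
    """Walk `servers` ([(name, query_fn), ...]) in order.

    Returns (final_result, tried) where `tried` lists each server contacted and
    its reply. The loop only continues past a server on ERROR.
    """
    tried = []
    for name, query in servers:
        result = query(username, password)
        tried.append((name, result))
        if result is Result.ERROR:
            continue          # unreachable: fall through to the next host
        return result, tried  # PASS or FAIL is final, remaining hosts untouched
    return Result.ERROR, tried  # every configured server was unreachable


# Constructed scenario (assumption, not from the thread): .24 is up but its AD
# lookup rejects the user; .25 is up and validates the user.
PRIMARY = "10.30.18.24"
SECONDARY = "10.30.18.25"
USER, PASSWORD = "simon", "s3cret"

SERVER_REJECTING = (PRIMARY, make_server({}))                   # answers FAIL
SERVER_ACCEPTING = (SECONDARY, make_server({USER: PASSWORD}))   # answers PASS
SERVER_DOWN = (PRIMARY, make_server(None))                      # answers ERROR


def scenario_original_order():
    """tacacs-server host .24 first, .25 second: .24 replies FAIL, .25 never tried."""
    return authenticate([SERVER_REJECTING, SERVER_ACCEPTING], USER, PASSWORD)


def scenario_swapped_order():
    """tacacs-server host .25 first: it replies PASS, .24 never consulted."""
    return authenticate([SERVER_ACCEPTING, SERVER_REJECTING], USER, PASSWORD)


def scenario_primary_unreachable():
    """Only when .24 gives ERROR does the device move on to .25."""
    return authenticate([SERVER_DOWN, SERVER_ACCEPTING], USER, PASSWORD)


if __name__ == "__main__":
    for scenario in (scenario_original_order, scenario_swapped_order,
                     scenario_primary_unreachable):
        final, tried = scenario()
        path = " -> ".join(f"{name}:{r.value}" for name, r in tried)
        print(f"{scenario.__name__:30s} {final.value:5s}  ({path})")
```

The practical check this illustrates: a second tacacs-server line only protects you against the first host being down, not against the first host answering FAIL because its own AD binding or group mapping is broken. Verifying that with `debug aaa authentication` (looking for FAIL versus ERROR on the first host) is faster than reordering servers.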

2 REPLIES


Re: Authentication to Active Directory from Cisco IOS

Thanks Prem for this useful answer.

Regards,

Simon
