Cisco Support Community
New Member

Cisco ACS can't find/authenticate internal user on 3550 switch

I'm doing some testing with ACS server on my Windows box and I can't seem to get a barebone RADIUS authentication to work with ACS internal users. I tested the same configuration with TACACS and it works fine, so there's something missing or misconfigured in my setup.

I have a Cisco 3550 switch that I want users to log in to using their ACS username/password.

SW1

username cisco password 0 cisco
username admin password 0 admin
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 172.16.1.115 auth-port 1645 acct-port 1646 key password
radius-server source-ports 1645-1646
radius-server key password

Eventually it uses my local username/password, with which I'm able to get in, but I'm not sure why it says it can't find the user account.

Here are the debugs from my Cisco switch and attached are the screenshots of my ACS server.

User Access Verification

Username:
2d18h: AAA: parse name=tty0 idb type=-1 tty=-1
2d18h: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
2d18h: AAA/MEMORY: create_user (0x17478B0) user='NULL' ruser='NULL' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
2d18h: AAA/AUTHEN/START (1772888944): port='tty0' list='' action=LOGIN service=LOGIN
2d18h: AAA/AUTHEN/START (1772888944): using "default" list
2d18h: AAA/AUTHEN/START (1772888944): Method=radius (rad
Username: userius)
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
Username: user2
Password:
2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='(undef)')
2d18h: AAA/AUTHEN (1772888944): status = GETUSER
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
2d18h: AAA/AUTHEN (1772888944): status = GETPASS

2d18h: AAA/AUTHEN/CONT (1772888944): continue_login (user='user2')
2d18h: AAA/AUTHEN (1772888944): status = GETPASS
2d18h: AAA/AUTHEN (1772888944): Method=radius (radius)
% Authentication failed.

2 REPLIES
New Member

In ACS, try sending the following attribute as part of authorization for users who can telnet/ssh to the router/switch.

cisco-avpair = "shell:priv-lvl=15"

Thanks
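
What the attribute suggested in this reply looks like on the wire, as an added example that is not part of the original thread: a Python sketch that encodes `shell:priv-lvl=15` as a Cisco vendor-specific attribute (RADIUS type 26, vendor ID 9, sub-type 1) and parses it back out of an Access-Accept. The function names are hypothetical and the sample packet is constructed, with a zeroed Response Authenticator.

```python
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26    # RADIUS attribute type for vendor-specific attributes
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR = 1        # Cisco sub-type that carries "key=value" strings

def encode_cisco_avpair(value):
    """Wrap one cisco-avpair string in a type-26 attribute."""
    data = value.encode("ascii")
    sub = bytes([CISCO_AVPAIR, 2 + len(data)]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds 255 bytes")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body

def build_access_accept(identifier, attrs):
    """Constructed sample packet: the 16-byte authenticator is left zeroed."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs

def cisco_avpairs(packet):
    """Return every cisco-avpair string found in a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if (atype == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub, i = value[4:], 0
            while i + 2 <= len(sub):          # walk the vendor sub-attributes
                stype, slen = sub[i], sub[i + 1]
                if slen < 2 or i + slen > len(sub):
                    raise ValueError("malformed Cisco sub-attribute")
                if stype == CISCO_AVPAIR:
                    pairs.append(sub[i + 2:i + slen].decode("ascii"))
                i += slen
        pos += alen
    return pairs

def exec_priv_level(packet):
    """Privilege level requested via shell:priv-lvl, or None if absent."""
    for pair in cisco_avpairs(packet):
        key, _, val = pair.partition("=")
        if key == "shell:priv-lvl":
            return int(val)
    return None
```

With `aaa authorization exec default group radius local` configured as in the original post, the switch applies this value to the exec session, so level 15 places the user directly in privileged mode.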

New Member

Is that a command that I have to run? I'm using the ACS that runs on my Windows 2003 server. Not sure where that is in the GUI.
