Issue with Cisco ACS and different Domains

jorge.s
Level 1

Hi,

We are currently having trouble with the Cisco ACS we have implemented; I'll try to describe it:

We have ACS Linked to AD Directory domains, where we have 2 domains, and proper group mappings.

We then have our Cisco switches with the following config:

aaa new-model
aaa authentication fail-message ^CCCC
Failled to Authenticate!
Please Contact IT Networks Group for further information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

But the issue is that users from one domain can authenticate, while users from the other cannot. Basically, when we check Passed Authentications, both authentications are passing and show "Authen OK", but on the switch side there is a failure.

Could there be something wrong with ACS?

Thanks

Jorge

Accepted Solution

Try to increase the timeout on IOS device by using tacacs-server timeout 10.

Do we have remote logging enabled on ACS server?

-Parminder


11 Replies

parmsing
Cisco Employee

Hi Jorge,

There is a known bug with remote logging: in ACS the authentication shows OK, however the client is not able to establish any session. It seems like exactly the same issue. If you have remote logging enabled on ACS, disable it and then try authentication. If authentication is working then you are hitting that bug.

Otherwise run the following debugs on the router, which should tell us why authentication is failing:

debug aaa authentication
debug aaa authorization
debug tacacs

Maybe the device is not receiving the authentication response back from the ACS.

HTH

-Parminder

Where do I find this remote logging option?

Jorge

On ACS web interface go under "system configuration>>logging."

What is the exact version of ACS you are running?

-Parminder

ACS 3.3

If you have remote logging enabled and authentication is working fine after disabling remote logging, you might be hitting CSCeg40355.

HTH

parminder

Here is the log:

023738: Jul 4 12:51:20: AAA: parse name=tty1 idb type=-1 tty=-1
023739: Jul 4 12:51:20: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023740: Jul 4 12:51:20: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023741: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): port='tty1' list='' action=LOGIN service=LOGIN
023742: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): using "default" list
023743: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): Method=tacacs+ (tacacs+)
023744: Jul 4 12:51:20: TAC+: send AUTHEN/START packet ver=192 id=3398875699
023745: Jul 4 12:51:20: TAC+: ver=192 id=3398875699 received AUTHEN status = GETUSER
023746: Jul 4 12:51:20: AAA/AUTHEN (3398875699): status = GETUSER
023747: Jul 4 12:51:26: AAA/AUTHEN/CONT (3398875699): continue_login (user='(undef)')
023748: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETUSER
023749: Jul 4 12:51:26: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023750: Jul 4 12:51:26: TAC+: send AUTHEN/CONT packet id=3398875699
023751: Jul 4 12:51:26: TAC+: ver=192 id=3398875699 received AUTHEN status = GETPASS
023752: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETPASS
023753: Jul 4 12:51:29: AAA/AUTHEN/CONT (3398875699): continue_login (user='q1jorgsous2')
023754: Jul 4 12:51:29: AAA/AUTHEN (3398875699): status = GETPASS
023755: Jul 4 12:51:29: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023758: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): port='tty1' list='' action=LOGIN service=LOGIN
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023761: Jul 4 12:51:34: AAA/AUTHEN (3619397261): User not found, end of method list
023762: Jul 4 12:51:34: AAA/AUTHEN (3619397261): status = FAIL
023763: Jul 4 12:51:36: AAA/AUTHEN/ABORT: (3619397261) because Unknown.
023764: Jul 4 12:51:36: AAA/MEMORY: free_user_quiet (0x2CB0178) user='q1jorgsous2' ruser='NULL' port='tty1' rem_addr='170.64.222.79' authen_type=1 service=1 priv=1
023765: Jul 4 12:51:36: AAA: parse name=tty1 idb type=-1 tty=-1
023766: Jul 4 12:51:36: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023767: Jul 4 12:51:36: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023768: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): port='tty1' list='' action=LOGIN service=LOGIN
023769: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): using "default" list
023770: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): Method=tacacs+ (tacacs+)
023771: Jul 4 12:51:36: TAC+: send AUTHEN/START packet ver=192 id=1833734231
023772: Jul 4 12:51:36: TAC+: ver=192 id=1833734231 received AUTHEN status = GETUSER
023773: Jul 4 12:51:36: AAA/AUTHEN (1833734231): status = GETUSER
023774: Jul 4 12:51:40: AAA/AUTHEN/CONT (1833734231): continue_login (user='(undef)')
023775: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = GETUSER
023776: Jul 4 12:51:40: AAA/AUTHEN (1833734231): Method=tacacs+ (tacacs+)
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023779: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): port='tty1' list='' action=LOGIN service=LOGIN
023780: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Restart
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
023782: Jul 4 12:51:40: AAA/AUTHEN (4010904151): status = GETPASS

In the debugs it seems like TACACS is not responding/reachable, which is why we are getting status=ERROR, which means fall back to the next available method. If authentication is passing on ACS then it should not fall back to the local method and we should get a pass/fail status.

Another point is that I don't see any IP address for the TACACS server which is being used for the authentication. Are you sure that you see passed authentication logs on ACS?

-Parminder

Here it is:

/07/2007 15:15:56 EDE0114 q1jorgsous2 .. .. Group 496 tty1 10.58.0.124 No Filters activated. NETWORK SWITCHES .. 170.64.222.79 Authen OK tawol055 1 .. AMER 10.58.0.124 .. .. No .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..

What is the IOS version we are running?

Try to increase the timeout on IOS device by using tacacs-server timeout 10.

Do we have remote logging enabled on ACS server?

-Parminder
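The pattern Parminder reads out of the debugs can be checked mechanically. As an added example (not code from the thread or from Cisco), this Python parser walks the rejoined debug lines, flags every TACACS+ "status = ERROR" that is followed by a restart on Method=LOCAL, and reports how long the switch waited on ACS before giving up; a wait equal to the IOS default of 5 seconds for tacacs-server timeout is the signature of the timeout problem rather than an unreachable server. The regexes, the record fields and the constant name are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines from the debug output posted above, rejoined onto single lines.
SAMPLE_LOG = """\
023753: Jul 4 12:51:29: AAA/AUTHEN/CONT (3398875699): continue_login (user='q1jorgsous2')
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023774: Jul 4 12:51:40: AAA/AUTHEN/CONT (1833734231): continue_login (user='(undef)')
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
"""

LINE_RE = re.compile(r"^\d+: (\w{3} +\d+ \d{2}:\d{2}:\d{2}): (.*)$")
SEND_RE = re.compile(r"TAC\+: send AUTHEN/\w+ packet (?:ver=\d+ )?id=(\d+)")
USER_RE = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
LOCAL_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=LOCAL")
DEFAULT_TACACS_TIMEOUT_S = 5  # IOS default for "tacacs-server timeout" (assumed constant name)

def _stamp(text):
    # The IOS stamp carries no year; strptime fills in 1900, which is fine for deltas.
    return datetime.strptime(re.sub(r" +", " ", text), "%b %d %H:%M:%S")

def find_tacacs_fallbacks(log):
    """One record per TACACS+ ERROR followed by a restart on Method=LOCAL, with the wait on ACS."""
    last_send, users, pending, findings = {}, {}, None, []
    for raw in log.splitlines():
        if not (m := LINE_RE.match(raw)):
            continue
        ts, msg = _stamp(m.group(1)), m.group(2)
        if (s := SEND_RE.search(msg)):
            last_send[s.group(1)] = ts            # last packet the switch sent to ACS
        elif (u := USER_RE.search(msg)) and u.group(2) != "(undef)":
            users[u.group(1)] = u.group(2)
        elif (st := STATUS_RE.search(msg)) and st.group(2) == "ERROR":
            sid = st.group(1)                     # ERROR: no usable reply from the server
            waited = (ts - last_send[sid]).total_seconds() if sid in last_send else None
            pending = {"session": sid, "user": users.get(sid), "waited_s": waited}
        elif (loc := LOCAL_RE.search(msg)) and pending is not None:
            pending["fallback_session"] = loc.group(1)
            # Waiting exactly the configured timeout means ACS was slow, not down.
            pending["looks_like_timeout"] = pending["waited_s"] == DEFAULT_TACACS_TIMEOUT_S
            findings.append(pending)
            pending = None
    return findings
```

Run it over a full debug capture to see which logins silently dropped to the local method; a fallback to local credentials that nobody noticed is worth alerting on in its own right.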

You made my day!

It was a timeout issue!
