07-04-2007 03:59 AM - edited 03-10-2019 03:15 PM
Hi,
We are currently having trouble with the Cisco ACS that we have implemented, and I'll try to describe it:
We have ACS linked to AD directory domains, where we have 2 domains, and proper group mappings.
We then have our Cisco switches with the following config:
aaa new-model
aaa authentication fail-message ^CCCC
Failled to Authenticate!
Please Contact IT Networks Group for further information.
^C
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
But the issue is that we can authenticate with the users from one domain, but not from the other. The issue is basically that when we check Passed Authentications, both authentications are passing and show "Authen OK", but on the switch side there is a failure.
Could there be something wrong with ACS?
Thanks
Jorge
07-04-2007 05:27 AM
Try to increase the timeout on the IOS device by using tacacs-server timeout 10.
Do we have remote logging enabled on the ACS server?
-Parminder
07-04-2007 04:12 AM
Hi Jorge,
There is a known bug with remote logging: in ACS, authentication shows OK; however, the client is not able to establish any session. This seems like the exact same issue. If you have remote logging enabled on ACS, disable it and then try authentication. If authentication is working then you are hitting that bug.
Otherwise, run the following debugs on the router, which should tell us why authentication is failing:
debug aaa authentication
debug aaa authorization
debug tacacs
Maybe the device is not receiving the authentication response back from the ACS.
HTH
-Parminder
07-04-2007 04:26 AM
Where do I find this remote logging option?
Jorge
07-04-2007 04:28 AM
On the ACS web interface, go under "System Configuration >> Logging."
What is the exact version of ACS you are running?
-Parminder
07-04-2007 04:33 AM
ACS 3.3
07-04-2007 04:44 AM
If you have remote logging enabled and authentication is working fine after disabling remote logging, you might be hitting CSCeg40355.
HTH
parminder
07-04-2007 04:53 AM
Here is the log:
023738: Jul 4 12:51:20: AAA: parse name=tty1 idb type=-1 tty=-1
023739: Jul 4 12:51:20: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023740: Jul 4 12:51:20: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023741: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): port='tty1' list='' action=LOGIN service=LOGIN
023742: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): using "default" list
023743: Jul 4 12:51:20: AAA/AUTHEN/START (3398875699): Method=tacacs+ (tacacs+)
023744: Jul 4 12:51:20: TAC+: send AUTHEN/START packet ver=192 id=3398875699
023745: Jul 4 12:51:20: TAC+: ver=192 id=3398875699 received AUTHEN status = GETUSER
023746: Jul 4 12:51:20: AAA/AUTHEN (3398875699): status = GETUSER
023747: Jul 4 12:51:26: AAA/AUTHEN/CONT (3398875699): continue_login (user='(undef)')
023748: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETUSER
023749: Jul 4 12:51:26: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023750: Jul 4 12:51:26: TAC+: send AUTHEN/CONT packet id=3398875699
023751: Jul 4 12:51:26: TAC+: ver=192 id=3398875699 received AUTHEN status = GETPASS
023752: Jul 4 12:51:26: AAA/AUTHEN (3398875699): status = GETPASS
023753: Jul 4 12:51:29: AAA/AUTHEN/CONT (3398875699): continue_login (user='q1jorgsous2')
023754: Jul 4 12:51:29: AAA/AUTHEN (3398875699): status = GETPASS
023755: Jul 4 12:51:29: AAA/AUTHEN (3398875699): Method=tacacs+ (tacacs+)
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023758: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): port='tty1' list='' action=LOGIN service=LOGIN
023759: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Restart
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023761: Jul 4 12:51:34: AAA/AUTHEN (3619397261): User not found, end of method list
023762: Jul 4 12:51:34: AAA/AUTHEN (3619397261): status = FAIL
023763: Jul 4 12:51:36: AAA/AUTHEN/ABORT: (3619397261) because Unknown.
023764: Jul 4 12:51:36: AAA/MEMORY: free_user_quiet (0x2CB0178) user='q1jorgsous2' ruser='NULL' port='tty1' rem_addr='170.64.222.79' authen_type=1 service=1 priv=1
023765: Jul 4 12:51:36: AAA: parse name=tty1 idb type=-1 tty=-1
023766: Jul 4 12:51:36: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
023767: Jul 4 12:51:36: AAA/MEMORY: create_user (0x2CB0178) user='NULL' ruser='NULL' ds0=0 port='tty1' rem_addr='170.64.222.79' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
023768: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): port='tty1' list='' action=LOGIN service=LOGIN
023769: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): using "default" list
023770: Jul 4 12:51:36: AAA/AUTHEN/START (1833734231): Method=tacacs+ (tacacs+)
023771: Jul 4 12:51:36: TAC+: send AUTHEN/START packet ver=192 id=1833734231
023772: Jul 4 12:51:36: TAC+: ver=192 id=1833734231 received AUTHEN status = GETUSER
023773: Jul 4 12:51:36: AAA/AUTHEN (1833734231): status = GETUSER
023774: Jul 4 12:51:40: AAA/AUTHEN/CONT (1833734231): continue_login (user='(undef)')
023775: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = GETUSER
023776: Jul 4 12:51:40: AAA/AUTHEN (1833734231): Method=tacacs+ (tacacs+)
023777: Jul 4 12:51:40: TAC+: send AUTHEN/CONT packet id=1833734231
023778: Jul 4 12:51:40: AAA/AUTHEN (1833734231): status = ERROR
023779: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): port='tty1' list='' action=LOGIN service=LOGIN
023780: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Restart
023781: Jul 4 12:51:40: AAA/AUTHEN/START (4010904151): Method=LOCAL
023782: Jul 4 12:51:40: AAA/AUTHEN (4010904151): status = GETPASS
07-04-2007 05:09 AM
In the debugs it seems like TACACS is not responding/reachable, which is why we are getting status=ERROR, which means fall back to the next available method. If authentication is passing on ACS then it should not fall back on the local method and we should get a pass/fail status.
Another point is that I don't see any IP address for the TACACS server which is being used for the authentication. Are you sure that you see passed authentication logs on ACS?
-Parminder
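Parminder's reading of the debug (status = ERROR with no TACACS+ reply to the last packet sent, then a Restart with Method=LOCAL) can be checked mechanically. The Python below is an added example, not code from the thread or from Cisco; it parses the `debug aaa authentication`/`debug tacacs` lines in the format posted above (a condensed, constructed copy of one session is embedded) and reports, per session id, whether the server answered or the device gave up waiting, and how long it waited. In the posted log that wait is 5 seconds, which is the IOS default `tacacs-server timeout`, consistent with the accepted fix.

```python
import re
from datetime import datetime

# Constructed sample, condensed from the debug output posted in this thread
# (one session: TAC+ exchange, then status = ERROR and fallback to LOCAL).
SAMPLE = """\
023744: Jul 4 12:51:20: TAC+: send AUTHEN/START packet ver=192 id=3398875699
023745: Jul 4 12:51:20: TAC+: ver=192 id=3398875699 received AUTHEN status = GETUSER
023750: Jul 4 12:51:26: TAC+: send AUTHEN/CONT packet id=3398875699
023751: Jul 4 12:51:26: TAC+: ver=192 id=3398875699 received AUTHEN status = GETPASS
023756: Jul 4 12:51:29: TAC+: send AUTHEN/CONT packet id=3398875699
023757: Jul 4 12:51:34: AAA/AUTHEN (3398875699): status = ERROR
023760: Jul 4 12:51:34: AAA/AUTHEN/START (3619397261): Method=LOCAL
023762: Jul 4 12:51:34: AAA/AUTHEN (3619397261): status = FAIL
"""

LINE = re.compile(r"^\d+: (\w{3}\s+\d+ \d\d:\d\d:\d\d): (.*)$")
SEND = re.compile(r"TAC\+: send AUTHEN/\w+ packet .*id=(\d+)")
RECV = re.compile(r"TAC\+: .*id=(\d+) received AUTHEN status = (\w+)")
STAT = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
LOCAL = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=LOCAL")

def parse_ts(s):
    return datetime.strptime(s, "%b %d %H:%M:%S")  # IOS debug stamps carry no year

def classify(log):
    """Map each AAA session id to a verdict: 'server_timeout after Ns' when the
    last TAC+ packet got no reply before status = ERROR, 'server_reject' when the
    server answered FAIL, 'local_fallback' when the session is the LOCAL retry."""
    last_send, answered, verdict = {}, {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if s := SEND.search(msg):
            last_send[s.group(1)] = ts
            answered[s.group(1)] = False
        elif r := RECV.search(msg):
            answered[r.group(1)] = True
        elif st := STAT.search(msg):
            sid, status = st.groups()
            if status == "ERROR" and sid in last_send and not answered[sid]:
                wait = int((ts - last_send[sid]).total_seconds())
                verdict[sid] = f"server_timeout after {wait}s"
            elif status == "FAIL" and sid in last_send:
                verdict[sid] = "server_reject"  # FAIL with no TAC+ send is LOCAL
        elif lo := LOCAL.search(msg):
            verdict[lo.group(1)] = "local_fallback"
    return verdict
```

A credential problem on ACS would instead show the server replying with status = FAIL on the same session id; a timeout shows no reply at all.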
07-04-2007 05:18 AM
Here it is:
/07/2007 15:15:56 EDE0114 q1jorgsous2 .. .. Group 496 tty1 10.58.0.124 No Filters activated. NETWORK SWITCHES .. 170.64.222.79 Authen OK tawol055 1 .. AMER 10.58.0.124 .. .. No
07-04-2007 05:28 AM
What IOS version are we running?
07-04-2007 05:37 AM
You made my day!
It was a timeout issue!