Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TACACS auth and RADIUS accounting with ACS

I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

3 REPLIES

Re: TACACS auth and RADIUS accounting with ACS

Hi,

Check out the below explantion and what is the configuration for aaa in asa has done and in ACS also .


Explanation   This message indicates that the adaptive security appliance has attempted an  authentication, authorization, or accounting request to the AAA server and did not receive a  response within the configured timeout window. The AAA server is marked as "failed" and has been  removed from service.

Recommended Action   Verify that the AAA server is online and is accessible from the adaptive  security appliance

Regards

Ganesh.H

New Member

Re: TACACS auth and RADIUS accounting with ACS

Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows

Server Group - RADIUS

Protocol - RADIUS

Accounting Mode - Simultaneous

Reactivation Mode - Timed

Max Failed attempts - 3

Two servers in the Server Group

ACS - Not working

Microsoft IAS - Working

I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.

ACS is configured as follows

Network Configuration

AAA Clients - ASA authenticate using TACACS+

AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

Re: TACACS auth and RADIUS accounting with ACS

Hi,

Please check out the following things:-

1) Check out the ASA aaa client ip address is configured in ACS that is the trusted interface from where the ACS is reachable. Means if ACS is residing in Public zone interface so configure in ACS under aaa clients the public interface of ASA.

2) In ASA for radius server configuration, check out the authentication port is configured 1645 at both the end in ASA as well as in ACS under aaa client table.

3) and in ASA ACS server should come in online state, so the raidus port need to have communication betwee the two.

Hope this helps !!

Regards

Ganesh.H

1895
Views
0
Helpful
3
Replies