01-06-2012 08:34 AM - edited 03-10-2019 06:41 PM
ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting
01-06-2012 11:26 AM
That's what I suspected. You will have to deregister the secondary ACS from the Primary. Configure the appropriate Secondary ACS clock and timezone to match the AD Domain Controllers time. Both the clock change and the timezone change will restart the secondary ACS services for the changes to take effect.
After the appropriate time has been configured we should "Test Connection" against AD from the ACS GUI on the secondary. As soon as it succeeds we can proceed and save changes and also register the secondary back to the primary.
This should address the issue.
Regards.
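The fix above depends on both the clock and the timezone of the secondary ACS matching the domain controller, because Kerberos compares times in UTC and rejects requests outside its tolerance (5 minutes by default on both MIT krb5 and Windows AD). The following is an added example, not code from the thread or from Cisco: it takes the wall-clock time and configured UTC offset of each box (the `show clock`-style timestamp format is an assumption), computes the skew the DC would see, and shows how a correct wall-clock time combined with a wrong timezone still fails the AD connection test.

```python
from datetime import datetime, timedelta, timezone

# Kerberos default maximum tolerable clock skew (MIT krb5 and Windows AD): 5 minutes.
MAX_SKEW = timedelta(minutes=5)


def parse_clock(text, utc_offset_hours):
    """Parse a 'Fri Jan 06 11:26:00 2012'-style timestamp (assumed format) into an
    aware datetime, using the UTC offset the host has configured as its timezone."""
    naive = datetime.strptime(text, "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))


def clock_skew(acs_clock, dc_clock):
    """Absolute skew between two aware datetimes, compared in UTC as Kerberos does."""
    return abs(acs_clock.astimezone(timezone.utc) - dc_clock.astimezone(timezone.utc))


def check_secondary(acs_text, acs_offset, dc_text, dc_offset, max_skew=MAX_SKEW):
    """Return (skew_seconds, ok) for a secondary ACS against its domain controller."""
    skew = clock_skew(parse_clock(acs_text, acs_offset), parse_clock(dc_text, dc_offset))
    return int(skew.total_seconds()), skew <= max_skew


if __name__ == "__main__":
    # Constructed sample: the DC runs in UTC; the secondary ACS shows a wall-clock time
    # only 90 s off, but its timezone was left at UTC-5, so the DC sees a 5 h skew.
    dc = ("Fri Jan 06 11:26:00 2012", 0)
    print(check_secondary("Fri Jan 06 11:27:30 2012", -5, *dc))  # (18090, False)
    # After correcting the timezone to match the DC, only the 90 s offset remains.
    print(check_secondary("Fri Jan 06 11:27:30 2012", 0, *dc))   # (90, True)
```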
01-06-2012 08:53 AM
Hello,
If you access the ACS 5.x CLI and execute "show application status acs" are all the services running?
Also, under the ACS 5.x GUI Users and Identity Stores > External Identity Stores > Active Directory which is the status of the ACS under Connectivity Status? Is it showing as Connected or Disconnected?
Regards.
01-06-2012 10:29 AM
Carlos,
Thanks for the reply,
I verified all services are running and also AD status is connected.
All the devices are able to authenticate using ACS except one, which shows the following error message in the ACS log:
"24444 Active Directory Operation has failed because of an unspecified error in the ACS"
01-06-2012 10:35 AM
Hello Santosh,
I wanted to verify the following as well. How many ACS servers do you have on your network? Is it only one ACS server acting as standalone? Or do you have a Distributed Deployment with Secondary ACS Servers?
If you have multiple ACS servers, can you access the Failure log again and verify which ACS Instance is authenticating the ASA request? If it is a different ACS instance can you check the AD status on that one as well.
I will dig further on another options and I will be waiting for your response as well.
Regards.
01-06-2012 11:09 AM
We have a Distributed deployment, and I found one of the Secondary instances is not connecting to the domain. It is giving the following message: "connection test to domain failed - clock skew error."
01-08-2012 09:47 PM
Hi Carlos,
Thanks for your help, everything is finally working.