TACACS authentication fails for one of our network device

Santosh Shetty
Level 1

ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting


6 Replies

camejia
Level 3

Hello,

If you access the ACS 5.x CLI and execute "show application status acs" are all the services running?

Also, under the ACS 5.x GUI Users and Identity Stores > External Identity Stores > Active Directory which is the status of the ACS under Connectivity Status? Is it showing as Connected or Disconnected?

Regards.

Carlos,

Thanks for the reply,

I verified all services are running and also AD status is connected.

All the devices are able to authenticate using ACS except one, which shows up with the following error message in the ACS log:

"24444 Active Directory Operation has failed because of an unspecified error in the ACS"

Hello Santosh,

I wanted to verify the following as well. How many ACS servers do you have on your network? Is it only one ACS server acting as standalone? Or do you have a Distributed Deployment with Secondary ACS Servers?

If you have multiple ACS servers, can you access the Failure log again and verify which ACS Instance is authenticating the ASA request? If it is a different ACS instance can you check the AD status on that one as well.

I will dig further on another options and I will be waiting for your response as well.

Regards.

We have a Distributed deployment, and I found one of the Secondary instances is not connecting to the domain. It is giving the following message: "connection test to domain failed - clock skew error."

That's what I suspected. You will have to deregister the secondary ACS from the Primary. Configure the appropriate Secondary ACS clock and timezone to match the AD Domain Controllers time. Both the clock change and the timezone change will restart the secondary ACS services for the changes to take effect.

After the appropriate time has been configured we should "Test Connection" against AD from the ACS GUI on the secondary. As soon as it succeeds we can proceed and save changes and also register the secondary back to the primary.

This should address the issue.

Regards.
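As an added illustration (not code from this thread or from Cisco ACS), the Python check below shows why the accepted answer insists on matching both the clock and the timezone: it converts an ACS node's wall clock and a domain controller's wall clock to UTC and compares the skew against the default five-minute Kerberos tolerance, with the sample readings and UTC offsets constructed here as assumptions.

```python
from datetime import datetime, timedelta, timezone

# Kerberos, which underlies the ACS-to-AD join and authentication,
# rejects requests whose timestamp differs from the domain controller's
# by more than this tolerance by default.
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def parse_clock(clock: str, utc_offset_hours: float) -> datetime:
    """Combine a wall-clock reading ("YYYY-MM-DD HH:MM:SS") with the UTC
    offset of the configured timezone into an aware UTC timestamp."""
    naive = datetime.strptime(clock, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def clock_skew(acs_clock: str, acs_offset: float,
               dc_clock: str, dc_offset: float) -> timedelta:
    """Absolute difference between the two clocks once both are in UTC."""
    return abs(parse_clock(acs_clock, acs_offset)
               - parse_clock(dc_clock, dc_offset))


def ad_join_would_fail(acs_clock: str, acs_offset: float,
                       dc_clock: str, dc_offset: float) -> bool:
    """True when the skew exceeds what the domain controller tolerates,
    i.e. when ACS would report a clock skew error on Test Connection."""
    return clock_skew(acs_clock, acs_offset, dc_clock, dc_offset) > KERBEROS_MAX_SKEW


if __name__ == "__main__":
    # Constructed sample: wall clocks read the same, but the secondary ACS
    # is set to UTC while the DC runs at UTC-5, so the real skew is 5 hours.
    print(clock_skew("2011-03-10 09:00:00", 0, "2011-03-10 09:00:00", -5))
    # Constructed sample: same timezone, clocks two minutes apart -> within tolerance.
    print(ad_join_would_fail("2011-03-10 09:02:00", -5, "2011-03-10 09:00:00", -5))
    # Constructed sample: same timezone, seven minutes apart -> skew error.
    print(ad_join_would_fail("2011-03-10 09:07:00", -5, "2011-03-10 09:00:00", -5))
```

The first case is the trap the answer warns about: the secondary's clock looks right on screen, yet a wrong timezone still puts it hours off the DC, so both settings must be verified before re-registering the node.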

Hi Carlos,

Thanks for your help, everything is working finally.
