Cisco Support Community
Community Member

TACACS authentication fails for one of our network devices

ACS 5.1 is failing TACACS authentication to the ASA firewall, getting

6 REPLIES
Silver


Hello,

If you access the ACS 5.x CLI and execute "show application status acs" are all the services running?

Also, under the ACS 5.x GUI Users and Identity Stores > External Identity Stores > Active Directory, what is the status of the ACS under Connectivity Status? Is it showing as Connected or Disconnected?

Regards.

Community Member


Carlos,

Thanks for the reply,

I verified all services are running and also AD status is connected.

All the devices are able to authenticate using ACS except one, which shows the following error message in the ACS log:

       "24444 Active Directory Operation has failed because of an unspecified error in the ACS"

Silver


Hello Santosh,

I wanted to verify the following as well. How many ACS servers do you have on your network? Is it only one ACS server acting as standalone? Or do you have a Distributed Deployment with Secondary ACS Servers?

If you have multiple ACS servers, can you access the Failure log again and verify which ACS Instance is authenticating the ASA request? If it is a different ACS instance can you check the AD status on that one as well.

I will dig further into other options and I will be waiting for your response as well.

Regards.

Community Member


We have a Distributed deployment, and I found one of the Secondary instances is not connecting to the domain. It is giving the following message: "connection test to domain failed - clock skew error."

Silver


That's what I suspected. You will have to deregister the secondary ACS from the Primary. Configure the appropriate Secondary ACS clock and timezone to match the AD Domain Controllers time. Both the clock change and the timezone change will restart the secondary ACS services for the changes to take effect.

After the appropriate time has been configured we should "Test Connection" against AD from the ACS GUI on the secondary. As soon as it succeeds we can proceed and save changes and also register the secondary back to the primary.

This should address the issue.

Regards.
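The root cause in this thread is clock skew between one ACS instance and the AD domain controllers. Kerberos, which ACS uses to talk to AD, rejects requests whose timestamp differs from the KDC's by more than the domain's tolerance (5 minutes by default in AD). The check below is an added example, not code from the thread or from Cisco; it compares each ACS instance's clock against a domain controller's and flags the ones that would fail the AD connection test. It also covers the trap the accepted answer warns about: a clock that shows the right wall-clock time but the wrong timezone is still skewed by the timezone offset. The timestamps are constructed sample values in ISO 8601 with UTC offsets, and the instance names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# AD's default Kerberos "maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def parse_ts(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries an explicit UTC offset.

    A naive timestamp is rejected on purpose: without the offset we cannot
    tell whether 10:23 on the ACS and 10:23 on the DC are really the same
    instant, which is exactly the timezone mistake behind a clock skew error.
    """
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {ts!r} has no timezone offset")
    return dt


def clock_skew_seconds(acs_ts: str, dc_ts: str) -> int:
    """Absolute skew in whole seconds between an ACS clock and a DC clock,
    compared as instants in UTC so that timezone differences count."""
    acs = parse_ts(acs_ts).astimezone(timezone.utc)
    dc = parse_ts(dc_ts).astimezone(timezone.utc)
    return int(abs((acs - dc).total_seconds()))


def exceeds_kerberos_skew(acs_ts: str, dc_ts: str,
                          max_skew: timedelta = KERBEROS_MAX_SKEW) -> bool:
    """True when AD would reject the ACS instance's Kerberos traffic."""
    return clock_skew_seconds(acs_ts, dc_ts) > max_skew.total_seconds()


def triage(instances: dict, dc_ts: str) -> list:
    """Return (instance, skew_seconds, needs_fix) for every ACS instance,
    the view a distributed deployment needs: only the skewed secondary
    breaks AD lookups for the devices that happen to hit it."""
    return [
        (name, clock_skew_seconds(ts, dc_ts), exceeds_kerberos_skew(ts, dc_ts))
        for name, ts in instances.items()
    ]


# Constructed sample clocks (hypothetical instance names):
#   - the DC and the primary agree,
#   - the secondary shows the same wall-clock time as the DC but is set to
#     UTC-5, so it is really five hours (plus a few seconds) ahead in UTC.
DC_CLOCK = "2011-06-15T10:23:45+00:00"
ACS_CLOCKS = {
    "acs-primary": "2011-06-15T10:23:46+00:00",
    "acs-secondary": "2011-06-15T10:23:50-05:00",
}

if __name__ == "__main__":
    for name, skew, needs_fix in triage(ACS_CLOCKS, DC_CLOCK):
        status = "FIX CLOCK/TIMEZONE" if needs_fix else "ok"
        print(f"{name:15s} skew={skew:6d}s  {status}")
```

Feed it the output of `show clock` from each ACS node and from a domain controller (converted to ISO 8601 with offsets) and fix only the instances it flags, then rerun the AD "Test Connection" on those nodes before registering them back to the primary.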

Community Member


Hi  Carlos,

Thanks for your help, everything working finally.
