I have two ACS servers in my network, Server-A and Server-B, running version 4.2. I am facing an issue with one of my AAA clients: it cannot log in with AD credentials or with the locally configured credentials.
Upon analysis I found low disk space on the secondary ACS server, Server-B, which is causing the issue. However, as per my configuration the AAA client should reach Server-A instead of Server-B. Whenever I have a low disk space issue with Server-B I am unable to log in to my AAA client with AD or local credentials.
That's right, the authentication request should reach out to the primary TACACS+ server 10.238.60.45 as it comes first in the sequence. Can you check the "show tacacs" output?
Run the following debug and see what we get:
debug aaa authentication
We can also remove both servers and re-add them.
Regarding the low disk issue, please ensure that the logging level on Server-B is set to low under System Configuration > Service Control. If it is set to high it will fill up the ACS installation directory, and that can create issues with disk space.
I would also suggest checking the ACS installation directory and making sure no big log files have accumulated. If there are any, either move those files to a different location or delete them.
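The "show tacacs" check suggested in the reply above is easier to read when the per-server counters are compared side by side: a server that receives packets but never answers (socket timeouts, sent > recv) is the one the client gives up on, and IOS only falls over to the next server when a server does not respond, not when a reachable server returns FAIL. The following is an added example, not part of the original thread or of Cisco ACS; it parses text in the shape of IOS "show tacacs" output and reports which server is actually serving requests. The sample output is constructed for the example; the primary address is the one named in the thread, the secondary address 10.238.60.46 is an assumed placeholder.

```python
import re

# Constructed sample in the layout of IOS "show tacacs" (not captured from
# the poster's device). Primary 10.238.60.45 is from the thread; 10.238.60.46
# is an assumed placeholder for Server-B.
SAMPLE = """\
Tacacs+ Server  : 10.238.60.45/49
              Socket opens:          4
              Socket closes:         4
              Socket aborts:         0
              Socket errors:         0
              Socket Timeouts:       4
              Failed Connect Attempts: 0
              Total Packets Sent:    4
              Total Packets Recv:    0

Tacacs+ Server  : 10.238.60.46/49
              Socket opens:          4
              Socket closes:         4
              Socket aborts:         0
              Socket errors:         0
              Socket Timeouts:       0
              Failed Connect Attempts: 0
              Total Packets Sent:    8
              Total Packets Recv:    8
"""

SERVER_RE = re.compile(r"^\s*Tacacs\+ Server\s*:\s*([\d.]+)(?:/(\d+))?")
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$")


def parse_show_tacacs(text):
    """Return {server_ip: {counter_name: int}} in the order the device lists servers."""
    servers = {}
    current = None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            servers[current][m.group(1).strip().lower()] = int(m.group(2))
    return servers


def assess(servers, expected_primary):
    """Explain, from the counters alone, where requests went and why."""
    findings = []
    order = list(servers)
    if not order:
        return ["no TACACS+ servers in output"]
    if order[0] != expected_primary:
        findings.append(
            f"first server in the device's list is {order[0]}, not {expected_primary}: "
            "check the tacacs-server host / aaa group server order")
    for ip, c in servers.items():
        sent = c.get("total packets sent", 0)
        recv = c.get("total packets recv", 0)
        timeouts = c.get("socket timeouts", 0)
        failed = c.get("failed connect attempts", 0)
        if failed or timeouts:
            findings.append(
                f"{ip}: {failed} failed connects, {timeouts} timeouts "
                "(an unresponsive server is skipped; a reachable one that returns FAIL is not)")
        if sent and recv < sent:
            findings.append(f"{ip}: {sent - recv} of {sent} requests unanswered")
    others_busy = any(s.get("total packets sent", 0)
                      for ip, s in servers.items() if ip != expected_primary)
    if servers.get(expected_primary, {}).get("total packets sent", 0) == 0 and others_busy:
        findings.append(
            f"no packets ever sent to {expected_primary}; another server is handling authentication")
    return findings


if __name__ == "__main__":
    for line in assess(parse_show_tacacs(SAMPLE), "10.238.60.45"):
        print(line)
```

Paste the real "show tacacs" output into SAMPLE (or read it from a file) and pass the address of the server that is configured first; the findings tell you whether the client is actually talking to that server and whether it is getting answers.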
An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers, and with databases and directories that contain user information. The current standard by which devices or applications communicate with an AAA server is RADIUS.
ACS 5.3 functions as an AAA server for one or more network access devices (NADs). The NADs are clients of the ACS server. You must specify the IP address of ACS on each client NAD so that it directs user access requests to ACS using the RADIUS protocol.
RADIUS is widely used to secure the access of end users to network resources. A RADIUS server can act as a proxy to other RADIUS servers or to other kinds of authentication servers.
The NAD serves as the network gatekeeper and sends an Access-Request to ACS on behalf of the user. ACS verifies the username, password, and possibly other data by using either the internal identity store, or an externally configured LDAP or Windows Active Directory identity store.
ACS ultimately responds to the NAD with either an Access-Reject message or an Access-Accept message that contains a set of authorization attributes.
ACS 5.3 provides network transport over UDP and implements the RADIUS protocol, including RADIUS packet parsing and assembling, necessary data validation, and tracking of duplicate requests.
Some reasons for using UDP are:
• Acceptable response time is on the order of seconds, so the client can simply retransmit a request that gets no answer; a connection-oriented transport buys nothing here.
• No special handling is required for rebooting or offline clients and servers: there is no connection state to tear down, and a client that gets no reply retries or fails over to its next configured server.
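The Access-Request / Access-Accept / Access-Reject exchange described above, together with the packet parsing, data validation and duplicate-request tracking that the RADIUS transport layer has to do, is shown here as an added example in Python; it is not code from the page or from Cisco ACS. It follows the RFC 2865 packet layout (code, identifier, length, 16-byte authenticator, type-length-value attributes), hides User-Password with the MD5-based scheme from the RFC, has the server stamp its reply with the Response Authenticator, and has the NAD side verify that authenticator before trusting the answer. The shared secret, user database and NAD address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value(<=253)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(pkt):
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):   # octets past Length are padding
        raise ValueError("bad length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def obfuscate_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(cipher, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, attr_bytes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def build_access_request(ident, username, password, secret, req_auth=None):
    """What the NAD sends on the user's behalf; req_auth must be fresh and unpredictable."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, obfuscate_password(password, secret, req_auth))]
    return pack(ACCESS_REQUEST, ident, req_auth, attrs)


class RadiusServer:
    """Minimal ACS-like server with an internal identity store (constructed users)."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users
        self.seen = {}   # (client, identifier, request authenticator) -> cached reply

    def handle(self, client, pkt):
        code, ident, req_auth, attrs = unpack(pkt)
        if code != ACCESS_REQUEST:
            raise ValueError("unexpected code")
        key = (client, ident, req_auth)
        if key in self.seen:          # retransmission: resend, do not re-authenticate
            return self.seen[key]
        a = dict(attrs)
        password = reveal_password(a.get(ATTR_USER_PASSWORD, b""), self.secret, req_auth)
        if self.users.get(a.get(ATTR_USER_NAME)) == password:
            code, reply = ACCESS_ACCEPT, [(ATTR_REPLY_MESSAGE, b"Welcome")]
        else:
            code, reply = ACCESS_REJECT, [(ATTR_REPLY_MESSAGE, b"Access denied")]
        auth = response_authenticator(code, ident, req_auth, encode_attrs(reply), self.secret)
        self.seen[key] = pack(code, ident, auth, reply)
        return self.seen[key]


def verify_response(resp, req_auth, secret):
    """NAD side: (authenticator valid?, code, attributes). Never trust code if not valid."""
    code, ident, resp_auth, attrs = unpack(resp)
    expected = response_authenticator(code, ident, req_auth, encode_attrs(attrs), secret)
    return hmac.compare_digest(resp_auth, expected), code, attrs
```

The only thing standing between an on-path attacker and the password, or a forged Access-Accept, is the shared secret fed into MD5, which is why RADIUS between NAD and server should be carried over IPsec or RadSec (RADIUS over TLS) rather than trusted on the wire. The cache keyed on client, identifier and request authenticator is the duplicate tracking the text mentions: a NAD that retransmits because a UDP reply was lost gets the same answer back without a second lookup against AD or the internal store.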