New Member

ACS and ciscoworks

Hi All,

I'm currently converting all our network devices over to AAA but I'm getting a lot of errors in the "failed attempts" log on the ACS.

They are Authen failed "username" External DB user invalid or bad password with a caller-id of (ip address) of our ciscoworks server.

It seems to be happening when ciscoworks is doing its inventory late at night, but I'm unsure of how to stop it. We changed the local password on the network devices when we started to implement the ACS/AAA standard. I think it's just a password mismatch between the acs and the ciscoworks server (LMS 2.5) but I don't know where it is.

We are running ACS 3.3.3(11) and map to a Novell domain.

Any ideas on where to start with this? I might have forgotten to mention some info, so just ask if you need more.

Craig

4 REPLIES
Silver

Re: ACS and ciscoworks

The error %AAA-5-USER_RESET: User [chars] failed attempts reset by [chars] means: The number of failed user authentication attempts has been reset to zero.

Recommended Action: Copy the error message exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl. Also perform a search of the Bug Toolkit http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl.

Cisco Employee

Re: ACS and ciscoworks

Check the device attributes in the DCR of LMS. You could go to Device Center - Device Troubleshooting and do a Check Device Credentials and see if everything comes back with a status of ok.

New Member

Re: ACS and ciscoworks

More info on subject above:

In my AAA config on my switches I initially took out the password command from the vty line since the AAA would take over. I've noticed the failed login attempts on my ACS server for access to our Ciscoworks server ip address. From this, I assume that ciscoworks needs the same username and password as is configured on the vty lines on the switches or network device. Is this correct?

Do I need a password configured on the vty lines in order for ciscoworks to access the devices for various archives and sync stuff?

Thanks,

Craig

Silver

Re: ACS and ciscoworks

Here's what you need on your AAA server (assuming you have tacacs or radius then local as the order for AAA):

A username with password and enable password defined and access allowed to the devices you want to manage.

If you are using LMS 3.0 you can define both that aaa name/pw/epw combo along with the local u/pw/epw as secondary credentials.

To fully manage a device with Ciscoworks you need SNMP RO, RW; telnet or SSH access; AAA if configured; syslog and trap receiver pointed to your boxes.

You can get a CSV file from your system using the DCRCLI exp fn=filname.csv ft=csv that will list all the attributes by device in your CW server's Device Credential Repository... that's the information it's using to attempt to access your devices.
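
One way to confirm the pattern described in this thread (failed authentications that all come from the CiscoWorks server's address during its nightly inventory) is to summarize an exported failed-attempts log by caller-id and username. This is an added example, not code from any of the posters or from Cisco; the CSV column names, the midnight-to-05:00 window, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are assumed; adjust to your own export.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Caller-ID,Authen-Failure-Code
03/14/2007,01:02:11,Authen failed,lmsuser,192.0.2.50,External DB user invalid or bad password
03/14/2007,01:03:40,Authen failed,lmsuser,192.0.2.50,External DB user invalid or bad password
03/14/2007,01:05:02,Author failed,lmsuser,192.0.2.50,Service denied
03/14/2007,09:15:27,Authen failed,jsmith,192.0.2.77,External DB user invalid or bad password
03/14/2007,14:40:09,Authen failed,jsmith,192.0.2.77,External DB user invalid or bad password
03/15/2007,01:02:15,Authen failed,lmsuser,192.0.2.50,External DB user invalid or bad password
03/15/2007,01:04:58,Authen failed,lmsuser,192.0.2.50,External DB user invalid or bad password
"""

def summarize_failures(csv_text, window=(0, 5), min_nights=2):
    """Group 'Authen failed' rows by (caller-id, user). A pair is marked
    'scheduled' when every failure falls inside the nightly window and the
    failures recur on at least min_nights distinct dates, which points at an
    automated job using stale credentials rather than a person mistyping."""
    stats = defaultdict(lambda: {"total": 0, "in_window": 0, "dates": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Message-Type"].strip().lower() != "authen failed":
            continue  # ignore authorization failures and other message types
        entry = stats[(row["Caller-ID"].strip(), row["User-Name"].strip())]
        hour = int(row["Time"].split(":")[0])
        entry["total"] += 1
        entry["dates"].add(row["Date"].strip())
        if window[0] <= hour < window[1]:
            entry["in_window"] += 1
    report = []
    for (caller, user), e in stats.items():
        report.append({
            "caller_id": caller,
            "user": user,
            "failures": e["total"],
            "nights": len(e["dates"]),
            "scheduled": e["in_window"] == e["total"] and len(e["dates"]) >= min_nights,
        })
    return sorted(report, key=lambda r: -r["failures"])

if __name__ == "__main__":
    for line in summarize_failures(SAMPLE_LOG):
        print(line)
```

The username reported for a caller-id flagged as scheduled is the one to compare against the credentials listed for each device in the DCR export.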