03-04-2009 12:34 PM
We have our Ciscoworks server set to authenticate to our ACS server (Non-ACS and Tacacs+). In other words, authenticate to ACS but do not register modules to ACS (controlled on the server). We had some network issues where we could not ping the ACS servers. When that happened I noticed that the Authentication mode is now "Tacacs+ (fallback Mode)". How can I get that out of that mode and back into authentication "Tacacs+"?
03-04-2009 03:51 PM
It should automatically go back to TACACS+ mode. However, if you don't see this happening, then you can restart Daemon Manager. The restart will cause the authentication servlet to reconnect to the TACACS+ server (if it is reachable).
03-05-2009 04:57 AM
Tried restarting daemon and it did not work. What else should I try?
03-05-2009 07:51 AM
What happens if you try to toggle between the two options under DCR - Server - Security - AAA Mode Setup - TACACS+ (click on the Change button)?
1. Allow all CiscoWorks local users to fallback to the CiscoWorks Local login.
3. Allow no fallbacks to the CiscoWorks Local login.
03-05-2009 07:59 AM
I will try that.
03-05-2009 10:38 AM
Who are you logging in as? If you're logging in as admin, and admin has no TACACS+ account, then you will be seen as logging in via fallback mode (if admin is allowed in your fallback list).
03-05-2009 02:41 PM
I am logging in as myself. My account is in ACS.
03-05-2009 05:28 PM
Check the logs on ACS to see if LMS is making an authentication request. Make sure that you can telnet to TCP port 49 on the ACS server from the LMS server and get a successful connection.
03-06-2009 06:29 AM
I am logging into Ciscoworks using my Tacacs account, but it is still showing fallback mode. To make sure that it is authenticating to ACS, I have changed my password in Ciscoworks, and when I try to log into CW with the new password, I am denied access. When I use my Tacacs password, I am able to log into Ciscoworks.
03-06-2009 08:39 AM
Is your user listed in the fallback user list for the TACACS+ login module?
03-06-2009 08:46 AM
Yes, I selected all users to fallback. I just put up another post, since we tried toggling between fallback and not fallback, and now we cannot log into Ciscoworks via the GUI. We tried other accounts and we cannot connect.
03-06-2009 08:48 AM
Something is not working between LMS and ACS. I strongly suspect either a communication problem, or a secret key mismatch. What, if anything, do you see in the ACS server logs?
If you are now locked out of LMS, you can run the NMSROOT/bin/ResetLoginModule.pl command to restore local authentication:
NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl
03-06-2009 09:02 AM
thanks jclarke!!