Cisco Support Community

New Member

LMS/ACS account keeps locking out


Our LMS environment is integrated with ACS 4.1 for RSA authentication purposes.

We have an ACS account which is used by LMS to run administrative jobs on end devices. Periodically this account will appear with 'CS Account expired' or 'CS Password invalid'. This is a machine/system account so should never have an incorrect password.

Are there any circumstances why this account would lock out when connecting to end devices? This is not limited to the time of day or the types of devices or networks being accessed.

Has anyone come across this type of issue before?

Many Thanks

Cisco Employee

Re: LMS/ACS account keeps locking out

If jobs are succeeding, you should not be getting account lockouts. However, if there are failures in which the username gets entered, but the password is skipped, or made to be invalid, then that could certainly lock out accounts. Specific instances of these failed jobs would need to be troubleshot (e.g. with a sniffer) to isolate the underlying cause.

New Member

Re: LMS/ACS account keeps locking out

It is a bit of a tricky one because the majority of jobs succeed and then the odd job may fail because of this credential issue, and it's not necessarily the same device, as this may pass the next time. Obviously logs on the devices won't give any further information either, as authentication did not pass.

This almost makes me wonder whether it's a timeout issue from when the credentials are entered to authenticating with the ACS server. Just trying to understand how a machine account could get a password wrong as there is no human interaction involved.

Are there any audit logs/tools available in LMS that may provide further info on a failed instance, or are the ACS logs the most info you can get other than putting a sniffer trace on? With a sniffer trace, chances are the device would work the next time around.

Re: LMS/ACS account keeps locking out

I observed a strange behaviour with an ACS account for LMS in the past:

and 2 weeks ago the customer had the same or similar problem again. This time I did not do any troubleshooting and just restarted LMS to solve the problem.