Unable to access ACS

Stacey Hummer
Level 1

Good day,

We are having an issue with a couple of switches we have daisy chained off of each other. We have a 2960 8 port going to a 2950 24 port, then to our core switch, a 6507. The problem is we cannot authenticate to the ACS server attached to the 6507 from the 2960. We can, however, authenticate to the ACS from the 2950. We do have similar setups like this in different parts of our network that work. I have compared the configurations from these switches and nothing stands out.

2960

G0/8 trunk allowed vlan 59,3300

switchport mode trunk

connect to

2950

G0/1 trunk allowed vlan 59,3300

switchport mode trunk

connect to

6507

Any help would be appreciated.

humv

1 Reply

Marvin Rhoads
Hall of Fame

In such cases I find it useful to see if the packets are actually arriving at the ACS server. If you're running ACS on Windows, it's pretty simple to load Wireshark, start a capture and watch for the packets coming in during a failed authentication attempt.

I'm assuming you verified the obvious like the device's management IP being correctly entered and the tacacs key matching.

Common issues include:

a. the device sourcing from other than the expected IP address and thus not matching its definition in ACS. This can be fixed by either changing the device definition on ACS or using the "ip tacacs source-interface" command on the switch.

b. the packets not arriving at all from the source device. This is usually caused by a network configuration error.

You can also debug tacacs on the switch while you try to authenticate to your ACS server.
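
The capture check described in the reply above can be scripted. This is an added example, not part of the original reply: it reads a classic pcap saved on the ACS server during one failed login and reports which of the two common cases applies. The function names, the result labels and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

TACACS_PORT = 49  # TACACS+ listens on TCP/49

def tacacs_sources(pcap: bytes) -> set:
    """Source IPs of IPv4/TCP packets sent to port 49 in a classic
    little-endian pcap with untagged Ethernet frames."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap file")
    sources, off = set(), 24                      # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not IPv4 or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IP header (IHL)
        if len(tcp) >= 4 and struct.unpack_from("!H", tcp, 2)[0] == TACACS_PORT:
            sources.add(str(ipaddress.IPv4Address(frame[26:30])))
    return sources

def triage(pcap: bytes, defined_ip: str) -> str:
    """Map a capture taken during one failed login to the cases in the reply."""
    seen = tacacs_sources(pcap)
    if not seen:
        return "no-packets"        # case b: check the network path
    if defined_ip not in seen:
        return "source-mismatch"   # case a: fix ACS entry or source interface
    return "arrived"               # next: shared key, debug on the switch

# Constructed sample data (documentation addresses, not from the thread).
def _syn(src: str, dst: str) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, TACACS_PORT, 0, 0, 0x50, 2, 1024, 0, 0)
    frame = bytes(12) + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE = PCAP_HDR + _syn("198.51.100.8", "192.0.2.10")

if __name__ == "__main__":
    print(triage(SAMPLE, "192.0.2.8"))
```

Pass the address entered for the switch in ACS as `defined_ip`; the parser does not handle pcapng files or 802.1Q-tagged frames.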
