From: Elias Udechime (euchime@xxxxxxxxx)
Date: Fri Oct 12 2001 - 12:05:33 GMT-3
Cisco is changing the CiscoSecure ACS to ACCESS
REGISTRAR. They are the same, just more robust and
with more sessions.
Are you running TACACS(+) or RADIUS?
If you are having problems with your CiscoSecure ACS
system, check these items first:
1. Make sure you are using the correct version of the
Cisco IOS software for your version of the
CiscoSecure ACS and the protocol you are using.
2. Make sure you are using a web browser that is
supported for your version of the CiscoSecure ACS. See
the release notes or the readme.txt file for a list of
supported web browsers.
3. Make sure attribute values assigned to user
profiles do not conflict with those assigned to their
group profile.
4. If you are using the RADIUS protocol, any changes
to the dictionary for one profile will affect all
groups and users who are assigned that dictionary. To
see if your dictionary has been changed, compare the
dictionary attributes you see listed on the web-based
interface line-by-line with those listed in the
chapter "RADIUS Attribute-Value Pairs and Dictionary
Management." If they differ, your dictionary has been
changed. You can also use this technique to find out
which dictionary has been assigned to a profile.
5. Confirm that CiscoSecure ACS installed without
generating any errors.
6. Use a text editor, such as vi, to view the
$BASEDIR/logfiles/cs_install.log.
7. Confirm that CiscoSecure ACS starts successfully.
Use a text editor, such as vi, to examine the
$BASEDIR/logfiles/cs_startup.log.
Note any errors and correct them where possible.

Here are the authentication error messages and their
meanings. Maybe UNKNOWN NAS is UNKNOWN USER instead.
Authentication - User not found
    User not found in the database.

Authentication - Bad type
    Bad authentication type (login, sendpass, and so on).

Authentication - No username specified
    No username found in the database.

Authentication - Unexpected data
Authentication - Unexpected reserved data
    Bad data in the authentication packet.

Authentication - Incorrect password
    Password incorrect.

Authentication - Aborted sequence
    Authentication sequence aborted by the NAS.

Authentication - File handling error
    Authentication encountered a file handling problem
    with the NAS.

Authentication - Unknown password type
    Bad password type.

Authentication - User not in file
    User not found in the database.

Authentication - Error in external function
    An error occurred outside the AAA server.

Authentication - Bad service
    Invalid service encountered in the PPP1, shell, or
    other component.

Authentication - Bad action
    The server performed an invalid function.

Authentication - Bad password
    Garbled password.

Authentication - SENDPASS successful
Authentication - SENDPASS failed
Authentication - LOGIN successful
Authentication - ENABLE successful
Authentication - CHPASS successful
Authentication - SENDAUTH successful
Authentication - SENDAUTH failed
    Various types of authentication success/failure
    messages.

Authentication - Too many tries
    User exceeded the allowable number of attempts to
    enter the correct password.

Authentication - Can't change password
Authentication - Change password failed
    An attempt to change a password failed.

Check out this link also:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/troubles.htm#27271

Elias
--- Dennis Bailey <amazingplace@prodigy.net> wrote:
> I am wondering if anyone has been able to use CiscoSecure ACS (NT/2000
> version) for controlling access to router console and vty lines. I am
> currently running ACS 2.5 and am using it for authentication of dialup
> and vpn remote access users. I have been trying to figure out how to use
> it to control access to my routers but seem to get to a point where
> authentication fails and the message in the failed attempts log is
> "unknown NAS".
>
> Is it necessary to define every device in cisco secure for this to work?
> Is there a default NAS config? I know I must be missing something simple,
> I can get it to work fine when I configure it for terminal access on one
> of my remote access routers (which are defined as NAS in cisco secure)
> but nothing else.
>
> Any ideas, links, examples, abuse....whatever you feel is
> appropriate..except one day lab stuff :-)
>
> Thanks,
> Dennis