From: Hewie (whewetson@gmail.com)
Date: Wed Apr 11 2007 - 14:22:57 ART
Hi Luu,
Run 'netstat -an | more' from the command prompt on your ACS server to see
if it is listening on TCP 49. Your output should look like this:
  Proto  Local Address  Foreign Address  State
  TCP    0.0.0.0:49     0.0.0.0:0        LISTENING
Are you sure you don't have the Windows firewall enabled on your server?
Hewie
On 4/11/07, Luu Hoang Dung <lhd.ccdzi@gmail.com> wrote:
>
> Hi Marvin and other guys,
>
> Firstly, thank you for your concern.
>
> I have tried to check my process and the results are:
>
> 1 - There is only a transparent switch between the
> router-to-be-authenticated and the ACS server
>
> 2 - When I telnet to port 49 of the ACS server from my PC I got: "could not
> open connection to the host on port 49: Connect failed".
>
> When I telnet to port 49 of the ACS server from my Routers I got:
>
> " Router2#telnet 192.168.1.200 49
> Trying 192.168.1.200, 49 ...
> % Connection refused by remote host ".
>
> 3 - I configured the router to authenticate locally like this:
>
> username cisco password 0 cisco
> aaa new-model
> !
> !
> aaa authentication login default local
>
> And the result is successful.
>
> 4 - I tried to authenticate different routers and the error msg is still the
> same, and I also got this:
>
> *Mar 1 00:17:48.315: TPLUS(00000004)/0/WRITE: write to 192.168.1.200 failed with errno 134((ENOTCONN))
> *Mar 1 00:17:53.311: TPLUS(00000004)/0/WRITE/62E74248: timed out
>
> 5 - There isn't any ACL anywhere
>
> What more can be wrong here?
>
>
> -----Original Message-----
> From: Marvin Greenlee [mailto:marvin@ipexpert.com]
> Sent: Wednesday, April 11, 2007 9:08 AM
> To: 'CCDesire'; 'Cisco certification'
> Subject: RE: Problem with ACS
>
> Are there other devices in the data path between your router and the ACS
> server?
>
> Do you get the same response (connection is refused) if you telnet from the
> router to the ACS server on TCP port 49?
>
> Are you getting this message when you try an authentication from the router
> locally (using the 'test aaa' command)?
>
> Do you only get the 'connection refused' when trying to connect to the
> router from somewhere else? If only when trying to connect to the router
> from somewhere else, is there any configured access-class/ACL blocking
> traffic to the router?
>
> Are you able to authenticate to the ACS server from the router using RADIUS?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> CCDesire
> Sent: Tuesday, April 10, 2007 9:37 PM
> To: 'Cisco certification'
> Subject: Problem with ACS
>
> Dear group,
>
> I have the following error message every time I try to authenticate routers
> to the Tacacs+ Server in Cisco Secure ACS:
>
> Connection is refused by remote host
>
> I tried different ways to fix this problem but was still unsuccessful.
>
> Router-to-be-authenticated can ping Server, all firewalls on server are
> closed (ACS with W2K server).
>
> The hostname, the IP and the shared-key for the router are correctly
> configured.
>
> This is what I configured about authentication:
>
> Aaa new-model
> Aaa authen login default group tacacs local
>
> Tacacs-server host 206.222.152.1 single
> Tacacs-server key ventu
>
> Pls help me troubleshoot this problem.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
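
The two checks used in this thread (looking for a LISTENING socket on TCP 49 in 'netstat -an' output, and testing whether a connection to that port is accepted, refused or silently dropped) can be scripted. The following is an added example, not part of the original messages; the function names and the sample netstat text are constructed for illustration.

```python
import errno
import socket

TACACS_PORT = 49  # TCP port the thread checks on the ACS server

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4949           0.0.0.0:0              LISTENING
  TCP    192.168.1.200:49       192.168.1.10:1045      ESTABLISHED
  UDP    0.0.0.0:1645           *:*
"""


def listening_on(netstat_output, port=TACACS_PORT):
    """Return the local addresses that are LISTENING on exactly TCP `port`."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Windows layout: Proto, Local Address, Foreign Address, State
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        local, state = fields[1], fields[3].upper()
        if state == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            hits.append(local)
    return hits


def probe(host, port=TACACS_PORT, timeout=3.0):
    """Classify a TCP connect attempt, like the telnet test in the thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"      # something accepted the connection
    except ConnectionRefusedError:
        return "refused"   # host replied with a reset: no listener, or a rejecting filter
    except socket.timeout:
        return "timeout"   # no reply: traffic dropped or host unreachable
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


if __name__ == "__main__":
    print("listeners on TCP 49:", listening_on(SAMPLE))
    print("127.0.0.1:49 ->", probe("127.0.0.1", timeout=1.0))
```

A "refused" result together with an empty listener list on the server points at the service not being bound to TCP 49, while "refused" or "timeout" with a listener present points at filtering between the client and the service.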
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART