Re: Problem with ACS

From: Greg Wendel (gwendel@gmail.com)
Date: Wed Apr 11 2007 - 14:45:57 ART


Can you get any information from the failure logs on the ACS server? We
usually use the Reports and Activities > failed attempts to get more
information.

On 4/11/07, Luu Hoang Dung <lhd.ccdzi@gmail.com> wrote:
>
> Hi Marvin and other guys,
>
> Firstly thank you for your concern.
>
> I have tried to check my process and the results are:
>
> 1 - There is only a transparent switch between the
> router-to-be-authenticated and the ACS server
>
> 2 - When I telnet to port 49 of the ACS server from my PC I got: "could not
> open connection to the host on port 49: Connect failed".
>
> When I telnet to port 49 of the ACS server from my Routers I got:
>
> " Router2#telnet 192.168.1.200 49
>
> Trying 192.168.1.200, 49 ...
>
> % Connection refused by remote host ".
>
>
>
> 3 - I configured the router to authenticate locally like this:
>
> username cisco password 0 cisco
> aaa new-model
> !
> !
> aaa authentication login default local
>
> And the result is successful.
>
>
>
> 4 - I tried to authenticate different routers and the error msg is still the
> same, and I also got this:
>
> *Mar 1 00:17:48.315: TPLUS(00000004)/0/WRITE: write to 192.168.1.200 failed
> with errno 134((ENOTCONN))
>
> *Mar 1 00:17:53.311: TPLUS(00000004)/0/WRITE/62E74248: timed out
>
>
>
> 5- There isn't any ACL anywhere
>
>
>
> What more can be wrong here ?
>
>
>
> -----Original Message-----
>
> From: Marvin Greenlee [mailto:marvin@ipexpert.com]
>
> Sent: Wednesday, April 11, 2007 9:08 AM
>
> To: 'CCDesire'; 'Cisco certification'
>
> Subject: RE: Problem with ACS
>
>
>
> Are there other devices in the data path between your router and the ACS
> server?
>
> Do you get the same response (connection is refused) if you telnet from the
> router to the ACS server on TCP port 49?
>
> Are you getting this message when you try an authentication from the router
> locally (using the 'test aaa' command)?
>
> Do you only get the 'connection refused' when trying to connect to the
> router from somewhere else? If only when trying to connect to the router
> from somewhere else, is there any configured access-class/ACL blocking
> traffic to the router?
>
> Are you able to authenticate to the ACS server from the router using
> RADIUS?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
> Senior Technical Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com
>
>
> -----Original Message-----
>
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>
> CCDesire
>
> Sent: Tuesday, April 10, 2007 9:37 PM
>
> To: 'Cisco certification'
>
> Subject: Problem with ACS
>
>
>
> Dear group,
>
> I have the following error message every time I try to authenticate routers
> to the TACACS+ server in Cisco Secure ACS:
>
>  Connection is refused by remote host
>
> I tried different ways to fix this problem but am still unsuccessful.
>
> The router-to-be-authenticated can ping the server, and all firewalls on the
> server are closed (ACS on a W2K server).
>
> The hostname, the IP and the shared key for the router are correctly
> configured.
>
> This is what I configured for authentication:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> tacacs-server host 206.222.152.1 single-connection
> tacacs-server key ventu
>
> Pls help me troubleshoot this problem.
>

--
Gregory Wendel
Springfield VA, 22153
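The thread's manual triage steps (the "telnet to port 49" test and reading the TPLUS debug output) can be automated so that "refused", "timed out" and "open" are kept apart, since each points at a different layer. The script below is an added example written for this archive page; it is not code from anyone in the thread. The only input it assumes is the pair of debug lines quoted above, restored with the space the mail client dropped before "failed"; the server address and port 49 are taken from the thread, and the loopback self-check is a constructed stand-in for a real ACS host.

```python
import re
import socket
from typing import Dict, List, Optional

TACACS_PORT = 49  # IANA TACACS+ port, the one tested with telnet in the thread

# Constructed sample: the two TPLUS lines quoted in the thread.
SAMPLE_DEBUG: List[str] = [
    "*Mar 1 00:17:48.315: TPLUS(00000004)/0/WRITE: write to 192.168.1.200 "
    "failed with errno 134((ENOTCONN))",
    "*Mar 1 00:17:53.311: TPLUS(00000004)/0/WRITE/62E74248: timed out",
]

# Shape of an IOS TPLUS debug line: TPLUS(<session>)/<n>/<STAGE>[/<handle>]: <msg>
TPLUS_RE = re.compile(
    r"TPLUS\((?P<session>[0-9A-Fa-f]+)\)/\d+/(?P<stage>[A-Z]+)"
    r"(?:/[0-9A-Fa-f]+)?:\s*(?P<msg>.*)$"
)
ERRNO_RE = re.compile(r"errno\s+(?P<num>\d+)\(\((?P<name>[A-Z]+)\)\)")


def parse_tplus_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one TPLUS debug line, or None for any other line."""
    m = TPLUS_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = {
        "session": m.group("session"),
        "stage": m.group("stage"),
        "msg": m.group("msg").strip(),
    }
    e = ERRNO_RE.search(m.group("msg"))
    if e is not None:
        rec["errno"] = int(e.group("num"))
        rec["errno_name"] = e.group("name")
    return rec


def probe_tcp(host: str, port: int = TACACS_PORT, timeout: float = 3.0) -> str:
    """Classify a TCP connect like the thread's telnet test.

    'refused' = RST came back (host up, nothing listening), 'timeout' = no
    answer (filtered or down), 'unreachable' = no route/ICMP error, 'open' =
    handshake completed.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # subclass of OSError, so it goes first
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def diagnose(probe_result: str, debug_lines: List[str]) -> List[str]:
    """Turn the probe result plus debug evidence into the next thing to check."""
    findings: List[str] = []
    if probe_result == "refused":
        findings.append("RST from the server: nothing is listening on the TACACS+ "
                        "port; check the TACACS+ service on the ACS host.")
    elif probe_result == "timeout":
        findings.append("no answer: look for an ACL/firewall or a routing problem "
                        "between router and server.")
    elif probe_result == "open":
        findings.append("transport is fine: check the AAA client entry and shared "
                        "key, then the ACS Failed Attempts report.")
    else:
        findings.append("no route / ICMP unreachable: fix IP reachability first.")

    for rec in filter(None, map(parse_tplus_line, debug_lines)):
        if rec.get("errno_name") == "ENOTCONN":
            findings.append(f"session {rec['session']}: write on an unconnected "
                            "socket (ENOTCONN); the TCP session never came up.")
        elif "timed out" in str(rec["msg"]):
            findings.append(f"session {rec['session']}: {rec['stage']} timed out.")
    return findings


def self_check() -> tuple:
    """Probe a loopback listener, then the same port once it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, no privileges needed
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close      # expected ('open', 'refused')


if __name__ == "__main__":
    print(self_check())
    for finding in diagnose("refused", SAMPLE_DEBUG):
        print("-", finding)
```

Against a real ACS host you would call `probe_tcp("192.168.1.200")` from a machine on the same segment as the router and feed the router's `debug tacacs` output to `diagnose`; a "refused" result together with ENOTCONN on the WRITE stage is the combination this thread shows, and it places the fault on the server side (service not listening) rather than on the shared key or the AAA configuration.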


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART