Re: Problem with ACS

From: Luu Hoang Dung (lhd.ccdzi@gmail.com)
Date: Wed Apr 11 2007 - 15:56:39 ART

• Next message: Craig Tompkins: "Re: HSRP - Default Gateway"
• Previous message: Karl Brenner: "RE: Problem with ACS"
• Maybe in reply to: CCDesire: "Problem with ACS"
• Next in thread: Luu Hoang Dung: "Re: Problem with ACS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I've got the following error message when reconfigure aaa authentication
17:33:43: TAC+: Opening TCP/IP to 192.168.1.200/49 timeout=5
17:33:43: TAC+: TCP/IP open to 192.168.1.200/49 failed -- Connection refused
by remote host

This is my config:
hostname SW2950
!
aaa new-model
aaa authentication login default group tacacs+ none
ip tacacs source-interface Vlan1
tacacs-server host 192.168.1.200 single-connection
tacacs-server key cisco

Configuration entry on Cisco Secure ACS server
SW2950 192.168.1.104 TACACS+ (Cisco IOS)
AAA Client IP Address: 192.168.1.104
Key: Cisco

By the way: how can I open the TCP port 49, it seems like ACS uses this port
to do the authentication for the router access.

On 4/12/07, Sean.Zimmerman@clubcorp.com <Sean.Zimmerman@clubcorp.com> wrote:
>
>
> Are you getting the message from your telnet client or when you try to
> telnet or on the router? If you're getting it from the router, I'd check
the
> failed attempts log on the ACS server. The router may be connecting with a
> different source IP address than the one you configured in ACS, which will
> cause the server to reset the connection.
>
>
> *"CCDesire" <lhd.ccdzi@gmail.com>*
> Sent by: nobody@groupstudy.com
>
> 04/10/2007 08:37 PM Please respond to
> "CCDesire" <lhd.ccdzi@gmail.com>
>
> To
> "'Cisco certification'" <ccielab@groupstudy.com> cc
>
> Subject
> Problem with ACS
>
>
>
>
>
>
> Dear group,
>
> I have the following error message every time I try to authenticate
> routers
> to the Tacacs+ Server in Cisco Secure ACS:
>
>  Connection is refused by remote host
>
>
>
> I tried different ways to fix this problem but still unsuccessful.
>
> Router-to-be-authenticated can ping Server, all firewall on server are
> closed (ACS with W2K server).
>
> The hostname, the IP and the shared-key for the router is correctly
> configured.
>
>
>
> This is what I configured about authentication:
>
> Aaa new-model
>
> Aaa authen login default group tacacs local
>
>
>
> Tacacs-server host 206.222.152.1 single
>
> Tacacs-server key ventu
>
>
>
>
>
> Pls help me troubleshoot this problem.
>
>
>
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/731 - Release Date: 3/23/2007
> 3:27 PM
>
>
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/731 - Release Date: 3/23/2007
> 3:27 PM
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Craig Tompkins: "Re: HSRP - Default Gateway"
• Previous message: Karl Brenner: "RE: Problem with ACS"
• Maybe in reply to: CCDesire: "Problem with ACS"
• Next in thread: Luu Hoang Dung: "Re: Problem with ACS"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART