From: Luu Hoang Dung (lhd.ccdzi@gmail.com)
Date: Wed Apr 11 2007 - 16:26:01 ART
This is what I got when doing the show tacacs:
SW2950#sh tacacs
Server: 192.168.1.200/49: opens=0 closes=0 aborts=0 errors=2
packets in=0 packets out=0 timeout=0 connection_fails=0 expected replies=0
no connection
On 4/12/07, Karl Brenner <karl.brenner@morenet.biz> wrote:
>
> Have you looked into the 'Reports' -> 'Failed Authentications' (might not be
> exactly these names)? You should see all denied authentication attempts and
> the reason for the denial there. You also need to set the router up in the
> network groups as others have suggested.
>
> If you do a 'sh tacacs' on the router you should see if a tcp session to the
> server exists.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Todd, Douglas M.
> Sent: 11 April 2007 18:32
> To: Luu Hoang Dung; ccielab@groupstudy.com
> Subject: RE: Problem with ACS
>
> Just wondering:
>
> Your ACS logs should not be blank unless you are not logging anything. You
> might want to turn them on. If they are blank then it's like the service is
> not listening to requests or getting the request. Under reports and
> activities, what does the appliance status page state for the basic
> configuration (tcp/udp ports open)? Are the ports open?
>
> Are you filtering any ip addresses in the acs client setup?
>
> DMT
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Luu Hoang Dung
> > Sent: Wednesday, April 11, 2007 1:10 PM
> > To: ccielab@groupstudy.com
> > Subject: RE: Problem with ACS
> >
> > I tried to use the *ip tacacs source-interface ethernet0/0 *
> >
> > The result still is "authentication failed"
> >
> >
> > ------------------------------
> >
> > *From:* Greg Wendel [mailto:gwendel@gmail.com]
> > *Sent:* Wednesday, April 11, 2007 10:13 AM
> > *To:* Marvin Greenlee
> > *Cc:* CCDesire; Cisco certification
> > *Subject:* Re: Problem with ACS
> >
> >
> >
> > I would guess your problem is that you are missing the ip
> > tacacs source-interface command
> >
> > On 4/10/07, *Marvin Greenlee* < marvin@ipexpert.com> wrote:
> >
> > Are there other devices in the data path between your router
> > and the ACS server?
> >
> > Do you get the same response (connection is refused) if you
> > telnet from the router to the ACS server on TCP port 49 ?
> >
> > Are you getting this message when you try an authentication
> > from the router locally (using the 'test aaa' command)?
> >
> > Do you only get the 'connection refused' when trying to
> > connect to the router from somewhere else? If only when
> > trying to connect to the router from somewhere else, is there
> > any configured access-class/ACL blocking traffic to the router?
> >
> > Are you able to authenticate to the ACS server from the
> > router using RADIUS?
> >
> > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec) Senior Technical
> > Instructor - IPexpert, Inc.
> > "When Will You Be an IP Expert?"
> > marvin@ipexpert.com
> > http://www.IPexpert.com <http://www.ipexpert.com/>
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of CCDesire
> > Sent: Tuesday, April 10, 2007 9:37 PM
> > To: 'Cisco certification'
> > Subject: Problem with ACS
> >
> > Dear group,
> >
> > I have the following error message every time I try to
> > authenticate routers to the Tacacs+ Server in Cisco Secure ACS:
> >
> > Connection is refused by remote host
> >
> >
> >
> > I tried different ways to fix this problem but still unsuccessful.
> >
> > Router-to-be-authenticated can ping Server, all firewall on
> > server are closed (ACS with W2K server).
> >
> > The hostname, the IP and the shared-key for the router is
> > correctly configured.
> >
> >
> >
> > This is what I configured about authentication:
> >
> > Aaa new-model
> >
> > Aaa authen login default group tacacs local
> >
> >
> >
> > Tacacs-server host 206.222.152.1 single
> >
> > Tacacs-server key ventu
> >
> >
> >
> >
> >
> > Pls help me troubleshoot this problem.
> >
> >
> >
> >
> > --
> > Internal Virus Database is out-of-date.
> > Checked by AVG Free Edition.
> > Version: 7.5.446 / Virus Database: 268.18.17/731 - Release
> > Date: 3/23/2007
> > 3:27 PM
> >
> >
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> > --
> > Gregory Wendel
> > Springfield VA, 22153
> >
> >
>
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART
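
Added example (not part of the original thread and not a Cisco tool): a small Python parser for the `sh tacacs` output quoted at the top of this message, turning its counters into a first-pass diagnosis. The labels returned by `diagnose` and the reading of the counters behind them are assumptions made for illustration.

```python
import re

# 'sh tacacs' output as quoted at the top of this thread (terminal line wrap kept).
SAMPLE = """\
Server: 192.168.1.200/49: opens=0 closes=0 aborts=0 errors=2
packets in=0 packets out=0 timeout=0 connection_fails=0 expected
replies=0
no connection
"""

COUNTER = re.compile(r"([A-Za-z_]+(?: [A-Za-z_]+)?)=(\d+)")

def parse_show_tacacs(text):
    """Return one dict per 'Server:' stanza with its counters as integers."""
    servers = []
    for stanza in re.split(r"(?m)^\s*(?=Server:)", text):
        flat = " ".join(stanza.split())          # undo terminal line wrapping
        head = re.match(r"Server: (\S+?)/(\d+):", flat)
        if not head:
            continue
        entry = {"host": head.group(1), "port": int(head.group(2)),
                 # Assumption: a stanza without the literal 'no connection' has a session.
                 "connected": "no connection" not in flat.lower()}
        for key, val in COUNTER.findall(flat):
            entry[key.replace(" ", "_")] = int(val)
        servers.append(entry)
    return servers

def diagnose(entry):
    """Heuristic label (assumed reading of the counters, not Cisco's wording)."""
    if entry["connected"]:
        return "session-up"
    if entry.get("opens", 0) == 0 and entry.get("packets_in", 0) == 0:
        if entry.get("errors", 0) or entry.get("connection_fails", 0):
            # No TCP session was ever opened: the key and credentials were never
            # tested. Check path/ACLs, the port-49 listener, and the source address.
            return "tcp-never-established"
        return "no-attempts-yet"
    if entry.get("timeout", 0):
        return "server-not-replying"
    return "session-closed"

if __name__ == "__main__":
    for srv in parse_show_tacacs(SAMPLE):
        print(srv["host"], srv["port"], diagnose(srv))
```
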