RE: Problem with ACS

From: Todd, Douglas M. (DTODD@PARTNERS.ORG)
Date: Wed Apr 11 2007 - 16:28:48 ART


Ok -

I don't remember if this is happening on all routers or just this one. I also
assume that this device is production so debugging is out of the question. Can
you run a network trace on the acs server and see what you see?

DMT

________________________________

        From: Luu Hoang Dung [mailto:lhd.ccdzi@gmail.com]
        Sent: Wednesday, April 11, 2007 3:26 PM
        To: Karl Brenner
        Cc: Todd, Douglas M.; ccielab@groupstudy.com
        Subject: Re: Problem with ACS
        
        
        This is what I got when doing the show tacacs:
        
        SW2950#sh tacacs
        
        Server: 192.168.1.200/49: opens=0 closes=0 aborts=0 errors=2
                packets in=0 packets out=0 timeout=0 connection_fails=0 expected replies=0
                no connection
        
        
        
        On 4/12/07, Karl Brenner <karl.brenner@morenet.biz> wrote:

                Have you looked into the 'Reports' -> 'Failed Authentications'
                (might not be exactly these names). You should see all denied
                authentication attempts and the reason for the denial there. You
                also need to set the router up in the network groups as others
                have suggested.
                
                If you do a 'sh tacacs' on the router you should see if a tcp
                session to the server exists.
                -----Original Message-----
                From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
                Todd, Douglas M.
                Sent: 11 April 2007 18:32
                To: Luu Hoang Dung; ccielab@groupstudy.com
                Subject: RE: Problem with ACS
                
                Just wondering:
                
                Your acs logs should not be blank unless you are not logging
                anything. You might want to turn them on. If they are blank then
                it's like the service is not listening to requests or getting the
                request. Under reports and activities, what does the appliance
                status page state for the basic configuration (tcp/udp ports
                open)? Are the ports open?
                
                Are you filtering any ip addresses in the acs client setup?
                
                DMT
                
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Luu Hoang Dung
> Sent: Wednesday, April 11, 2007 1:10 PM
> To: ccielab@groupstudy.com
> Subject: RE: Problem with ACS
>
> I tried to use the *ip tacacs source-interface ethernet0/0 *
>
> The result still is "authentication failed"
>
>
> ------------------------------
>
> *From:* Greg Wendel [mailto:gwendel@gmail.com]
> *Sent:* Wednesday, April 11, 2007 10:13 AM
> *To:* Marvin Greenlee
> *Cc:* CCDesire; Cisco certification
> *Subject:* Re: Problem with ACS
>
>
>
> I would guess your problem is that you are missing the ip
> tacacs source-interface command
>
> On 4/10/07, *Marvin Greenlee* < marvin@ipexpert.com> wrote:
>
> Are there other devices in the data path between your router
> and the ACS server?
>
> Do you get the same response (connection is refused) if you
> telnet from the router to the ACS server on TCP port 49 ?
>
> Are you getting this message when you try an authentication
> from the router locally (using the 'test aaa' command)?
>
> Do you only get the 'connection refused' when trying to
> connect to the router from somewhere else? If only when
> trying to connect to the router from somewhere else, is there
> any configured access-class/ACL blocking traffic to the
> router?
>
> Are you able to authenticate to the ACS server from the
> router using RADIUS?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec) Senior Technical
> Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com <http://www.ipexpert.com/>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of CCDesire
> Sent: Tuesday, April 10, 2007 9:37 PM
> To: 'Cisco certification'
> Subject: Problem with ACS
>
> Dear group,
>
> I have the following error message every time I try to
> authenticate routers to the Tacacs+ Server in Cisco Secure
> ACS:
>
>  Connection is refused by remote host
>
>
>
> I tried different ways to fix this problem but still
> unsuccessful.
>
> Router-to-be-authenticated can ping the server; all firewalls on the
> server are closed (ACS with W2K server).
>
> The hostname, the IP and the shared key for the router are
> correctly configured.
>
>
>
> This is what I configured about authentication:
>
> aaa new-model
>
> aaa authen login default group tacacs local
>
>
>
> tacacs-server host 206.222.152.1 single
>
> tacacs-server key ventu
>
>
>
>
>
> Pls help me troubleshoot this problem.
>
>
>
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/731 - Release
> Date: 3/23/2007
> 3:27 PM
>
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
> --
> Gregory Wendel
> Springfield VA, 22153
>
>
>
                
                
                
                
                
                The information transmitted in this electronic communication is
                intended only for the person or entity to whom it is addressed
                and may contain confidential and/or privileged material. Any
                review, retransmission, dissemination or other use of or taking
                of any action in reliance upon this information by persons or
                entities other than the intended recipient is prohibited. If you
                received this information in error, please contact the
                Compliance HelpLine at 800-856-1983 and properly dispose of this
                information.
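The counter block the switch printed above (opens=0, errors=2, packets out=0, "no connection") and the checks the participants proposed (telnet from the router to TCP port 49, the ACS port status page, the failed-authentications report, the AAA client / network group entry, and `ip tacacs source-interface`) can be combined into a small triage helper. The Python below is an added example, not code from the thread, from Cisco or from ACS. It parses only the old-style `show tacacs` line format quoted in the thread; the function names `parse_show_tacacs` and `triage`, the verdict labels, and the sample addresses 10.0.0.1, 192.168.1.1 and 192.0.2.10 are assumptions made for the example.

```python
"""Triage a Cisco IOS `show tacacs` server block against the checks raised in
this thread.

Added example, not code from the thread, from Cisco, or from ACS.  The counter
names and the "no connection" line follow the SW2950 output quoted above; the
function names, verdict labels and sample addresses below are assumptions.
"""
import re
from typing import Optional

# One "name=value" pair per counter.  Names may contain a space ("packets in",
# "expected replies"), so the name group extends lazily until an "=" follows.
COUNTER_RE = re.compile(r"([a-z_]+(?: [a-z_]+)*?)=(\d+)")
SERVER_RE = re.compile(r"Server:\s*([\d.]+)/(\d+):")

# Quoted from the thread (the mail-wrapped "expected / replies=0" is kept on
# purpose to show that the parser undoes the wrapping).
THREAD_OUTPUT = """SW2950#sh tacacs

Server: 192.168.1.200/49: opens=0 closes=0 aborts=0 errors=2
        packets in=0 packets out=0 timeout=0 connection_fails=0 expected
replies=0
        no connection
"""

# Constructed sample of a working server (RFC 5737 documentation address).
HEALTHY_OUTPUT = """Server: 192.0.2.10/49: opens=3 closes=3 aborts=0 errors=0
        packets in=6 packets out=6 timeout=0 connection_fails=0 expected replies=0
"""


def parse_show_tacacs(text: str) -> dict:
    """Parse the first server block of old-style `show tacacs` output."""
    flat = " ".join(text.split())        # undo mail/terminal line wrapping
    m = SERVER_RE.search(flat)
    if m is None:
        raise ValueError("no 'Server: a.b.c.d/port:' line found")
    counters = {name.replace(" ", "_"): int(value)
                for name, value in COUNTER_RE.findall(flat[m.end():])}
    return {
        "server": m.group(1),
        "port": int(m.group(2)),
        "counters": counters,
        # The router prints "no connection" when it holds no TCP session.
        "connected": "no connection" not in flat,
    }


def triage(show_tacacs: str, source_ip: Optional[str] = None,
           aaa_clients: Optional[set] = None) -> dict:
    """Classify the counters and list the checks the thread proposed.

    source_ip is the router's address as the server sees it and aaa_clients
    the AAA client addresses configured on ACS; both are optional.
    """
    info = parse_show_tacacs(show_tacacs)
    c = info["counters"]
    checks = []
    if not info["connected"] and c.get("opens", 0) == 0:
        # Never got a TCP session: the "connection refused" case in the thread.
        verdict = "transport"
        checks.append(
            "no TCP session was ever opened to %s:%d; confirm the TACACS+ "
            "service is listening and host/path firewalls allow the port "
            "(telnet from the router to the server on TCP port 49)"
            % (info["server"], info["port"]))
        if c.get("packets_out", 0) == 0:
            checks.append("packets out=0: no request left the router, so the "
                          "failure is before any authentication exchange")
    elif c.get("errors", 0) or c.get("timeout", 0) or c.get("connection_fails", 0):
        # Sessions do open, so the denial reason is in the ACS reports.
        verdict = "session"
        checks.append("TCP sessions open but errors/timeouts are counted; read "
                      "the denial reason in the ACS failed-attempts report")
    else:
        verdict = "healthy"
    if (source_ip is not None and aaa_clients is not None
            and source_ip not in aaa_clients):
        checks.append(
            "source address %s is not a configured AAA client on ACS; add it "
            "or pin the source with 'ip tacacs source-interface <intf>'"
            % source_ip)
    info["verdict"] = verdict
    info["checks"] = checks
    return info


if __name__ == "__main__":
    # Constructed values: router egress 10.0.0.1, ACS only knows 192.168.1.1.
    result = triage(THREAD_OUTPUT, source_ip="10.0.0.1",
                    aaa_clients={"192.168.1.1"})
    print(result["verdict"], result["counters"])
    for check in result["checks"]:
        print(" -", check)
```

Feeding it the switch output from the thread yields the "transport" verdict: nothing was ever sent (packets out=0) and no session exists, so the ACS reports will stay empty until the router can reach TCP/49 from an address ACS accepts as an AAA client.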
                
                
        



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART