From: Sean.Zimmerman@clubcorp.com
Date: Wed Apr 11 2007 - 16:36:12 ART
First of all, did you restart the ACS server after configuring the
"SW2950" entry? Restart it if you haven't.
Look in the failed attempts log on the ACS. You may see unknown host
messages.
The server will reset connection attempts from IP addresses that aren't
configured as TACACS clients. This gives the impression that it's not
listening on TCP 49.
"Luu Hoang Dung" <lhd.ccdzi@gmail.com>
04/11/2007 01:56 PM
To: "Sean.Zimmerman@clubcorp.com" <Sean.Zimmerman@clubcorp.com>
cc: "Cisco certification" <ccielab@groupstudy.com>, nobody@groupstudy.com
Subject: Re: Problem with ACS
I've got the following error message when I reconfigure aaa authentication:
17:33:43: TAC+: Opening TCP/IP to 192.168.1.200/49 timeout=5
17:33:43: TAC+: TCP/IP open to 192.168.1.200/49 failed -- Connection refused by remote host
This is my config:
hostname SW2950
!
aaa new-model
aaa authentication login default group tacacs+ none
ip tacacs source-interface Vlan1
tacacs-server host 192.168.1.200 single-connection
tacacs-server key cisco
Configuration entry on Cisco Secure ACS server
SW2950 192.168.1.104 TACACS+ (Cisco IOS)
AAA Client IP Address: 192.168.1.104
Key: Cisco
By the way, how can I open TCP port 49? It seems like ACS uses this
port to do the authentication for the router access.
On 4/12/07, Sean.Zimmerman@clubcorp.com <Sean.Zimmerman@clubcorp.com> wrote:
Are you getting the message from your telnet client or when you try to
telnet or on the router? If you're getting it from the router, I'd check
the failed attempts log on the ACS server. The router may be connecting
with a different source IP address than the one you configured in ACS,
which will cause the server to reset the connection.
"CCDesire" <lhd.ccdzi@gmail.com>
Sent by: nobody@groupstudy.com
04/10/2007 08:37 PM
Please respond to: "CCDesire" <lhd.ccdzi@gmail.com>
To: "'Cisco certification'" <ccielab@groupstudy.com>
cc:
Subject: Problem with ACS
Dear group,
I have the following error message every time I try to authenticate routers
to the Tacacs+ Server in Cisco Secure ACS:
Connection is refused by remote host
I tried different ways to fix this problem but was still unsuccessful.
The router to be authenticated can ping the server, and all firewalls on the
server are closed (ACS with W2K server).
The hostname, the IP and the shared key for the router are correctly
configured.
This is what I configured about authentication:
Aaa new-model
Aaa authen login default group tacacs local
Tacacs-server host 206.222.152.1 single
Tacacs-server key ventu
Pls help me troubleshoot this problem.
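
A check for the two conditions this thread turns on, as an added example that is not part of the original messages or of any Cisco tool: whether the address of the `ip tacacs source-interface` matches an AAA client entry (the case the reply above says ACS answers with a reset), and whether the shared key matches exactly, since TACACS+ keys are case-sensitive. The function names, the hand-typed ACS table and the Vlan1 address are assumptions made for the example.

```python
import re

def parse_ios(cfg):
    """Extract the TACACS+-relevant settings from an IOS config fragment."""
    out = {"source_if": None, "key": None, "if_ip": {}}
    current_if = None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            current_if = m.group(1)
        elif line == "!":
            current_if = None
        elif current_if and (m := re.match(r"ip address (\S+) \S+", line)):
            out["if_ip"][current_if] = m.group(1)
        elif m := re.match(r"ip tacacs source-interface (\S+)", line):
            out["source_if"] = m.group(1)
        elif m := re.match(r"tacacs-server key (\S+)", line):
            out["key"] = m.group(1)
    return out

def check(cfg, acs_clients):
    """Compare the switch's view with the ACS AAA-client table; return findings."""
    ios = parse_ios(cfg)
    src_ip = ios["if_ip"].get(ios["source_if"])
    if src_ip is None:
        return ["source address unknown: source-interface missing or unaddressed"]
    client = next((c for c in acs_clients if c["ip"] == src_ip), None)
    if client is None:
        return [f"{src_ip} is not an AAA client: ACS resets the TCP session"]
    if client["key"] != ios["key"]:  # exact comparison, so case counts
        return [f"key differs from ACS entry {client['name']}"]
    return []

# Constructed input: the thread's config lines plus an assumed Vlan1 address.
SWITCH = """\
interface Vlan1
 ip address {ip} 255.255.255.0
!
ip tacacs source-interface Vlan1
tacacs-server host 192.168.1.200 single-connection
tacacs-server key cisco
"""
ACS = [{"name": "SW2950", "ip": "192.168.1.104", "key": "Cisco"}]

if __name__ == "__main__":
    for ip in ("192.168.1.104", "192.168.1.105"):
        print(ip, check(SWITCH.format(ip=ip), ACS))
```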
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART