RE: Problem with ACS
From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Wed Apr 11 2007 - 16:42:31 ART
Hi,
Can't you connect through console and do a debug tacacs, on a router
that is not heavily utilized?
If you happen to be experiencing timeout on tacacs auth, try to restart
CSTacacs on the ACS.
If you go to services.msc (you said it was a windows box), what is the
status of CSTacacs?
Is this happening only to one router, or to all of your infrastructure?
Also check under system configuration-logging, that you are in fact
logging failed attempts.
Re-check your windows firewall status or any other firewall you may have
installed (like CVPN Client)
HTH
Gustavo Novais
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Karl Brenner
Sent: quarta-feira, 11 de Abril de 2007 19:50
To: 'Todd, Douglas M.'; 'Luu Hoang Dung'; ccielab@groupstudy.com
Subject: RE: Problem with ACS
Have you looked into the 'Reports' -> 'Failed Authentications' (might
not be
exactly these names). You should see all denied authentication attempts
and
the reason for the denial there. You also need to set the router up in
the
network groups as others have suggested.
If you do a 'sh tacacs' on the router you should see if a tcp session to
the
server exists.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Todd, Douglas M.
Sent: 11 April 2007 18:32
To: Luu Hoang Dung; ccielab@groupstudy.com
Subject: RE: Problem with ACS
Just wondering:
Your acs logs should not be blank Unless you are not logging anything.
You
might
want to turn them on. If they are blank then it's like the service is
not
listening to requests or getting the request. Under reports and
activities
what
does the appliance status page state for the basic configuration
(tcp/udp
ports
open). Are the ports open?
Are you filtering any ip addresses in the acs client setup?
DMT
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Luu Hoang Dung
> Sent: Wednesday, April 11, 2007 1:10 PM
> To: ccielab@groupstudy.com
> Subject: RE: Problem with ACS
>
> I tried to use the *ip tacacs source-interface ethernet0/0 *
>
> The result still is "authentication failed"
>
>
> ------------------------------
>
> *From:* Greg Wendel [mailto:gwendel@gmail.com]
> *Sent:* Wednesday, April 11, 2007 10:13 AM
> *To:* Marvin Greenlee
> *Cc:* CCDesire; Cisco certification
> *Subject:* Re: Problem with ACS
>
>
>
> I would guess your problem is that you are missing the ip
> tacacs source-interface command
>
> On 4/10/07, *Marvin Greenlee* < marvin@ipexpert.com> wrote:
>
> Are there other devices in the data path between your router
> and the ACS server?
>
> Do you get the same response (connection is refused) if you
> telnet from the router to the ACS server on TCP port 49 ?
>
> Are you getting this message when you try an authentication
> from the router locally (using the 'test aaa' command)?
>
> Do you only get the 'connection refused' when trying to
> connect to the router from somewhere else? If only when
> trying to connect to the router from somewhere else, is there
> any configured access-class/ACL blocking traffic to the router?
>
> Are you able to authenticate to the ACS server from the
> router using RADIUS?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec) Senior Technical
> Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com <http://www.ipexpert.com/>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of CCDesire
> Sent: Tuesday, April 10, 2007 9:37 PM
> To: 'Cisco certification'
> Subject: Problem with ACS
>
> Dear group,
>
> I have the following error message every time I try to
> authenticate routers to the Tacacs+ Server in Cisco Secure ACS:
>
> � Connection is refused by remote host�
>
>
>
> I tried different ways to fix this problem but still unsuccessful.
>
> Router-to-be-authenticated can ping Server, all firewall on
> server are closed (ACS with W2K server).
>
> The hostname, the IP and the shared-key for the router is
> correctly configured.
>
>
>
> This is what I configured about authentication:
>
> Aaa new-model
>
> Aaa authen login default group tacacs local
>
>
>
> Tacacs-server host 206.222.152.1 single
>
> Tacacs-server key ventu
>
>
>
>
>
> Pls help me troubleshoot this problem.
>
>
>
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/731 - Release
> Date: 3/23/2007
> 3:27 PM
>
>
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/731 - Release
> Date: 3/23/2007
> 3:27 PM
>
> ______________________________________________________________
> _________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> ______________________________________________________________
> _________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
> --
> Gregory Wendel
> Springfield VA, 22153
>
> --
> Internal Virus Database is out-of-date.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.17/731 - Release
> Date: 3/23/2007
> 3:27 PM
>
> ______________________________________________________________
> _________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
The information transmitted in this electronic communication is intended
only for the person or entity to whom it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of or taking of any action in reliance upon
this
information by persons or entities other than the intended recipient is
prohibited. If you received this information in error, please contact
the
Compliance HelpLine at 800-856-1983 and properly dispose of this
information.
This archive was generated by hypermail 2.1.4
: Tue May 01 2007 - 08:28:35 ART