RE: Problem with ACS

From: Todd, Douglas M. (DTODD@PARTNERS.ORG)
Date: Wed Apr 11 2007 - 16:45:37 ART


I am assuming that 192.168.1.0 is a /24.

It seems from this that the acs server is blocking your request and that there
is not a problem on the router. A few ideas:

1) Remove the client ip address and leave it wide open. (Restart the service to
make sure that it has taken effect).
2) You should see under the tacacs key that you are authenticating via ?
(tacacs/radius etc). Make sure you have tacacs selected.
3) Turn on logging
4) Submit and restart

I would make sure your AAA servers are also setup correctly.

Once you do this you should be able to telnet to 192.168.1.200:49 and get a
connection. If you do not, then the problem is still with the acs setup.

I would also enable all logging to see if this will point us in a direction.

DMT
 

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Luu Hoang Dung
> Sent: Wednesday, April 11, 2007 2:57 PM
> To: Sean.Zimmerman@clubcorp.com
> Cc: Cisco certification; nobody@groupstudy.com
> Subject: Re: Problem with ACS
>
> I've got the following error message when reconfiguring aaa
> authentication:
> 17:33:43: TAC+: Opening TCP/IP to 192.168.1.200/49 timeout=5
> 17:33:43: TAC+: TCP/IP open to 192.168.1.200/49 failed --
> Connection refused by remote host
>
> This is my config:
> hostname SW2950
> !
> aaa new-model
> aaa authentication login default group tacacs+ none
> ip tacacs source-interface Vlan1
> tacacs-server host 192.168.1.200 single-connection
> tacacs-server key cisco
>
> Configuration entry on Cisco Secure ACS server
> SW2950 192.168.1.104 TACACS+ (Cisco IOS)
> AAA Client IP Address: 192.168.1.104
> Key: Cisco
>
> By the way: how can I open the TCP port 49, it seems like ACS
> uses this port to do the authentication for the router access.
>
> On 4/12/07, Sean.Zimmerman@clubcorp.com
> <Sean.Zimmerman@clubcorp.com> wrote:
> >
> > Are you getting the message from your telnet client or when you try to
> > telnet or on the router? If you're getting it from the router, I'd check
> > the failed attempts log on the ACS server. The router may be connecting
> > with a different source IP address than the one you configured in ACS,
> > which will cause the server to reset the connection.
> >
> > *"CCDesire" <lhd.ccdzi@gmail.com>*
> > Sent by: nobody@groupstudy.com
> > 04/10/2007 08:37 PM
> > Please respond to "CCDesire" <lhd.ccdzi@gmail.com>
> > To: "'Cisco certification'" <ccielab@groupstudy.com>
> > cc:
> > Subject: Problem with ACS
> >
> > Dear group,
> >
> > I have the following error message every time I try to authenticate
> > routers to the Tacacs+ Server in Cisco Secure ACS:
> >
> > Connection is refused by remote host
> >
> > I tried different ways to fix this problem but still unsuccessful.
> >
> > Router-to-be-authenticated can ping Server, all firewall on server are
> > closed (ACS with W2K server).
> >
> > The hostname, the IP and the shared-key for the router is correctly
> > configured.
> >
> >
> >
> > This is what I configured about authentication:
> >
> > aaa new-model
> > aaa authentication login default group tacacs+ local
> > tacacs-server host 206.222.152.1 single-connection
> > tacacs-server key ventu
> >
> > Pls help me troubleshoot this problem.
> >
> > --
> > Internal Virus Database is out-of-date.
> > Checked by AVG Free Edition.
> > Version: 7.5.446 / Virus Database: 268.18.17/731 - Release Date:
> > 3/23/2007
> > 3:27 PM
> >
> >
> >
> > ______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>

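The "telnet to 192.168.1.200:49" check suggested above, as an added example that is not part of the thread: a small Python probe that attempts the TCP connect the router makes and separates "refused" (an RST came back, so the host is up but nothing accepted the connection from this source) from "timeout" (no answer, so filtering or routing). The ACS address and port 49 are taken from the thread; the optional `source` argument is an assumption added so the probe can be run from the same address the router's `ip tacacs source-interface` would use.

```python
import socket
import sys


def probe_tcp(host, port=49, timeout=5.0, source=None):
    """TCP connect to host:port and classify the outcome the way the IOS
    'TAC+: TCP/IP open ... failed' debug line reports it.
    source: optional local IP to bind first, so the probe leaves from the
    same address the router would use (its ip tacacs source-interface)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        if source:
            s.bind((source, 0))
        s.connect((host, port))
        return "open"        # handshake completed: a TACACS+ daemon is listening
    except ConnectionRefusedError:
        return "refused"     # RST received: no listener, or the host rejected us
    except socket.timeout:
        return "timeout"     # no reply at all: filtered, wrong route, host down
    except OSError as exc:
        return f"error: {exc.strerror}"
    finally:
        s.close()


def selfcheck():
    """Exercise probe_tcp against a throwaway listener on loopback.
    Returns (result while listening, result after the listener is closed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    # ACS address from the thread; pass another host on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.200"
    print(f"{host}:49 -> {probe_tcp(host, 49)}")
```

A "refused" result from the router's own address while the same probe from an admin workstation returns "open" matches the source-IP mismatch described above, since ACS resets connections from addresses it has no AAA client entry for.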



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART