From: Mohamed, Majid (majid.mohamed@eds.com)
Date: Thu Apr 12 2007 - 14:07:24 ART
Also please check the vty settings... Password is not set or
access-group is assigned to block telnet, etc...
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
John Mistichelli
Sent: Thursday, April 12, 2007 11:05 AM
To: CCIE Lab Group
Subject: RE: Problem with ACS
Can you do a "show tacacs" command and send us the output?
John
7536
--- CCDesire <lhd.ccdzi@gmail.com> wrote:
> I am 100% sure about the connectivity between the router and the ACS
> server.
> It's up and running well.
>
> -----Original Message-----
> From: Todd, Douglas M. [mailto:DTODD@PARTNERS.ORG]
> Sent: Thursday, April 12, 2007 2:29 AM
> To: Luu Hoang Dung; Karl Brenner
> Cc: ccielab@groupstudy.com
> Subject: RE: Problem with ACS
>
> Ok -
>
> I don't remember if this is happening on all routers or just this one.
> I also assume that this device is production so debugging is out of
> the question. Can you run a network trace on the acs server and see
> what you see?
>
> DMT
>
>
> ________________________________
>
> From: Luu Hoang Dung [mailto:lhd.ccdzi@gmail.com]
> Sent: Wednesday, April 11, 2007 3:26 PM
> To: Karl Brenner
> Cc: Todd, Douglas M.; ccielab@groupstudy.com
> Subject: Re: Problem with ACS
>
>
> This is what I got when doing the show tacacs:
>
> SW2950#sh tacacs
>
> Server: 192.168.1.200/49: opens=0 closes=0 aborts=0 errors=2
> packets in=0 packets out=0 timeout=0 connection_fails=0
> expected replies=0
> no connection
>
>
>
> On 4/12/07, Karl Brenner <karl.brenner@morenet.biz> wrote:
>
> Have you looked into the 'Reports' -> 'Failed Authentications' (might
> not be exactly these names)? You should see all denied authentication
> attempts and the reason for the denial there. You also need to set the
> router up in the network groups as others have suggested.
>
> If you do a 'sh tacacs' on the router you should see if a tcp session
> to the server exists.
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Todd, Douglas M.
> Sent: 11 April 2007 18:32
> To: Luu Hoang Dung; ccielab@groupstudy.com
> Subject: RE: Problem with ACS
>
> Just wondering:
>
> Your acs logs should not be blank unless you are not logging anything.
> You might want to turn them on. If they are blank then it's like the
> service is not listening to requests or getting the request. Under
> reports and activities what does the appliance status page state for
> the basic configuration (tcp/udp ports open). Are the ports open?
>
> Are you filtering any ip addresses in the acs client setup?
>
> DMT
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Luu Hoang Dung
> > Sent: Wednesday, April 11, 2007 1:10 PM
> > To: ccielab@groupstudy.com
> > Subject: RE: Problem with ACS
> >
> > I tried to use the *ip tacacs source-interface ethernet0/0*
> >
> > The result still is "authentication failed"
> >
> >
> > ------------------------------
> >
> > *From:* Greg Wendel [mailto:gwendel@gmail.com]
> > *Sent:* Wednesday, April 11, 2007 10:13 AM
> > *To:* Marvin Greenlee
> > *Cc:* CCDesire; Cisco certification
> > *Subject:* Re: Problem with ACS
> >
> >
> >
> > I would guess your problem is that you are missing the ip
> > tacacs source-interface command
> >
> > On 4/10/07, *Marvin Greenlee* <marvin@ipexpert.com> wrote:
> >
> > Are there other devices in the data path between your router
> > and the ACS server?
> >
> > Do you get the same response (connection is refused) if you
> > telnet from the router to the ACS server on TCP port 49?
> >
> > Are you getting this message when you try an authentication
> > from the router locally (using the 'test aaa' command)?
> >
> > Do you only get the 'connection refused' when trying to
> > connect to the router from somewhere else? If only when
> > trying to connect to the router from somewhere else, is there
> > any configured access-class/ACL blocking traffic to the router?
> >
> > Are you able to authenticate to the ACS server from the
> > router using RADIUS?
> >
> > Marvin Greenlee, CCIE #12237 (R&S, SP, Sec) Senior Technical
> > Instructor - IPexpert, Inc.
> > "When Will You Be an IP Expert?"
> > marvin@ipexpert.com
> > http://www.IPexpert.com
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of CCDesire
> > Sent: Tuesday, April 10, 2007 9:37 PM
> > To: 'Cisco certification'
> > Subject: Problem with ACS
> >
> > Dear group,
> >
> > I have the following error message every time I try to
> > authenticate routers to the Tacacs+ Server in Cisco Secure ACS:
> >
> > Connection is refused by remote host
> >
> > I tried different ways to fix this problem but still unsuccessful.
> >
> > Router-to-be-authenticated can ping Server, all firewall on
> > server are closed (ACS with W2K server).
> >
> > The hostname, the IP and the shared-key for the router is
> > correctly configured.
> >
> >
> >
> > This is what I configured about authentication:
> >
> > Aaa new-model
> >
> > Aaa authen login default group tacacs local
> >
> >
> >
> > Tacacs-server host 206.222.152.1 single
> >
> > Tacacs-server key ventu
> >
> >
> >
> >
> >
> > Pls help me troubleshoot this problem.
> >
> >
> >
> >
> > --
> > Internal Virus Database is out-of-date.
> > Checked by AVG Free Edition.
> > Version: 7.5.446 / Virus Database: 268.18.17/731
> - Release
> > Date: 3/23/2007
> > 3:27 PM
> >
> >
> >
>
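
Added example, not part of the original thread: a small Python parser for the 'sh tacacs' output quoted above, tolerant of e-mail quote markers and wrapped lines, that separates "no TCP session was ever opened" from an authentication failure. The function names, the diagnosis labels and the reading of the counters are assumptions made for this example, not Cisco documentation.

```python
import re

# Constructed sample: modelled on the 'sh tacacs' output quoted in the thread,
# with e-mail quote markers and wrapped lines left in on purpose.
SAMPLE = """\
> Server: 192.168.1.200/49: opens=0 closes=0 aborts=0
> errors=2
> packets in=0 packets out=0 timeout=0 connection_fails=0
> expected replies=0
> no connection
"""

HEADER = re.compile(r"Server:\s*(\S+?)/(\d+):")
COUNTER = re.compile(r"([a-z_]+(?: [a-z_]+)?)=(\d+)")


def parse_show_tacacs(text):
    """Return one dict per 'Server:' stanza: address, port, counters, state."""
    servers = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw)  # drop quote markers and indentation
        m = HEADER.search(line)
        if m:
            servers.append({"server": m.group(1), "port": int(m.group(2)),
                            "no_connection": False})
        if not servers:
            continue  # text before the first stanza
        for key, value in COUNTER.findall(line):
            servers[-1][key] = int(value)
        if line.strip() == "no connection":
            servers[-1]["no_connection"] = True
    return servers


def diagnose(s):
    """Heuristic reading of the counters (an assumption of this example)."""
    if s.get("opens", 0) == 0 and s.get("packets out", 0) == 0:
        # No TCP session was opened, so no credentials or key were ever sent:
        # check TCP/49 reachability, source interface and the server listener.
        return "no-tcp-session"
    if s.get("packets out", 0) > s.get("packets in", 0):
        return "requests-unanswered"
    return "tcp-exchange-ok"


if __name__ == "__main__":
    for s in parse_show_tacacs(SAMPLE):
        print(s["server"], s["port"], diagnose(s))
```
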
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART