From: CCDesire (lhd.ccdzi@gmail.com)
Date: Fri Apr 13 2007 - 04:54:42 ART
When I did netstat -an | more, I got the following result:
Protocol Local Address Foreign Address Status
TCP 0.0.0.0:49 0.0.0.0:0 LISTENING
I couldn't telnet to port 49 of the server from a remote PC, but I can telnet
from the server to its local port 49 (telnet localhost 49).
I think that is the problem; how can I turn on port 49 for the server?
-----Original Message-----
From: Todd, Douglas M. [mailto:DTODD@PARTNERS.ORG]
Sent: Thursday, April 12, 2007 9:22 PM
To: CCDesire; Gustavo Novais; Karl Brenner; ccielab@groupstudy.com
Subject: RE: Problem with ACS
ZoneAlarm?
Ugh! Ok - can you do this on the box...
cmd:
telnet localhost 49
(see if you get a connection)
if refused:
telnet <server ip> 49
(see if you get a connection)
It is very possible that ZoneAlarm, even shut down, is causing your problems.
Can you dump out a netstat -an after you have done these connections and see
what you find. If you have admin privs on this box and you can install other
software, you might want to install a sniffer on the box and see if it's
getting and rejecting the traffic.
I would try installing this on a test box without any firewalls (Microsoft or
other) and see if you can connect to port 49. Even a basic windoze box.
Douglas
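The check Douglas describes (telnet localhost 49, then telnet <server ip> 49, then netstat -an) and the netstat line CCDesire reported, turned into a small script. This is an added example, not code from anyone in the thread: it parses Windows netstat -an output (the sample below is constructed around the one port-49 row from the thread; the other rows are made up) to find how the TACACS+ port is bound, then combines that with the two telnet outcomes into the next thing to check.

```python
import re

# Constructed sample of Windows `netstat -an` output; the port-49 row is the one
# reported in the thread, the other rows are made up for illustration.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2002         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:51234     ESTABLISHED
  UDP    0.0.0.0:1645           *:*
"""

# One netstat row: proto, local addr:port, foreign addr, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")

def listener_scope(netstat_text, port, proto="TCP"):
    """How `port` is bound: 'all' (0.0.0.0), 'loopback', a specific address, or None."""
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        p, addr, lport, _foreign, state = m.groups()
        if p != proto or int(lport) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # an ESTABLISHED row on that port is not a listener
        if addr == "0.0.0.0":
            return "all"
        if addr.startswith("127."):
            return "loopback"
        return addr
    return None

def diagnose(scope, local_ok, remote_ok):
    """Combine the bind scope with the two telnet results into the next thing to check."""
    if scope is None:
        return "not listening: check that CSTacacs is running (services.msc)"
    if remote_ok:
        return "port reachable: check shared key, AAA client entry and the failed-attempts log"
    if scope == "loopback":
        return "bound to loopback only: remote clients can never reach it"
    if local_ok:
        return "listening on all interfaces but refused remotely: host firewall (ZoneAlarm) or filtering in the path"
    return "refused locally too: service bound but not accepting; restart CSTacacs"
```

For the thread's situation, listener_scope(SAMPLE_NETSTAT, 49) returns "all" and diagnose("all", True, False) points at the host firewall, which is the conclusion Douglas reached.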
-----Original Message-----
From: CCDesire [mailto:lhd.ccdzi@gmail.com]
Sent: Thursday, April 12, 2007 10:19 AM
To: 'Gustavo Novais'; 'Karl Brenner'; Todd, Douglas M.;
ccielab@groupstudy.com
Subject: RE: Problem with ACS
Hi,
Status of CSTacacs was: started, automatic. This happened to all
devices-to-be-authenticated. There is no log in the failed attempts. The server
is installed with ZoneAlarm firewall, but I shut it down when configuring.
-----Original Message-----
From: Gustavo Novais [mailto:gustavo.novais@novabase.pt]
Sent: Thursday, April 12, 2007 2:43 AM
To: Karl Brenner; Todd, Douglas M.; Luu Hoang Dung; ccielab@groupstudy.com
Subject: RE: Problem with ACS
Hi,
Can't you connect through console and do a debug tacacs, on a router that is
not heavily utilized?
If you happen to be experiencing timeout on tacacs auth, try to restart
CSTacacs on the ACS.
If you go to services.msc (you said it was a windows box), what is the status
of CSTacacs?
Is this happening only to one router, or to all of your infrastructure?
Also check under System Configuration -> Logging that you are in fact logging
failed attempts.
Re-check your windows firewall status or any other firewall you may have
installed (like CVPN Client).
HTH
Gustavo Novais
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Karl Brenner
Sent: Wednesday, 11 April 2007 19:50
To: 'Todd, Douglas M.'; 'Luu Hoang Dung'; ccielab@groupstudy.com
Subject: RE: Problem with ACS
Have you looked into 'Reports' -> 'Failed Authentications' (might not be
exactly these names)? You should see all denied authentication attempts and
the reason for the denial there. You also need to set the router up in the
network groups as others have suggested.
If you do a 'sh tacacs' on the router you should see if a tcp session to the
server exists.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Todd, Douglas M.
Sent: 11 April 2007 18:32
To: Luu Hoang Dung; ccielab@groupstudy.com
Subject: RE: Problem with ACS
Just wondering:
Your ACS logs should not be blank unless you are not logging anything. You
might want to turn them on. If they are blank then it's like the service is not
listening to requests or getting the request. Under Reports and Activity, what
does the appliance status page state for the basic configuration (tcp/udp
ports open)? Are the ports open?
Are you filtering any ip addresses in the acs client setup?
DMT
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Luu Hoang Dung
> Sent: Wednesday, April 11, 2007 1:10 PM
> To: ccielab@groupstudy.com
> Subject: RE: Problem with ACS
>
> I tried to use the ip tacacs source-interface ethernet0/0 command.
>
> The result still is "authentication failed"
>
>
> ------------------------------
>
> From: Greg Wendel [mailto:gwendel@gmail.com]
> Sent: Wednesday, April 11, 2007 10:13 AM
> To: Marvin Greenlee
> Cc: CCDesire; Cisco certification
> Subject: Re: Problem with ACS
>
>
>
> I would guess your problem is that you are missing the ip tacacs
> source-interface command
>
> On 4/10/07, Marvin Greenlee <marvin@ipexpert.com> wrote:
>
> Are there other devices in the data path between your router and the
> ACS server?
>
> Do you get the same response (connection is refused) if you telnet
> from the router to the ACS server on TCP port 49 ?
>
> Are you getting this message when you try an authentication from the
> router locally (using the 'test aaa' command)?
>
> Do you only get the 'connection refused' when trying to connect to the
> router from somewhere else? If only when trying to connect to the
> router from somewhere else, is there any configured access-class/ACL
> blocking traffic to the router?
>
> Are you able to authenticate to the ACS server from the router using
> RADIUS?
>
> Marvin Greenlee, CCIE #12237 (R&S, SP, Sec) Senior Technical
> Instructor - IPexpert, Inc.
> "When Will You Be an IP Expert?"
> marvin@ipexpert.com
> http://www.IPexpert.com
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of CCDesire
> Sent: Tuesday, April 10, 2007 9:37 PM
> To: 'Cisco certification'
> Subject: Problem with ACS
>
> Dear group,
>
> I have the following error message every time I try to authenticate
> routers to the Tacacs+ Server in Cisco Secure ACS:
>
> Connection is refused by remote host
>
>
>
> I tried different ways to fix this problem but was still unsuccessful.
>
> The router-to-be-authenticated can ping the server; all firewalls on the
> server are closed (ACS with W2K server).
>
> The hostname, the IP and the shared key for the router are correctly
> configured.
>
>
>
> This is what I configured about authentication:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> tacacs-server host 206.222.152.1 single-connection
> tacacs-server key ventu
>
> Pls help me troubleshoot this problem.
>
>
> ______________________________________________________________
> _________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Gregory Wendel
> Springfield VA, 22153
>
>
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART