RE: AAA authentication

From: Tim (ccie2be@nyc.rr.com)
Date: Fri Jun 20 2008 - 11:50:42 ART


PS: I tried stopping and then restarting ACS from within ACS itself.

Then, I did netstat -na again to see if that fixed the problem.

Unfortunately, the Tacacs+ port was still being listened to at address
0.0.0.0, not 10.0.0.100.

BTW, I don't think this should make a difference but this box has 2 NICs,
one which is used for RDP access from anywhere and another which is used in
the practice lab.

Thanks, Tim

-----Original Message-----
From: Luca Hall [mailto:lhall@setnine.com]
Sent: Friday, June 20, 2008 9:55 AM
To: Tim
Cc: 'Cisco certification'; security@groupstudy.com
Subject: Re: AAA authentication

just because the aaa box is up doesn't mean radius/tacacs is running on it,
which is what it's telling you with the debug message:
"AAA authentication server not accessible"
I'd make sure aaa is running and you have the ports correct on the server and
the router (old 1812 vs new 1645). netstat -na on your aaa box, then nmap the
ports radius/tacacs is running on to make sure you can access it.

----- Original Message -----
From: Tim <ccie2be@nyc.rr.com>
To: 'Cisco certification' <ccielab@groupstudy.com>, security@groupstudy.com
Sent: Fri, 20 Jun 2008 09:33:12 -0400 (EDT)
Subject: AAA authentication

Hey guys,
 
This is driving me batty.
 
I setup aaa authen but it's failing.
 
Here's the debug output:
 
%PIX-6-113014: AAA authentication server not accessible : server = 10.0.0.100 : <----- NOT TRUE, see ping below.
 user = cisco123

%PIX-6-109006: Authentication failed for user 'cisco123' from 183.1.19.12/2811 to 183.1.19.100/80 on interface inside

%PIX-6-302014: Teardown TCP connection 9230 for inside:10.0.0.100/49 to NP Identity Ifc:183.1.19.9/1048 duration 0:00:01 bytes 96 TCP FINs

%PIX-6-302014: Teardown TCP connection 9227 for outside:183.1.19.100/80 to inside:183.1.19.12/2811 duration 0:00:59 bytes 135 TCP FINs

%PIX-6-302013: Built outbound TCP connection 9231 for outside:183.1.19.100/80 (183.1.19.100/80) to inside:183.1.19.12/2834 (183.1.19.12/2834)

%PIX-6-109001: Auth start for user '???' from 183.1.19.12/2834 to 183.1.19.100/80

%PIX-6-302013: Built outbound TCP connection 9232 for inside:10.0.0.100/49 (10.0.0.100/49) to NP Identity Ifc:183.1.19.9/1049 (183.1.19.9/1049)

 
 
PIX(config)# ping 10.0.0.100

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:

!!!!!
 
Why would the debug say "AAA authen server not accessible" when it is?
 
I thought maybe the shared key wasn't correct or maybe the ip addresses
weren't correct but I checked them and they're all correct.
 
Thanks, Tim
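Added example, not part of the thread: a small Python parser over the PIX syslog lines quoted above (re-joined onto single lines) that checks whether the firewall actually built and FIN-closed TCP sessions to the AAA server's TACACS+ port 49. That separates a transport-level reachability problem from an application-level one such as a shared-key or server-side mismatch. The sample log and the verdict strings are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the PIX messages quoted in the thread, one per line.
SAMPLE_LOG = """\
%PIX-6-113014: AAA authentication server not accessible : server = 10.0.0.100 : user = cisco123
%PIX-6-109006: Authentication failed for user 'cisco123' from 183.1.19.12/2811 to 183.1.19.100/80 on interface inside
%PIX-6-302014: Teardown TCP connection 9230 for inside:10.0.0.100/49 to NP Identity Ifc:183.1.19.9/1048 duration 0:00:01 bytes 96 TCP FINs
%PIX-6-302014: Teardown TCP connection 9227 for outside:183.1.19.100/80 to inside:183.1.19.12/2811 duration 0:00:59 bytes 135 TCP FINs
%PIX-6-302013: Built outbound TCP connection 9231 for outside:183.1.19.100/80 (183.1.19.100/80) to inside:183.1.19.12/2834 (183.1.19.12/2834)
%PIX-6-109001: Auth start for user '???' from 183.1.19.12/2834 to 183.1.19.100/80
%PIX-6-302013: Built outbound TCP connection 9232 for inside:10.0.0.100/49 (10.0.0.100/49) to NP Identity Ifc:183.1.19.9/1049 (183.1.19.9/1049)
"""

NOT_ACCESSIBLE = re.compile(r"%PIX-6-113014: .*server = (?P<server>[\d.]+)")
BUILT = re.compile(r"%PIX-6-302013: Built \w+ TCP connection (?P<id>\d+) for \w+:(?P<ip>[\d.]+)/(?P<port>\d+)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for \w+:(?P<ip>[\d.]+)/(?P<port>\d+) .*bytes (?P<bytes>\d+) (?P<reason>.+)$")

# Ports the PIX would use to reach an AAA server (TACACS+ is TCP; RADIUS ports listed for the port-mismatch check).
AAA_PORTS = {49: "tacacs+", 1645: "radius", 1812: "radius"}


def diagnose(log_text):
    """Return {server_ip: verdict} for every server the PIX reported as not accessible."""
    flagged, built, torn = set(), defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if m := NOT_ACCESSIBLE.search(line):
            flagged.add(m["server"])
        elif m := BUILT.search(line):
            built[m["ip"]].append((int(m["port"]), m["id"]))
        elif m := TEARDOWN.search(line):
            torn[m["ip"]].append((int(m["port"]), int(m["bytes"]), m["reason"].strip()))
    verdicts = {}
    for server in flagged:
        ports = {p for p, _ in built[server]} | {p for p, _, _ in torn[server]}
        if not any(p in AAA_PORTS for p in ports):
            verdicts[server] = "no TCP session to an AAA port seen: check routing/ACLs and that the server is listening"
            continue
        # A session that closed with FINs after carrying data means the handshake and the
        # TACACS+ exchange happened; the rejection is then an application-level problem.
        fin_closed = [(p, b) for p, b, r in torn[server] if r == "TCP FINs" and p in AAA_PORTS]
        if fin_closed:
            p, b = fin_closed[0]
            verdicts[server] = (f"TCP to {AAA_PORTS[p]}/{p} completes and closes with FINs after {b} bytes: "
                                "transport is fine, suspect shared key or server-side configuration")
        else:
            verdicts[server] = "TCP session opened but not cleanly closed: check for resets or timeouts"
    return verdicts
```

On the thread's own log the verdict for 10.0.0.100 points at the application layer, which is consistent with the ping succeeding.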



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART