From: Tim (ccie2be@nyc.rr.com)
Date: Fri Jun 20 2008 - 11:55:42 ART
Yippee!!!!
Something finally actually worked.
Thanks guys for sharing your ideas with me.
Tim
_____
From: Muhammad Nasim [mailto:muhammad.nasim@gmail.com]
Sent: Friday, June 20, 2008 10:48 AM
To: Tim
Cc: Luca Hall; Cisco certification; security@groupstudy.com
Subject: Re: AAA authentication
Go to the ACS service control. Stop it and then start it.
Maybe this helps; if not, then restart the ACS server.
2008/6/20 Tim <ccie2be@nyc.rr.com>:
Luca,
You're 100% right.
I did the netstat -na command like you said and saw that Tacacs+ is running
on the wrong IP address, 0.0.0.0, not 10.0.0.100, which
is the address it should be running on.
I don't understand why Tacacs is NOT running on 10.0.0.100 because when I
defined the AAA server in ACS, I specified 10.0.0.100 as the address.
Do you know how I can fix this problem?
Thanks so much,
Tim
-----Original Message-----
From: Luca Hall [mailto:lhall@setnine.com]
Sent: Friday, June 20, 2008 9:55 AM
To: Tim
Cc: 'Cisco certification'; security@groupstudy.com
Subject: Re: AAA authentication
Just because the AAA box is up doesn't mean RADIUS/TACACS is running on it,
which is what it's telling you with the debug message:
"AAA authentication server not accessible"
I'd make sure AAA is running and you have the ports correct on the server and
the router (old 1812 vs new 1645). netstat -na on your AAA box, then nmap the
ports RADIUS/TACACS is running on to make sure you can access it.
----- Original Message -----
From: Tim <ccie2be@nyc.rr.com>
To: 'Cisco certification' <ccielab@groupstudy.com>, security@groupstudy.com
Sent: Fri, 20 Jun 2008 09:33:12 -0400 (EDT)
Subject: AAA authentication
Hey guys,
This is driving me batty.
I set up aaa authen but it's failing.
Here's the debug output:
%PIX-6-113014: AAA authentication server not accessible : server = 10.0.0.100 : <----- NOT TRUE, see ping below.
user = cisco123
%PIX-6-109006: Authentication failed for user 'cisco123' from 183.1.19.12/2811 to 183.1.19.100/80 on interface inside
%PIX-6-302014: Teardown TCP connection 9230 for inside:10.0.0.100/49 to NP Identity Ifc:183.1.19.9/1048 duration 0:00:01 bytes 96 TCP FINs
%PIX-6-302014: Teardown TCP connection 9227 for outside:183.1.19.100/80 to inside:183.1.19.12/2811 duration 0:00:59 bytes 135 TCP FINs
%PIX-6-302013: Built outbound TCP connection 9231 for outside:183.1.19.100/80 (183.1.19.100/80) to inside:183.1.19.12/2834 (183.1.19.12/2834)
%PIX-6-109001: Auth start for user '???' from 183.1.19.12/2834 to 183.1.19.100/80
%PIX-6-302013: Built outbound TCP connection 9232 for inside:10.0.0.100/49 (10.0.0.100/49) to NP Identity Ifc:183.1.19.9/1049 (183.1.19.9/1049)
PIX(config)# ping 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
!!!!!
Why would the debug say "AAA authen server not accessible" when it is?
I thought maybe the shared key wasn't correct or maybe the ip addresses
weren't correct but I checked them and they're all correct.
Thanks, Tim
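
Added example, not written by anyone in this thread: a Python sketch that answers the question a ping cannot, namely whether the PIX ever got a TCP session to the AAA server on port 49, by correlating %PIX-6-113014 with the 302013/302014 connection records. The sample lines are the debug output from the original post with the line wraps rejoined and the inline annotation dropped; the function names and the triage wording are this example's own assumptions.

```python
import re

# Debug lines from the original post, wraps rejoined (sample input for this example).
SAMPLE_LOG = """\
%PIX-6-113014: AAA authentication server not accessible : server = 10.0.0.100 : user = cisco123
%PIX-6-109006: Authentication failed for user 'cisco123' from 183.1.19.12/2811 to 183.1.19.100/80 on interface inside
%PIX-6-302014: Teardown TCP connection 9230 for inside:10.0.0.100/49 to NP Identity Ifc:183.1.19.9/1048 duration 0:00:01 bytes 96 TCP FINs
%PIX-6-302013: Built outbound TCP connection 9231 for outside:183.1.19.100/80 (183.1.19.100/80) to inside:183.1.19.12/2834 (183.1.19.12/2834)
%PIX-6-302013: Built outbound TCP connection 9232 for inside:10.0.0.100/49 (10.0.0.100/49) to NP Identity Ifc:183.1.19.9/1049 (183.1.19.9/1049)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
UNREACHABLE = re.compile(r"%PIX-6-113014: .*server\s*=\s*" + IP)
BUILT = re.compile(r"%PIX-6-302013: Built \w+ TCP connection (\d+) for \w+:" + IP + r"/(\d+) ")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for \w+:" + IP + r"/(\d+) "
                      r".*duration (\S+) bytes (\d+) (.*)")

def aaa_sessions(log, port=49):
    """For each server logged as 'not accessible', list TCP sessions seen to it on `port`."""
    flagged, sessions = set(), {}
    for line in log.splitlines():
        if m := UNREACHABLE.search(line):
            flagged.add(m.group(1))
        elif (m := BUILT.search(line)) and int(m.group(3)) == port:
            sessions.setdefault(m.group(2), []).append({"conn": m.group(1), "event": "built"})
        elif (m := TEARDOWN.search(line)) and int(m.group(3)) == port:
            sessions.setdefault(m.group(2), []).append({
                "conn": m.group(1), "event": "teardown", "duration": m.group(4),
                "bytes": int(m.group(5)), "reason": m.group(6).strip()})
    return {srv: sessions.get(srv, []) for srv in flagged}

def verdict(events):
    """Triage heuristic (an assumption of this example, not PIX behaviour)."""
    if not events:
        return "no TCP session seen: check routing, ACLs and the listener (netstat -na)"
    if any(e["event"] == "teardown" and e["bytes"] > 0 for e in events):
        return "TCP session carried data: check service state, listener address, shared key"
    return "TCP session opened, no completed exchange logged"

if __name__ == "__main__":
    for server, events in aaa_sessions(SAMPLE_LOG).items():
        print(server, verdict(events), *events, sep="\n  ")
```

On the posted output this reports connection 9230 to 10.0.0.100/49 torn down after one second with 96 bytes exchanged, which is information the successful ping does not give.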