topic Re: Cisco ACS 5.2: unknown network device or AAA client in Network Access Control

Cisco ACS 5.2: unknown network device or AAA client

staalebotnen — Mon, 11 Mar 2019 00:39:11 GMT

We have recently started testing Cisco ACS 5.2, but we are hitting an issue when we try to register a Wireless LAN Controller. Even when the device is registered on the ACS under "Network Devices and AAA Clients" we are getting the following error message in the logs:

"11017 Received TACACS+ packet from unknown Network device or AAA client"

We have deleted and recreated the object, restarted the ACS, verified IP address and netmask, still no luck.

Has anyone experienced something similiar? I'm begining to think we are hitting a bug, but I see there are several post from people who have successfully setup authentication beweeen a ACS 5.2 and WLC 6...

Re: Cisco ACS 5.2: unknown network device or AAA client

Tiago Antunes — Tue, 14 Dec 2010 19:41:04 GMT

Hi,

What kind of authentication are we talking about?

Clients or the WLC admin users?

If it is clients, then the protocol should be RADIUS...

From the error message the acs is receiving a TACACS+ packet...so i would say that you are trying to authenticate admin users...is it correct?

Now, is it possible that you have defined the WLC as a RADIUS device and what you want to do is TACACS device (WLC) authentication?

If yes, then i would review the aaa client config to match the protocol.

HTH,
Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: Cisco ACS 5.2: unknown network device or AAA client

staalebotnen — Thu, 16 Dec 2010 06:50:00 GMT

Hi,

Both TACACS+ and RADIUS authentication of Admin users. The definitions on the object are correct (tried both as a RADIUS and a TACACS+ object).

I have done some more testing and it turns out that any changes that we do in the "Network Devices or AAA Clients" have no effect, the changes get updated in the GUI but never seem to get activated for real. I tested this by deleting an object, and even when the object is gone I can authenticate with the ACS from that NAS device... So it would seem that we are hitting some bug/corruption. I have created a TAC case with Cisco, this will be the third case since we started implementing the new 5.x version..and we are still in testing phace..

Re: Cisco ACS 5.2: unknown network device or AAA client

Tiago Antunes — Thu, 16 Dec 2010 07:30:01 GMT

Hi,

Could it be that you have another ACS and the authentications are going there?

BR,

Tiago

Re: Cisco ACS 5.2: unknown network device or AAA client

staalebotnen — Thu, 16 Dec 2010 08:03:41 GMT

Hi,

We do have two ACSs (Primary/Secondary), authentications go to both of these (we see this in the logs). Both ACSs experience the same issue. So we are currently unable to register any new devices or change exsting ones. Currently waiting for the TAC.

Re: Cisco ACS 5.2: unknown network device or AAA client

Tiago Antunes — Thu, 16 Dec 2010 08:07:05 GMT

Hi,

Please note that changes can only be done on the Primary ACS, and then these changes are mirrored to the other ACS.

HTH,
Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: Cisco ACS 5.2: unknown network device or AAA client

staalebotnen — Thu, 16 Dec 2010 08:16:04 GMT

Yes, and this does seem to work fine. Any changes done on primary are quickly replicated to the secondary. But they do not take effect there either...

Re: Cisco ACS 5.2: unknown network device or AAA client

Javier Henderson — Thu, 16 Dec 2010 13:57:54 GMT

If you look at the details of the failed authentication, is the IP address shown the same as it is listed for the AAA client?

Re: Cisco ACS 5.2: unknown network device or AAA client

staalebotnen — Thu, 16 Dec 2010 14:04:18 GMT

Yes, the IP address is identical. Another issue we detected now is that this is not only affecting "Network Devices and AAA Clients", but our "Service Selection Rules" as well. We can disable rules, but the counters still increment and the rules still triggers. I'm hoping that we have just been unlucky with our configuration/appliance and that this is not the general state of the product...

On a side note, adding/deleting/modifying users work...

Re: Cisco ACS 5.2: unknown network device or AAA client

jrabinow — Thu, 16 Dec 2010 14:23:41 GMT

This is a general issue. While the database is replicating OK - you will see updated config data on the GUI on the servers - the piece that updates the protocol component with the new config has stopped and so no updated configuration will be processed. This will affect all configuraiton items; the only exception is the internal user data which is read directly from the database.

You said you have opened a TAC case so they will need to troubleshoot. Only other comments/suggestions:

A stop/start on the server "may" recover things
worth checking whether there are any system alarms that relate to this issue

Re: Cisco ACS 5.2: unknown network device or AAA client

Tiago Antunes — Thu, 16 Dec 2010 14:25:49 GMT

Hi just for curiosity,

What browser are you using to browse the ACS?

Can you try with IE to see if the config changes are taken into account?

HTH,
Tiago

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.