topic Cisco ACS authentication problems in Network Access Control

Cisco ACS authentication problems

Wayne Cromwell — Sun, 10 Mar 2019 23:40:14 GMT

Hi All,

I just setup my ACS server for Windows. It running software version 4.1. I having problems authenticating. I have my AAA Clients setup in the ACS gui use tacacs to authenticate. I the switch key and ACS server keys matching. I have users setup. Here is my AAA config on the switch..

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

Here is the debug info on tacacs

183757: Sep 2 10:14:22.131 edt: TAC+: send AUTHEN/START packet ver=192 id=2789804961

183758: Sep 2 10:14:22.131 edt: TAC+: Using default tacacs server-group "tacacs+" list.

183759: Sep 2 10:14:22.131 edt: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5

183760: Sep 2 10:14:22.135 edt: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49

183761: Sep 2 10:14:22.135 edt: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued

183762: Sep 2 10:14:22.335 edt: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed

183763: Sep 2 10:14:22.335 edt: TAC+: received bad AUTHEN packet: length = 6, expected 128683

WC2950-12#

183764: Sep 2 10:14:22.335 edt: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

183765: Sep 2 10:14:22.335 edt: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49

183766: Sep 2 10:14:22.339 edt: TAC+: Using default tacacs server-group "tacacs+" list.

183767: Sep 2 10:14:22.339 edt: SSH1: password authentication failed for wcromwell

I have same keys on the AAA server as I do on my switch..

Thanks

Re: Cisco ACS authentication problems

Jagdeep Gambhir — Wed, 02 Sep 2009 13:59:25 GMT

Please check the NDG secret key and aaa client key. NDG override aaa client key.

Make sure you have correct key in NDG>

Regards,

~JG

Do rate helpful posts

Re: Cisco ACS authentication problems

Wayne Cromwell — Wed, 02 Sep 2009 15:11:15 GMT

That all set! thanks... I have accounting questioned. I set accounting for commands in the switch . Were do I view the report in ACS? In the Report and Activity I don't see the report for commands. I click on Tacacs+ Accounting but that report doesn't have any of the commands that I have used. If I debug AAA i do see AAA recording the commands.

Re: Cisco ACS authentication problems

Jagdeep Gambhir — Wed, 02 Sep 2009 15:18:02 GMT

Here are the command you need on IOS

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 aaa-list start-stop group tacacs+

aaa accounting commands 15 aaa-list start-stop group tacacs+

These logs are stored in tacacs administration report, so make sure you are checking the correct head.

Still it is not working then check acs code. Incase it is 4.1.1 then you need to apply patch 5 to fix it.

To download patch for appliance,

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For windows

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Regards,

~JG

Do rate helpful posts

Re: Cisco ACS authentication problems

Wayne Cromwell — Wed, 02 Sep 2009 16:30:54 GMT

Thanks, Thanks worked!