topic Re: No Response from the ACS in Network Access Control

No Response from the ACS

conceptzone — Sun, 10 Mar 2019 21:46:57 GMT

Dear Group,

I have Two ACS , the Primary ACS has the IP address 192.168.1.8 and the secondary ACS has the IP address 192.168.1.9

I tried to forward the authentication requests to the secondary ACS to make sure that we have no problem in case the primary fail but the secondary ACS did not respond to the requests sent from the AAA Client though I have no problem with the primary ACS.

The secondary ACS has the same configuration and feature set as the primary ACS, the primary ACS is configured to replicates its username, configuration, etc. every 60 minutes, the Secondary ACS is configured to receive those replication information.

Unfortunately the secondary ACS is not responding and is giving the following message:

No response from (192.168.1.9:1645,1646)

RADIUS/ENCODE(00000019): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

I will appreciate if someone can help me with diagnosing what?s going on

Here is the complete debug while entering the username/password :

Username: testuser

*Mar 23 16:00:15.625: AAA/BIND(00000019): Bind i/f

*Mar 23 16:00:15.625: AAA/AUTHEN/LOGIN (00000019): Pick method list 'VTY'

*Mar 23 16:00:15.625: RADIUS/ENCODE(00000019): ask "Username: "

*Mar 23 16:00:15.625: RADIUS/ENCODE(00000019): send packet; GET_USER

Password:

*Mar 23 16:00:22.037: RADIUS/ENCODE(00000019): ask "Password: "

*Mar 23 16:00:22.037: RADIUS/ENCODE(00000019): send packet; GET_PASSWORD

*Mar 23 16:00:28.201: RADIUS: AAA Unsupported [150] 6

*Mar 23 16:00:28.201: RADIUS: 74 74 79 31 [tty1]

*Mar 23 16:00:28.201: RADIUS(00000019): Storing nasport 162 in rad_db

*Mar 23 16:00:28.201: RADIUS/ENCODE(00000019): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

*Mar 23 16:00:28.201: RADIUS(00000019): Config NAS IP: 192.168.1.12

*Mar 23 16:00:28.201: RADIUS/ENCODE(00000019): acct_session_id: 22

*Mar 23 16:00:28.201: RADIUS(00000019): sending

*Mar 23 16:00:28.201: RADIUS(00000019): Send Access-Request to 192.168.1.9:1645 id 21645/14, len 79

*Mar 23 16:00:28.201: RADIUS: authenticator 79 79 F3 E5 6F 89 69 EA - AA 87 44 E3 F7 93 47 6B

*Mar 23 16:00:28.201: RADIUS: User-Name [1] 9 "testuser"

*Mar 23 16:00:28.201: RADIUS: User-Password [2] 18 *

*Mar 23 16:00:28.201: RADIUS: NAS-Port [5] 6 162

*Mar 23 16:00:28.201: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

*Mar 23 16:00:28.201: RADIUS: Calling-Station-Id [31] 14 "192.168.1.12"

*Mar 23 16:00:28.201: RADIUS: NAS-IP-Address [4] 6 192.168.1.12

*Mar 23 16:00:33.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:38.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:43.201: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:48.201: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/14

*Mar 23 16:00:48.201: RADIUS/DECODE: parse response no app start; FAIL

*Mar 23 16:00:48.201: RADIUS/DECODE: parse response; FAIL

% Authentication failed.

*Mar 23 16:01:47.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:01:52.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:01:57.929: RADIUS: Retransmit to (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:02:02.929: RADIUS: No response from (192.168.1.9:1645,1646) for id 21645/15

*Mar 23 16:02:02.929: RADIUS/DECODE: parse response no app start; FAIL

*Mar 23 16:02:02.929: RADIUS/DECODE: parse response; FAIL

% Authentication failed.

Thanks for helping me in advance

Re: No Response from the ACS

osamoz — Sun, 08 Oct 2006 09:34:16 GMT

Can you please post the configuration.!

Re: No Response from the ACS

conceptzone — Sun, 08 Oct 2006 10:43:57 GMT

aaa new-model

aaa authentication login VTY group radius local

aaa authentication login no_authentication non

aaa accounting exec default stop-only group radius

aaa accounting connection default start-stop group radius

aaa accounting system default start-stop group radius

ip radius source-interface Ethernet0/0

radius-server host 192.168.1.9 auth-port 1645 acct-port 1646 key lemon123

interface Ethernet0/0

ip address 192.168.1.12 255.255.255.0

line con 0

line aux 0

line vty 0 4

password cisco

transport input telnet

line vty 5 15

transport input telnet

Re: No Response from the ACS

darpotter — Mon, 09 Oct 2006 13:09:05 GMT

If you look in the failed attempts report on the secondary ACS - does it say anything?

You need to know if the request is making to the secondary, if its getting there is it being ignored or is there a problem in processing it.

Failed attempts is the first place to look

Darran

Re: No Response from the ACS

conceptzone — Tue, 10 Oct 2006 16:57:00 GMT

Dear Daran,

Unfortunately there are no any logs in the Secondary ACS, the only logs I can see is the commands I entered it on the AAA client, there is no failed attempts records.

The Radius is dead, currently I bypassed this issue by installing a new ACS on a third server , the IT department is persistent to solve this issue from the root, they want me to analyze the problem and discover the reason behind this phenomenon.

I will dedicate a time next week to play very hard with this ACS to know what?s going on, meanwhile I will be glad if some one can tell me some methods to run a debug on the windows machine.

Thanks