topic Refer the document : http:/ in Network Access Control

ACS 5.6 authentication problem

Colin Higgins — Mon, 11 Mar 2019 05:18:43 GMT

We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.

The appliance is installed on the network, properly licensed etc.

I joined the ACS server to the AD domain without a problem. I created some local and external (AD) users for testing.

I created a network device (catalyst switch) as a tacacs+ client, and specified single-connect.

When I SSH into the switch, I can log in using my AD username and password, but I cannot go into enable mode. It says "Error in authentication"

my aaa settings are

tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>

I am missing something somewhere, I just don't know where. If I try and download the ACS support bundle, it says downloading, but doesn't say where to get it (or how).

any advice would be great. I am new to this product.

also, my aaa settings are:

Colin Higgins — Tue, 30 Dec 2014 20:52:48 GMT

also, my aaa settings are:

aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local

Refer the document : http:/

mohanak — Wed, 31 Dec 2014 09:13:46 GMT

Refer the document : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889

OK, looks like I have

Colin Higgins — Wed, 31 Dec 2014 15:59:52 GMT

OK, looks like I have everything working now. I had the wrong shell authorization specified for the group. I was authenticating, but then couldn't do anything.

But the other question is, when I download the support pack to view the logs, where does ACS send this download? It doesn't say.

Actually, I spoke too soon.

Colin Higgins — Wed, 31 Dec 2014 16:44:45 GMT

Actually, I spoke too soon. It is working for some users and not others, even though they are set up exactly the same way. Some can authenticate and some cannot.

Where can I go to see what is failing?

OK, I have an update I found

Colin Higgins — Wed, 31 Dec 2014 17:37:01 GMT

OK, I have an update

I found the reports in ACS, so that is not an issue. Here is what is happening

I have a Catalyst 6509 that has been added to the ACS 5.6 server as a AAA client. Key has been verified, and user accounts are fine (I have verified authentication against other network devices without a problem).

the AAA settings for the switch are

aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local

tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>

If I do a test aaa group tacacs <username> <password>

and enable aaa debugging on the switch, it says user authenticated. If I look in the logs on the ACS server, it verifies that the user was authenticated without a problem.

Now, if I ssh into the switch and attempt to authenticate using the same credentials, it fails.

Nothing shows up in the ACS log, and the aaa debugging indicates it is trying to use the local database and failing.

The switch seems to be "stuck" somehow, and refusing to use the tacacs server.

Has anyone seen this?

OK, I have the solution the

Colin Higgins — Wed, 31 Dec 2014 18:01:31 GMT

OK, I have the solution

the authentication list of the vty lines 04 and 5 15 didn't match. The list specified in the aaa settings did not match the one in the line (one digit off). Therefore, the switch was never looking to ACS when authenticating ssh users.