https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353952#M88920 <HTML><HEAD></HEAD><BODY><P>Hi Mohammad,</P><P></P><P>I think I see the problem right away.</P><P>The ACS is dropping the packet due to IP mismatch.</P><P>Check the IP addresses.</P><P>The IP that you have defined is 147.23</P><P>The IP that the device is using is 149.24</P><P></P><P>It seems that you have multiple interfaces on the device and its using its own routing table.</P><P>If you want to force the device to use a specific IP for T+, then use "ip tacacs source-interface <INTERFACE>"</INTERFACE></P><P></P><P>or if you want to change this on the server end, then define, 149.24 as a network device.</P><P></P><P>**Share your knowledge. It’s a way to achieve immortality. <BR />--Dalai Lama** <BR /> <BR />Please Rate if helpful. <BR />Regards <BR />Ed</P></BODY></HTML> Thu, 09 Jan 2014 13:16:55 GMT edwjames 2014-01-09T13:16:55Z https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353949#M88913 <P><SPAN style="font-size: 10pt;"> </SPAN><SPAN style="font-size: 10pt;">Hey guys.</SPAN></P><P>I ve got a problem with the ACS 4.2 just in authentication</P><P>I have a 3750 Catalyst and installed an ACS 4.2 both in 1 zone. They can ping each other and there is no problem in their connectivity. I ve created a user called “test” in ACS local database, defined the switch in ACS database and configured 3750 with below commands:</P><P></P><P>aaa new-model</P><P>aaa authentication attempts login 10</P><P>aaa authentication login default group tacacs+ local enable</P><P>aaa authentication enable default group tacacs+ enable</P><P>tacacs-server host 192.168.149.30</P><P>tacacs-server directed-request</P><P>tacacs-server key 7 046803071F</P><P></P><P>When I try to login via the “test” user the below problem is appeared in my screen while debugging the authentication process in switch:</P><P></P><P><STRONG style="font-size: 10pt; ">Apr&nbsp; 1 05:29:11: AAA/BIND(00000049): Bind i/f</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:11: TPLUS: Queuing AAA Authentication request 73 for processing</STRONG></P><P><STRONG style="font-size: 10pt; ">Apr&nbsp; 1 05:29:11: TPLUS: processing authentication start request id 73</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:11: TPLUS: Authentication start packet created for 73(test)</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:11: TPLUS: Using server 192.168.149.30</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/NB_WAIT: socket event 2</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/READ: socket event 1</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>SW48-3#</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/READ: socket event 1</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/READ: errno 32</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: AAA/LOCAL/LOGIN(00000049): get password</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Done status GET_PASSWORD</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>SW48-3#</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN</STRONG></P><P style="margin-bottom: 0.0001pt;"><STRONG>Apr&nbsp; 1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password</STRONG></P><P></P><P>Just to confirm that the password is definitely correct and there is not any authorization process.</P><P></P><P>I will be very thankful if someone can help me to troubleshoot this matter.&nbsp; (or any doc that shows how to authenticate a user via ACS 4.2)</P><P></P><P>Moe</P> Mon, 11 Mar 2019 04:15:12 GMT https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353949#M88913 m_sadeghpour 2019-03-11T04:15:12Z https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353950#M88916 <HTML><HEAD></HEAD><BODY><P>Hi Moe,</P><P></P><P>What are all the debugs that you have used here?</P><P></P><P>Based on the debugs:</P><P>the request to falling back to local, user is not there in the internal DB and then its falling back to the enable password to which it fails.</P><P></P><P>What is the attempt or report on the ACS?</P><P>Can you share screenshots of the ACS configuration?</P><P></P><P>**Share your knowledge. It’s a way to achieve immortality. <BR />--Dalai Lama** <BR /> <BR />Please Rate if helpful. <BR />Regards <BR />Ed</P></BODY></HTML> Wed, 08 Jan 2014 16:13:12 GMT https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353950#M88916 edwjames 2014-01-08T16:13:12Z https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353951#M88919 <HTML><HEAD></HEAD><BODY><P>Tnx for your reply Ed.</P><P>As it was already mentioned the user was created on local ACS database and the switch was added too.</P><P>I have attached a screenshot of configured ACS and its report section.</P><P></P><P>the debug commands that was used to capture above information on switch are:</P><P></P><P>debug aaa authentication</P><P>debug tacacs authentication</P><P></P><P></P><P>honelsty, I have never been that much confused about ACS.<IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/2/3/174328-Untitled.jpg" class="jive-image" /></P><P></P><P>Cheers</P><P>Moe</P></BODY></HTML> Thu, 09 Jan 2014 04:27:35 GMT https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353951#M88919 m_sadeghpour 2014-01-09T04:27:35Z https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353952#M88920 <HTML><HEAD></HEAD><BODY><P>Hi Mohammad,</P><P></P><P>I think I see the problem right away.</P><P>The ACS is dropping the packet due to IP mismatch.</P><P>Check the IP addresses.</P><P>The IP that you have defined is 147.23</P><P>The IP that the device is using is 149.24</P><P></P><P>It seems that you have multiple interfaces on the device and its using its own routing table.</P><P>If you want to force the device to use a specific IP for T+, then use "ip tacacs source-interface <INTERFACE>"</INTERFACE></P><P></P><P>or if you want to change this on the server end, then define, 149.24 as a network device.</P><P></P><P>**Share your knowledge. It’s a way to achieve immortality. <BR />--Dalai Lama** <BR /> <BR />Please Rate if helpful. <BR />Regards <BR />Ed</P></BODY></HTML> Thu, 09 Jan 2014 13:16:55 GMT https://community.cisco.com/t5/network-access-control/issue-with-acs-4-2-in-authentication/m-p/2353952#M88920 edwjames 2014-01-09T13:16:55Z