Sam, did you get a chance to work on the issue lately. Let us know if you need some assistance or you were able to fis this issue.

Jatin Katyal
- Do rate helpful posts -

I took the day off yesterday. I will get this thread updated with the relivent information you wanted today (hopefully sooner then later).

Hope you had a nice stay. No worries. anytime

Jatin Katyal
- Do rate helpful posts -

Let me preface this as saying, I am building out Cisco Labs, so everything I'm doing is pretty fresh / non prod.

I have a fresh install of ACS 4.2, and I upgraded it to 4.2.1.15. I have no NDG, so no keys there.

Below is the link for "ACS > reports and activity > failed attempts"

https://dl.dropboxusercontent.com/u/486946/Random/Failed.csv

debug aaa tacacs enable

______________________________________________________________________

(Cisco Controller) >*emWeb: Jun 05 16:50:41.769: Authentication failed for user

*aaaQueueReader: Jun 07 09:42:19.391: AuthenticationRequest: 0x31151fcc

*aaaQueueReader: Jun 07 09:42:19.391:   Callback................................

.....0x10733b2c

*aaaQueueReader: Jun 07 09:42:19.391:   protocolType............................

.....0x00020030

*aaaQueueReader: Jun 07 09:42:19.392:   proxyState..............................

.....00:00:00:2D:00:00-00:00

*aaaQueueReader: Jun 07 09:42:19.392:   Packet contains 5 AVPs (not shown)

*aaaQueueReader: Jun 07 09:42:19.392: Forwarding request to 10.60.1.7 port=49

*tplusTransportThread: Jun 07 09:42:29.396: Exhausted all available servers

*tplusTransportThread: Jun 07 09:42:29.396: ReProcessAuthentication previous pro

to 30, next proto 20008

*tplusTransportThread: Jun 07 09:42:29.396: Unable to find requested user entry

for user

*tplusTransportThread: Jun 07 09:42:29.396: 00:00:00:2d:00:00 Returning AAA Erro

r 'Authentication Failed' (-4) for mobile 00:00:00:2d:00:00

*tplusTransportThread: Jun 07 09:42:29.396: AuthorizationResponse: 0x3186ecec

*tplusTransportThread: Jun 07 09:42:29.396:     structureSize...................

.............32

*tplusTransportThread: Jun 07 09:42:29.396:     resultCode......................

.............-4

*tplusTransportThread: Jun 07 09:42:29.396:     protocolUsed....................

.............0x00000008

*tplusTransportThread: Jun 07 09:42:29.396:     proxyState......................

.............00:00:00:2D:00:00-00:00

*tplusTransportThread: Jun 07 09:42:29.396:     Packet contains 0 AVPs:

*emWeb: Jun 07 09:42:29.397: Authentication failed for user

______________________________________________________________________

show aaa auth

______________________________________________________________________

Management authentication server order:

    1............................................ tacacs

    2............................................ local

______________________________________________________________________

show tacacs auth stat

______________________________________________________________________

Authentication Servers:

Server Index..................................... 1

Server Address................................... 10.60.1.7

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 34

Retry Requests................................... 0

Accept Responses................................. 0

Reject Responses................................. 0

Error Responses.................................. 0

Restart Responses................................ 0

Follow Responses................................. 0

GetData Responses................................ 0

Encrypt no secret Responses...................... 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Timeout Requests................................. 102

Unknowntype Msgs................................. 0

Other Drops...................................... 0

______________________________________________________________________

debugs suggest that WLC is not getting Tacacs response from the ACS and request is getting timed out.

aaaQueueReader: Jun 07 09:42:19.392: Forwarding request to 10.60.1.7 port=49

tplusTransportThread: Jun 07 09:42:29.396: Exhausted all available servers

It seems the WLC ip address is x.x.x.4.  The ACS logs says that WLC is unknown to the server. Have you added

Controller IP address x.x.x.4 as AAA client with Authentication mechanism as TACACS+ (Cisco IOS) as shown here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3

If that's been done on the ACS then reset the shared secret key on the ACS and WLC side.

Jatin Katyal
- Do rate helpful posts -

Odd, yes I put both shared secrets as "cisco" and reset them to that to make sure I didn't fat finger it.

Here are some pictures that varify my claims

http://imgur.com/a/oM1pw

Don't worry about IPs / Hostname's showing, this is strictly a Lab environment that does not mirror any production network.

Any other ideas or troubleshooting I can do ?

The list of screen shots doesn't show up if you have added your ACS on WLC as a authorization server as well.

Would like to see the debugs again if issue persist.

Jatin Katyal
- Do rate helpful posts -

I found the solution to my problem. I origonally had the server IP as 10.40.1.7 for some previous ACS labs, when I swapped the server to a new IP of 10.60.1.7, it appeared ACS was still functioning, but was not. I had to unintstall ACS and install it fresh with the new IP.

For future reference, is there a way with ACS4.2 to overcome an obsticle like this?

If not, do future versions of ACS overcome this problem?

In case it answered all your quries, would appreciate if you mark this thread resolved so other community members take benefits out of it.

Jatin Katyal
- Do rate helpful posts -