04-01-2011 10:37 AM - edited 03-10-2019 05:57 PM
We have a Cisco Access Control Server (TACACS+ version 5.1) with an additional
2 port NIC card. This produces 4 ports on the ACS server(G0 through G3).
After initial setup of the ACS server with an IP address on G0, I connected a Windows 7
server with IE8 to G0. The ACS web interface appears (after accepting certificate) and I
entered some user accounts and NDGs.
I then connected the ACS server to a configured port with port-security on our 6500
switch. The port becomes err-disabled since the MAC address does not match up. It appears
that the onboard NIC on the ACS server is bonded thus producing the MAC address issue.
To fix this connection issue, on the ACS server, I cleared out G0 and setup G2 (additional
NIC card) with the IP address. After connecting to the 6500 switch, the ACS server port
works fine.
I removed the connection to the 6500 and connected the Windows server to the ACS. I can ping
the ACS server but the web interface is now unavailable unlike before. I do not get a
certificate warning on IE, it just states that internet not available.
On ACS, the 'show' status of acs shows all the processes are running and initialized.
Any help would be appreciated. It has got me stumped as all I did was change NIC configuration
on the ACS server.
Antonio
04-01-2011 12:28 PM
Greetings,
I have seen the same issue. Have you tried stopping the acs services via the ssh interface then restarting them? I have upgraded to 5.2.x train and don't see the issue anymore but I did see that issue on 5.1.x train.
04-03-2011 09:30 AM
ThunderCk,
Thank you. Do you mean going on to the ACS server and performing an "acs stop" followed by an "acs start?" I have also tried this but to no avail. I have also tried rebooting. I just don't understand how once I was able to get the web interface and now I can't even though I have link connection from the Windows server. It doesn't make sense to me. And because the ACS server is closed, I can't do any linux manipulations.
04-03-2011 12:21 PM
I assume if you connect the Win 7 computer to the ACS directly again you will be able to see the ACS's Web interface again? If so, have you troubleshot the connection between the PC and ACS when the ACS is connected to your 6500? When the ACS is connected to the 6500, can you ping the ACS IP from your PC?
04-03-2011 02:53 PM
When I connect the Win7 to ACS server, I can ping, but NO web interface. It worked prior when I used the G0 interface rather than the G2 interface on the ACS server (that is the only difference but should not matter).
I will try connecting both the ACS and Win7 machines to the 6500. But why would that differ from a direct connection from Win 7 to ACS server?
Thanks again for your help on this.
04-03-2011 05:33 PM
I wanted to verify if the failure of the web interface loading could also be due to something on the 6500 switch.
So far:
You have been able to see the Web interface with the ACS configured on G0 and directly connected to the Win 7 PC.
With G0 configured for ACS you have seen some MAC issue and therefore no web interface.
With the ACS configured on G2 you can ping the ACS server when it is directly connected and connected to the 6500 but in both cases cannot view the web interface.
So it looks like you have two options:
1) Look at resolving your 6500 port-security issue. (Do you have access to configure the 6500 port-security?)
2) Troubleshoot the G2 interface configuration. If you cannot see the web interface with the Win 7 PC directly connected then there is something wrong with the config on the ACS.
04-04-2011 05:56 AM
So it looks like you have two options:
1) Look at resolving your 6500 port-security issue. (Do you have access to configure the 6500 port-security?)
2) Troubleshoot the G2 interface configuration. If you cannot see the web interface with the Win 7 PC directly connected then there is something wrong with the config on the ACS.
Options Concerns:
1. Because of our security mandates, I cannot change any 6500 port-security settings. So this option is out for now.
2. I set the G2 interface configuration the same as I did for G0. It only has an IP address and subnet mask. G0, G1, and G3 are shutdown.
What do you think is wrong with the configuration on the ACS?
04-04-2011 06:12 AM
Did you use "acs reset-config" command when you moved from G0 --> G2 interface web configuration?
Does this ACS have data on it you need to save?
04-04-2011 06:21 AM
I did NOT do the 'acs reset-config'. Will try it now.
Also it appears from Cisco documentation that G1, G2, and G3 are "blocked" ports.
So it appears that I can only use G0. So I would have to make changes to the port security on the 6500 port to allow more than 1 MAC address as it appears G0 and G1 are bonded (teamed) together.
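The port-security behaviour the thread describes (one MAC allowed, a violation puts the port in err-disable) and the adjustment the thread ends on (permit the second MAC that the teamed G0/G1 pair presents) shown side by side as an added Cisco IOS configuration example. This is not from the original posts or from Cisco documentation; the interface name GigabitEthernet3/1, the VLAN, the MAC addresses and the recovery interval are assumed values.

```ios
! Added example, not from the original thread. Interface, VLAN, MACs and
! timers are assumed values.
!
! --- Port as the thread describes it: a single MAC allowed, and any
! --- violation shuts the port (err-disable), which is what hit the ACS.
interface GigabitEthernet3/1
 description ACS server (assumed)
 switchport
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Adjusted port: allow exactly the two addresses the teamed NICs
! --- present, pinned statically, and still shut the port on anything
! --- else. The MACs below are constructed placeholders; use the
! --- addresses actually learned on the port.
interface GigabitEthernet3/1
 switchport port-security maximum 2
 switchport port-security mac-address 0200.0000.0001
 switchport port-security mac-address 0200.0000.0002
!
! --- Optional: recover the port automatically after a violation instead
! --- of requiring a manual shutdown / no shutdown on the interface.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks after the change:
!  show port-security interface GigabitEthernet3/1  (max/current count, last violating MAC)
!  show interfaces status err-disabled              (port should no longer be listed)
!  show errdisable recovery                         (recovery cause and timer in effect)
```

Raising `maximum` alone would also clear the problem, but pinning the two known addresses keeps the port from accepting an arbitrary second device; `switchport port-security mac-address sticky` is the usual alternative when the addresses are not known ahead of time. The `show port-security interface` output is the place to read the last violating MAC, which confirms whether the second address really belongs to the teamed onboard NIC before the port is opened up.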