ACS 5.6 authentication problem

Colin Higgins
Level 2

We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.

The appliance is installed on the network, properly licensed, etc.

I joined the ACS server to the AD domain without a problem. I created some local and external (AD) users for testing.

I created a network device (Catalyst switch) as a TACACS+ client, and specified single-connect.

When I SSH into the switch, I can log in using my AD username and password, but I cannot go into enable mode. It says "Error in authentication".

My aaa settings are:

tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>

I am missing something somewhere, I just don't know where. If I try to download the ACS support bundle, it says downloading, but doesn't say where to get it (or how).

Any advice would be great. I am new to this product.


Colin Higgins
Level 2

Also, my aaa settings are:

aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local

OK, I have an update.

I found the reports in ACS, so that is not an issue. Here is what is happening.

I have a Catalyst 6509 that has been added to the ACS 5.6 server as an AAA client. The key has been verified, and the user accounts are fine (I have verified authentication against other network devices without a problem).

The AAA settings for the switch are:

aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local

tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>

If I do a test aaa group tacacs <username> <password> and enable aaa debugging on the switch, it says the user is authenticated. If I look in the logs on the ACS server, it verifies that the user was authenticated without a problem.

Now, if I SSH into the switch and attempt to authenticate using the same credentials, it fails.

Nothing shows up in the ACS log, and the aaa debugging indicates it is trying to use the local database and failing.

The switch seems to be "stuck" somehow, and refusing to use the TACACS+ server.

Has anyone seen this?

 

OK, I have the solution.

The authentication list on the vty lines 0 4 and 5 15 didn't match. The list specified in the aaa settings did not match the one in the line (one digit off). Therefore, the switch was never looking to ACS when authenticating SSH users.
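One way to catch exactly this kind of mismatch before it sends SSH logins to the local database, as an added example that is not from the original thread or from Cisco: a small Python check that parses a running-config and flags any vty line whose login or authorization list name has no matching global aaa definition. The config below is constructed to mirror the one-character mismatch described above (list names, address and key are sample values).

```python
import re

# Constructed sample config (not from the thread): the global lists are named
# "listsw2s" but the vty lines reference "listsw2", so SSH logins fall back to
# the local database exactly as described above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local
tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server key <key>
line vty 0 4
 login authentication listsw2
 authorization exec listsw2s
line vty 5 15
 login authentication listsw2
 authorization exec listsw2
"""

AAA_LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+)\s")
LINE_RE = re.compile(r"^line (vty \d+ \d+)")
REF_RE = re.compile(r"^ (login authentication|authorization exec) (\S+)")
# A "login authentication X" line refers to an "aaa authentication login X" list.
KIND_OF_REF = {"login authentication": "authentication login",
               "authorization exec": "authorization exec"}

def find_list_mismatches(config: str) -> list[tuple[str, str, str]]:
    """Return (vty_block, reference, list_name) for each list referenced
    on a vty line that has no matching global aaa definition."""
    defined = {"authentication login": {"default"}, "authorization exec": {"default"}}
    for raw in config.splitlines():  # pass 1: global aaa list definitions
        m = AAA_LIST_RE.match(raw)
        if m:
            defined[m.group(1)].add(m.group(2))
    mismatches, block = [], None
    for raw in config.splitlines():  # pass 2: references inside line blocks
        m = LINE_RE.match(raw)
        if m:
            block = m.group(1)
        elif block and raw.startswith(" "):
            ref = REF_RE.match(raw)
            if ref and ref.group(2) not in defined[KIND_OF_REF[ref.group(1)]]:
                mismatches.append((block, ref.group(1), ref.group(2)))
        else:
            block = None  # any other top-level command ends the line block
    return mismatches
```

Calling find_list_mismatches(SAMPLE_CONFIG) returns the three dangling references on the two vty blocks; running it over a real "show running-config" capture before cutting over to a new ACS is a cheap way to confirm the line lists actually point at the TACACS+ method.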

 

OK, it looks like I have everything working now. I had the wrong shell authorization specified for the group. I was authenticating, but then couldn't do anything.

But the other question is, when I download the support pack to view the logs, where does ACS send this download? It doesn't say.

Actually, I spoke too soon. It is working for some users and not others, even though they are set up exactly the same way. Some can authenticate and some cannot.

Where can I go to see what is failing?
