Solved: ACS authorization failed

nkumaruniv · ‎11-08-2022

I created a policy and tried to save the changes and it did not save the change even existing config disappear automatically so i thought restore the lastest snapshot and after that i am getting authorization failed error.

We are currently on 5.5.0.46. and trying to go in 5.8

Below are the logs we are getting on cosole of swtich just for info to check furhter , i am looking for help becasue remote access has been gone now for every device :(.

Nov 8 12:35:48.569: AAA/BIND(000061A6): Bind i/f
Nov 8 12:35:48.569: AAA/AUTHEN/LOGIN (000061A6): Pick method list 'default'
Nov 8 12:35:48.569: TPLUS: Queuing AAA Authentication request 24998 for processing
Nov 8 12:35:48.569: TPLUS(000061A6) login timer started 1020 sec timeout
Nov 8 12:35:48.569: TPLUS: processing authentication start request id 24998
Nov 8 12:35:48.569: TPLUS: Authentication start packet created for 24998(username)
Nov 8 12:35:48.569: TPLUS: Using server <removed server IP>
Nov 8 12:35:48.569: TPLUS(000061A6)/0/NB_WAIT/3A88DA8: Started 5 sec timeout
Nov 8 12:35:48.577: TPLUS(000061A6)/0/NB_WAIT: socket event 2
Nov 8 12:35:48.577: TPLUS(000061A6)/0/NB_WAIT: wrote entire 44 bytes request
Nov 8 12:35:48.577: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:35:48.577: TPLUS(000061A6)/0/READ: Would block while reading
Nov 8 12:35:48.577: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:35:48.577: TPLUS(000061A6)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 8 12:35:48.577: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:35:48.577: TPLUS(000061A6)/0/READ: read entire 28 bytes response
Nov 8 12:35:48.577: TPLUS(000061A6)/0/3A88DA8: Processing the reply packet
Nov 8 12:35:48.577: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 8 12:35:58.040: TPLUS: Queuing AAA Authentication request 24998 for processing
Nov 8 12:35:58.040: TPLUS(000061A6) login timer started 1020 sec timeout
Nov 8 12:35:58.040: TPLUS: processing authentication continue request id 24998
Nov 8 12:35:58.040: TPLUS: Authentication continue packet generated for 24998
Nov 8 12:35:58.040: TPLUS(000061A6)/0/WRITE/37CEB34: Started 5 sec timeout
Nov 8 12:35:58.040: TPLUS(000061A6)/0/WRITE: wrote entire 29 bytes request
Nov 8 12:35:58.040: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:35:58.040: TPLUS(000061A6)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 8 12:35:58.040: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:35:58.040: TPLUS(000061A6)/0/READ: read entire 18 bytes response
Nov 8 12:35:58.040: TPLUS(000061A6)/0/37CEB34: Processing the reply packet
Nov 8 12:35:58.040: TPLUS: Received Authen status error
Nov 8 12:35:58.040: TPLUS(000061A6)/0/REQ_WAIT/37CEB34: timed out
Nov 8 12:35:58.040: TPLUS(000061A6)/0/37CEB34: Processing the reply packet
Nov 8 12:36:00.338: AAA/AUTHEN/LOGIN (000061A6): Pick method list 'default'
Nov 8 12:36:00.338: TPLUS: Queuing AAA Authentication request 24998 for processing
Nov 8 12:36:00.338: TPLUS(000061A6) login timer started 1020 sec timeout
Nov 8 12:36:00.338: TPLUS: processing authentication start request id 24998
Nov 8 12:36:00.338: TPLUS: Authentication start packet created for 24998(username)
Nov 8 12:36:00.338: TPLUS: Using server <removed server IP>
Nov 8 12:36:00.338: TPLUS(000061A6)/0/NB_WAIT/3A88E90: Started 5 sec timeout
Nov 8 12:36:00.347: TPLUS(000061A6)/0/NB_WAIT: socket event 2
Nov 8 12:36:00.355: TPLUS(000061A6)/0/NB_WAIT: wrote entire 44 bytes request
Nov 8 12:36:00.355: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:00.355: TPLUS(000061A6)/0/READ: Would block while reading
Nov 8 12:36:00.355: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:00.355: TPLUS(000061A6)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 8 12:36:00.355: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:00.355: TPLUS(000061A6)/0/READ: read entire 28 bytes response
Nov 8 12:36:00.355: TPLUS(000061A6)/0/3A88E90: Processing the reply packet
Nov 8 12:36:00.355: TPLUS: Received authen response status GET_PASSWORD (8)
Nov 8 12:36:01.915: TPLUS: Queuing AAA Authentication request 24998 for processing
Nov 8 12:36:01.915: TPLUS(000061A6) login timer started 1020 sec timeout
Nov 8 12:36:01.915: TPLUS: processing authentication continue request id 24998
Nov 8 12:36:01.915: TPLUS: Authentication continue packet generated for 24998
Nov 8 12:36:01.915: TPLUS(000061A6)/0/WRITE/37C4D58: Started 5 sec timeout
Nov 8 12:36:01.915: TPLUS(000061A6)/0/WRITE: wrote entire 29 bytes request
Nov 8 12:36:01.915: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:01.924: TPLUS(000061A6)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Nov 8 12:36:01.924: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:01.924: TPLUS(000061A6)/0/READ: read entire 18 bytes response
Nov 8 12:36:01.924: TPLUS(000061A6)/0/37C4D58: Processing the reply packet
Nov 8 12:36:01.924: TPLUS: Received Authen status error
Nov 8 12:36:01.924: TPLUS(000061A6)/0/REQ_WAIT/37C4D58: timed out
Nov 8 12:36:01.924: TPLUS(000061A6)/0/37C4D58: Processing the reply packet
Nov 8 12:36:04.222: AAA/AUTHEN/LOGIN (000061A6): Pick method list 'default'
Nov 8 12:36:04.222: TPLUS: Queuing AAA Authentication request 24998 for processing
Nov 8 12:36:04.222: TPLUS(000061A6) login timer started 1020 sec timeout
Nov 8 12:36:04.222: TPLUS: processing authentication start request id 24998
Nov 8 12:36:04.222: TPLUS: Authentication start packet created for 24998(username)
Nov 8 12:36:04.222: TPLUS: Using server <removed server IP>
Nov 8 12:36:04.222: TPLUS(000061A6)/0/NB_WAIT/37CEA4C: Started 5 sec timeout
Nov 8 12:36:04.239: TPLUS(000061A6)/0/NB_WAIT: socket event 2
Nov 8 12:36:04.239: TPLUS(000061A6)/0/NB_WAIT: wrote entire 44 bytes request
Nov 8 12:36:04.239: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:04.239: TPLUS(000061A6)/0/READ: Would block while reading
Nov 8 12:36:04.247: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:04.247: TPLUS(000061A6)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Nov 8 12:36:04.247: TPLUS(000061A6)/0/READ: socket event 1
Nov 8 12:36:04.247: TPLUS(000061A6)/0/READ: read entire 28 bytes response
Nov 8 12:36:04.247: TPLUS(000061A6)/0/37CEA4C: Processing the reply packet
Nov 8 12:36:04.247: TPLUS: Received authen response status GET_PASSWORD (8)

balaji.bandi · ‎11-08-2022

i would check also same logs on ACS side.

TPLUS: Received Authen status error

ACS using AD source ? or local ?

troubleshooting :

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html#ade

Do not use Chrome - it messup the config, always use IE

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

balaji.bandi · ‎11-08-2022

i would check also same logs on ACS side.

TPLUS: Received Authen status error

ACS using AD source ? or local ?

troubleshooting :

https://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html#ade

Do not use Chrome - it messup the config, always use IE

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

nkumaruniv · ‎11-08-2022

ACS using AD source ? or local ? AD

Do not use Chrome - it messup the config, always use IE , ---------- thank you

nkumaruniv · ‎11-08-2022

THIS LINK HELPD ME ALOT AND I FIX MY ISSUE.

marce1000 · ‎11-08-2022

- Ref : https://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-system/eos-eol-c51-738197.html

Whilst not a specific answer you need to consider that ACS is very old and no longer supported , this will also lead to incompatibilities with modern switches , consider migrating to ISE.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

nkumaruniv · ‎11-08-2022

Curretnly needs to fix and we are planning for ISA as well but will take time