4366 Views · 0 Helpful · 6 Replies

ACS does not allow local users to authenticate

Hi all,

I'm having issues with the ACS. We are running Version: 5.8.0.38 (latest patch); however, we have recently been having issues with authentication. It simply does not allow you to log in even when the server is up and running, so most likely some services and DB services get stuck for some reason.

Now, the question is: if that scenario happens, how can I tell Cisco ACS to allow me to log in via local username and local password? It's happening more often and randomly, and it does not even allow you to connect via console; we always get access denied messages.

Here is the script I use in the access switch:

 

! Enable the AAA framework (required before any method list below takes effect)
aaa new-model
! Login and enable authentication: ask the TACACS+ group first; the next method
! (local user database / enable secret) is only consulted if TACACS+ does not answer
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
! Authorization: apply to the console too, and to configuration-mode commands
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
! if-authenticated: allow level-15 commands when the user authenticated but TACACS+ did not answer
aaa authorization commands 15 default group tacacs+ local if-authenticated
! Accounting goes to TACACS+ only; there is no local fallback for accounting records
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+

Here are the vty lines:

line vty 0 4
! Only sources permitted by the AUTHORIZED-USERS ACL may open a session
access-class AUTHORIZED-USERS in
exec-timeout 5 0
privilege level 15
! Line password (redacted); with aaa new-model it is only used by a method list containing "line"
password 7 XXXXXXX
logging synchronous
! SSH only, no Telnet
transport input ssh
transport output ssh
line vty 5 15
access-class AUTHORIZED-USERS in
exec-timeout 5 0
privilege level 15
password 7 XXXXXXXX
logging synchronous
transport input ssh
transport output ssh

So after 5 to 10 minutes, when it's back up, it allows you to connect.

Any ideas on where to set things up on the ACS server so that it allows you to connect locally if something goes wrong in the server?

Not sure about the aaa commands you see above, but if you know something, please let me know.

Regards,


1 Accepted Solution

6 Replies

GRANT3779

Hi,

So the first question would be: do you have a local username and password configured on your network devices?

You could also try the following:

aaa authentication login default group tacacs+ line

This would use the line password configured on the vty lines.

The unknown here is: when you say the ACS server does not let you log in, is it receiving your initial TACACS+ logon request and returning a fail for some reason? If so, your local credentials / line password won't ever work in this case. Or does it not respond in general? If the latter, then local creds should work, or the line password if you amend the config to the above.

You could debug aaa/tacacs on the device if possible. I would, however, also concentrate on the actual problem you have in general and get to the root cause.

Thanks for the reply,

Yes, we have a local username and password on all devices; in fact, that's the way we had been using before deploying this ACS. We have added around 500 Cisco devices so far; at the beginning around 100, and it was working perfectly fine, in other words, no authentication issues, so we were not worried about the local access.

Now, since it's happening more often, sometimes access is non-responsive for between 5 and 10 minutes and, by magic, the service returns.

However, while the service of the ACS is not working, it does not even allow us to log in with the local credentials, not even via console.

Now for your unknown concern: yes, it's not that the server goes down; in fact, we can ping the server while we cannot access the network devices. It's just like the service gets stuck, so I'm not sure how the network device works in terms of communication to the ACS, since it's like the switch sees the ACS server up in terms of reachability, but in terms of the actual service it does not respond, and the switch still believes the server is there, and that's why it does not switch to the local credentials.

I have grabbed the support bundle but don't know how to read it or where to find the real logs to check this scenario.

I will try to debug a switch and see how it goes, but as of now, I can tell you I'm able to log in to the device fine; the problem is when something in the background happens between ACS and switch that does not allow us to use local credentials.

Thanks for your assistance,


Hi,

 

Have you checked the accounting logs from ACS (monitoring/reports) section to see if this gives any indication to why tacacs authentication failed? Might give you an idea as to whether the ACS is even trying to process the requests. Do you have ACS connected to AD and using this as your backend for authentication? Is the ACS maybe losing connection to your Active Directory if so?

Is this happening at random times, or during a similar time period? Are there any DB backups / purges happening during the "down" time?

The fact that the local credentials don't work seems to indicate that ACS returns a failed logon rather than timing out.

 

Regarding the Serial Connection - What do you have configured under line con 0?
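The distinction drawn in the two replies above, between ACS answering with a reject and ACS not answering at all, is what decides whether `group tacacs+ local` ever reaches the local database. The following is an added example, not code from the thread or from Cisco IOS: a small Python model of IOS method-list evaluation (next method only on no-response, never on an explicit fail) run against a constructed stand-in for the ACS server. The `AcsServer` class, the `netadmin` user and its password are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (no response / unreachable)


# Constructed sample data: the switch's local user database.
LOCAL_USERS = {"netadmin": "LocalOnlySecret-constructed"}


@dataclass
class AcsServer:
    """Hypothetical stand-in for the ACS TACACS+ service (constructed model)."""
    reachable: bool = True       # the switch gets an answer on the TACACS+ port
    backend_ok: bool = True      # ACS can reach its AD backend
    users: dict = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # no reply: the switch times out on this method
        if not self.backend_ok:
            # ACS is up and answers, but cannot validate against AD, so it
            # returns an explicit reject rather than staying silent.
            return Result.FAIL
        return Result.PASS if self.users.get(user) == password else Result.FAIL


def local_method(user: str, password: str) -> Result:
    """The 'local' method: check the switch's own user database."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def run_method_list(methods, user, password):
    """Model of IOS method-list evaluation: methods are tried in order, the
    first PASS or FAIL is final, and the next method is consulted only on
    ERROR. If every method errors, the login is denied."""
    trace = []
    for name, fn in methods:
        result = fn(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    return Result.FAIL, trace


def vty_login(server: AcsServer, user: str, password: str):
    """'aaa authentication login default group tacacs+ local' as posted."""
    return run_method_list(
        [("group tacacs+", server.authenticate), ("local", local_method)],
        user, password)


def console_login(user: str, password: str):
    """A console-only list that never consults TACACS+ (the effect of a named
    list such as 'aaa authentication login CONSOLE local' under line con 0)."""
    return run_method_list([("local", local_method)], user, password)


if __name__ == "__main__":
    creds = ("netadmin", "LocalOnlySecret-constructed")
    scenarios = [
        ("ACS healthy", AcsServer(users={"netadmin": creds[1]})),
        ("ACS unreachable", AcsServer(reachable=False)),
        ("ACS up, AD backend cut off", AcsServer(backend_ok=False)),
    ]
    for label, srv in scenarios:
        result, trace = vty_login(srv, *creds)
        print(f"{label}: {result.value} via {[n for n, _ in trace]}")
    print("console, local-only list:", console_login(*creds)[0].value)
```

The third scenario is the one this thread ended in: ACS stayed pingable and kept answering, but with a reject because the firewall had cut it off from AD, so the `local` method was never reached on either the vty or the console. The console-only list shows the defensive design point: keep an out-of-band line on a method list that does not depend on the AAA server at all.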

Thank you for the response, and sorry for the long delay.

I would like to tell you that you pointed me down the right path to find the root cause.

It was a misconfiguration on the firewall side that was not allowing communication between the AD servers and the ACS.

Thanks so much for your help,


Hi Alex,

 

I'm glad you managed to get to the bottom of it. Thanks also for getting back to the forum to let us know.

Hi All,

I need help with Cisco ACS.

I keep receiving the following alerts: "Cisco ACS DB Purge -- x@y.com -- No DB Purge in over 86400 seconds"

Could someone in the community help me with the solution? Is this going to cause any impact/outage?