08-27-2015 10:59 PM - edited 03-10-2019 11:00 PM
Hi Team,
I'm running ACS 5.5 on a server.
I have an issue wherein I am failing to authenticate via AD (TACACS) on some of my switches, but I am able to log in normally to others. What I did was navigate to Network Resources > Network Devices and AAA Clients, duplicate a switch entry (one that I'm able to log in to normally) and then just change the IP to that of the switch I'm having trouble logging in to. Still, the issue persists.
I am able to log in via the local account as a fallback, though.
- Basically, the switches that I'm having trouble logging in to have the exact same setup (both config and ACS setup) as the ones with no issues.
- I already tried everything, such as replicating every single config from the switches with successful login to the ones that fail, but no joy.
- Made sure that the shared secret matches.
- The switch can reach the ACS server.
**debug aaa authentication on the failing switch shows:
Aug 28 05:52:20.955 GMT: AAA/BIND(0000004D): Bind i/f
Aug 28 05:52:20.955 GMT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'COMPANY'
SW09#
Aug 28 05:52:23.841 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.254.253.222] [localport: 23] [Reason: Login Authentication Failed] at 05:52:23 GMT Fri Aug 28 2015
SW09#
Aug 28 05:52:23.841 GMT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'COMPANY'
SW09#
Aug 28 05:52:24.504 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: LOCAL] [Source: 10.254.253.222] [localport: 23] at 05:52:24 GMT Fri Aug 28 2015
SW09#show aaa method-lists authentication
authen queue=AAA_ML_AUTHEN_LOGIN
name=REGUS valid=1 id=0 state=ALIVE : SERVER_GROUP COMPANY_ACS LOCAL
authen queue=AAA_ML_AUTHEN_ENABLE
authen queue=AAA_ML_AUTHEN_PPP
authen queue=AAA_ML_AUTHEN_SGBP
authen queue=AAA_ML_AUTHEN_ARAP
authen queue=AAA_ML_AUTHEN_DOT1X
authen queue=AAA_ML_AUTHEN_8021X
authen queue=AAA_ML_AUTHEN_EAPOUDP
authen queue=AAA_ML_AUTHEN_DOT1X
permanent lists
name=Permanent Enable None valid=1 id=0 state=ALIVE : ENABLE NONE
name=Permanent Enable valid=1 id=0 state=ALIVE : ENABLE
name=Permanent None valid=1 id=0 state=ALIVE : NONE
name=Permanent Local valid=1 id=0 state=ALIVE : LOCAL
name=Permanent rcmd valid=1 id=0 state=ALIVE : RCMD
**Logs from the switch where AD access is successful:
Aug 28 04:33:47.600 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 04:33:47 GMT Fri Aug 28 2015
Aug 28 04:35:02.617 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 04:35:02 GMT Fri Aug 28 2015
Aug 28 06:03:07.310 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 06:03:07 GMT Fri Aug 28 2015
Do you think restarting the ACS services will do the trick?
Any help will be appreciated. Thanks.
08-28-2015 02:06 PM
Hello Carlos,
You might also want to enable the following debugs to make completely sure you are getting an "access-accept" or "access-reject" from the ACS server:
"debug tacacs" or "debug radius" (depending on which you are using)
Now, when you check the ACS reports, are you able to see the authentication request attempt? It should be listed under the "Monitoring and Reports" section.
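As an added example (not part of either post above, and not Cisco code): a small Python correlator over the %SEC_LOGIN syslog lines quoted in the thread. It flags a LOGIN_SUCCESS that follows a LOGIN_FAILED from the same source on the same switch within a short window, which is exactly the shape of SW09's log (AAA rejects, then the session completes with the local account), and lists the switches that only ever show clean successes. It also notes when the login arrived on localport 23, i.e. over Telnet, since a fallback credential typed over a cleartext session is worth knowing about. The hostname prefix on each sample line (what a syslog collector would record), the 30-second window and the healthy switch's name "SW01" are assumptions; the message text itself is taken from the thread.

```python
"""Correlate IOS %SEC_LOGIN events: "AAA rejected, then someone got in anyway".

Added example for the thread above, not from the original posts or from Cisco.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input: the thread's syslog lines, prefixed with a hostname
# the way a central syslog collector would store them. "SW01" is made up.
SAMPLE_LOG = """\
SW09 Aug 28 05:52:23.841 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.254.253.222] [localport: 23] [Reason: Login Authentication Failed] at 05:52:23 GMT Fri Aug 28 2015
SW09 Aug 28 05:52:24.504 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: LOCAL] [Source: 10.254.253.222] [localport: 23] at 05:52:24 GMT Fri Aug 28 2015
SW01 Aug 28 04:33:47.600 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 04:33:47 GMT Fri Aug 28 2015
SW01 Aug 28 04:35:02.617 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 04:35:02 GMT Fri Aug 28 2015
"""

# One regex for both message variants; the [Reason: ...] field only exists on
# LOGIN_FAILED. The trailing "at HH:MM:SS TZ Dow Mon DD YYYY" carries the year,
# which the leading timestamp lacks. The timezone token is matched but ignored.
LOGIN_RE = re.compile(
    r"^(?P<host>\S+) .*?%SEC_LOGIN-\d-(?P<result>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]+)\])? "
    r"at (?P<clock>\d{2}:\d{2}:\d{2}) \w+ (?P<date>\w{3} \w{3} \d{1,2} \d{4})$"
)


@dataclass
class LoginEvent:
    host: str
    when: datetime
    result: str            # LOGIN_FAILED or LOGIN_SUCCESS
    user: str              # may be empty: IOS prints "[user: ]" for some sessions
    src: str
    port: int
    reason: Optional[str]  # only set on LOGIN_FAILED


@dataclass
class Finding:
    host: str
    src: str
    failed_at: datetime
    succeeded_at: datetime
    success_user: str
    reason: str
    telnet: bool           # localport 23 means the session was cleartext Telnet


def parse_events(text: str) -> List[LoginEvent]:
    """Parse %SEC_LOGIN lines; prompts ("SW09#") and debug lines are skipped."""
    events: List[LoginEvent] = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['clock']} {m['date']}", "%H:%M:%S %a %b %d %Y")
        events.append(LoginEvent(m["host"], when, m["result"], m["user"],
                                 m["src"], int(m["port"]), m["reason"]))
    return events


def find_fallback_logins(events: List[LoginEvent],
                         window: timedelta = timedelta(seconds=30)) -> List[Finding]:
    """Flag a LOGIN_SUCCESS within `window` of a LOGIN_FAILED from the same source
    on the same device. Only the most recent failure per source is kept, so one
    success cannot be paired with several stale failures."""
    findings: List[Finding] = []
    by_host: Dict[str, List[LoginEvent]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.when)
        pending: Dict[str, LoginEvent] = {}  # src -> latest unmatched failure
        for ev in evs:
            if ev.result == "LOGIN_FAILED":
                pending[ev.src] = ev
                continue
            fail = pending.pop(ev.src, None)
            if fail is not None and ev.when - fail.when <= window:
                findings.append(Finding(host, ev.src, fail.when, ev.when, ev.user,
                                        fail.reason or "", ev.port == 23))
    return findings


def hosts_without_fallback(events: List[LoginEvent], findings: List[Finding]) -> List[str]:
    """Devices that logged successes but were never flagged: the AAA path works there."""
    flagged = {f.host for f in findings}
    return sorted({e.host for e in events if e.result == "LOGIN_SUCCESS"} - flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = find_fallback_logins(evs)
    for f in hits:
        print(f"{f.host}: {f.src} failed ({f.reason}) at {f.failed_at:%H:%M:%S}, "
              f"then logged in as '{f.success_user}' at {f.succeeded_at:%H:%M:%S}"
              f"{' over Telnet' if f.telnet else ''}")
    print("clean AAA logins only:", ", ".join(hosts_without_fallback(evs, hits)))
```

Run against a real collector export, the output separates the switches whose operators are quietly falling back to local credentials from those where TACACS+ is doing its job, which is the list to hand to whoever is reading the ACS "Monitoring and Reports" view. Pairing on source address rather than username is deliberate: IOS often logs "[user: ]" with no name, as the lines above show.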