333 Views | 0 Helpful | 1 Replies

ACS Login Failing on Switches

Hi Team,

I'm running ACS 5.5 on a server.

I have an issue wherein I am failing to authenticate via AD (TACACS) on some of my switches but am able to log in normally to others. What I did was navigate via Network Resources > Network Devices and AAA Clients, duplicate a switch entry (one that I'm able to log in to normally) and then just change the IP to that of the switch that I'm having trouble logging in to. Still, the issue persists.

I am, though, able to log in via the local account as a fallback.

-Basically, the switches that I'm having trouble logging in to have the exact same setup (both config and ACS setup) as the ones with no issues.

-I already tried everything, such as replicating every single config from the switches with successful login to the ones that fail, but no joy.

-Made sure that the shared secret matches.

-The switch can reach the ACS server.

**debug aaa authentication on the failing switch shows:

Aug 28 05:52:20.955 GMT: AAA/BIND(0000004D): Bind i/f
Aug 28 05:52:20.955 GMT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'COMPANY'
SW09#
Aug 28 05:52:23.841 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.254.253.222] [localport: 23] [Reason: Login Authentication Failed] at 05:52:23 GMT Fri Aug 28 2015
SW09#
Aug 28 05:52:23.841 GMT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'COMPANY'
SW09#
Aug 28 05:52:24.504 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: LOCAL] [Source: 10.254.253.222] [localport: 23] at 05:52:24 GMT Fri Aug 28 2015

SW09#show aaa method-lists authentication
authen queue=AAA_ML_AUTHEN_LOGIN
  name=REGUS valid=1 id=0 state=ALIVE : SERVER_GROUP COMPANY_ACS LOCAL
authen queue=AAA_ML_AUTHEN_ENABLE
authen queue=AAA_ML_AUTHEN_PPP
authen queue=AAA_ML_AUTHEN_SGBP
authen queue=AAA_ML_AUTHEN_ARAP
authen queue=AAA_ML_AUTHEN_DOT1X
authen queue=AAA_ML_AUTHEN_8021X
authen queue=AAA_ML_AUTHEN_EAPOUDP
authen queue=AAA_ML_AUTHEN_DOT1X
permanent lists
  name=Permanent Enable None valid=1 id=0 state=ALIVE : ENABLE  NONE
  name=Permanent Enable valid=1 id=0 state=ALIVE : ENABLE
  name=Permanent None valid=1 id=0 state=ALIVE : NONE
  name=Permanent Local valid=1 id=0 state=ALIVE : LOCAL
  name=Permanent rcmd valid=1 id=0 state=ALIVE : RCMD

**Logs from the switch where AD access is successful:

Aug 28 04:33:47.600 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 04:33:47 GMT Fri Aug 28 2015
Aug 28 04:35:02.617 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 04:35:02 GMT Fri Aug 28 2015
Aug 28 06:03:07.310 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 06:03:07 GMT Fri Aug 28 2015

Do you think restarting the ACS services will do the trick?

Any help will be appreciated. Thanks.
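
The interesting part of the posted debug is the sequence on SW09: a LOGIN_FAILED for the TACACS attempt, then a LOGIN_SUCCESS for user LOCAL from the same source address and service port about a second later. Whatever the cause on the ACS side, a switch landing on a local account is worth alerting on in its own right, since local accounts are also where logins end up when the server group is unreachable or a secret gets changed. The following is an added example, not part of the thread and not Cisco code: a small Python correlator over %SEC_LOGIN syslog lines that flags every local-account login and classifies those preceded by a failure from the same source as the fail-then-fall-back pattern seen above. The set of local usernames is a parameter (here just LOCAL, taken from the posted log); the sample log is constructed from the post's lines plus one made-up login from a second address.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the lines SW09 printed in the post (AAA debug, prompt echoes
# and %SEC_LOGIN syslogs) plus one fabricated local-account login from another
# source, so the correlation has an unrelated event to leave alone.
SAMPLE_LOG = """\
Aug 28 05:52:20.955 GMT: AAA/BIND(0000004D): Bind i/f
Aug 28 05:52:20.955 GMT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'COMPANY'
SW09#
Aug 28 05:52:23.841 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.254.253.222] [localport: 23] [Reason: Login Authentication Failed] at 05:52:23 GMT Fri Aug 28 2015
SW09#
Aug 28 05:52:23.841 GMT: AAA/AUTHEN/LOGIN (0000004D): Pick method list 'COMPANY'
SW09#
Aug 28 05:52:24.504 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: LOCAL] [Source: 10.254.253.222] [localport: 23] at 05:52:24 GMT Fri Aug 28 2015
Aug 28 06:03:07.310 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 10.254.253.222] [localport: 23] at 06:03:07 GMT Fri Aug 28 2015
Aug 28 06:10:00.000 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: LOCAL] [Source: 10.254.253.9] [localport: 22] at 06:10:00 GMT Fri Aug 28 2015
"""

# Timestamp, event name and the bracketed fields IOS prints for %SEC_LOGIN.
SEC_LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+) \S+: "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): [^\[]*"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_sec_login(line):
    """Return the fields of a %SEC_LOGIN line, or None for any other line
    (AAA debug output, prompt echoes, and so on)."""
    m = SEC_LOGIN_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"),  # the line carries no year
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
        "port": int(m["port"]),      # local TCP port: 23 telnet, 22 ssh
    }


def find_local_fallbacks(lines, local_users, window=timedelta(seconds=30)):
    """Flag every successful login under a local account. If the same source
    address and service port had a LOGIN_FAILED within `window` before it, report
    it as the fail-then-fall-back pattern; otherwise as a plain local login."""
    events = sorted((e for e in map(parse_sec_login, lines) if e), key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "LOGIN_SUCCESS" or ev["user"] not in local_users:
            continue
        prior_failures = [
            p for p in events[:i]
            if p["event"] == "LOGIN_FAILED"
            and p["src"] == ev["src"] and p["port"] == ev["port"]
            and ev["ts"] - p["ts"] <= window
        ]
        findings.append({
            "ts": ev["ts"], "src": ev["src"], "port": ev["port"], "user": ev["user"],
            "kind": "aaa_fallback_to_local" if prior_failures else "local_account_login",
            "failed_attempts": len(prior_failures),
        })
    return findings


if __name__ == "__main__":
    for f in find_local_fallbacks(SAMPLE_LOG.splitlines(), {"LOCAL"}):
        print("%s %-22s %s:%d user=%s failures_before=%d"
              % (f["ts"].strftime("%b %d %H:%M:%S"), f["kind"], f["src"], f["port"],
                 f["user"], f["failed_attempts"]))
```

Feed it the output of a syslog collector rather than a debug session in practice; the AAA/BIND and AAA/AUTHEN lines are only in the sample to show that the parser ignores them. The local username set should come from the `username` commands actually configured on the switches, not from a hard-coded guess.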

1 Reply

Ivan Gonzalez
Cisco Employee

Hello Carlos,

You might also want to enable the following debugs to make completely sure you are getting an "access-accept" or "access-reject" from the ACS server:

"debug tacacs" or "debug radius" (depending on what you are using).

Now, when you check the ACS reports, are you able to see the authentication attempt? It should be listed under the "Monitoring and Reports" section.
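
The reply is about getting `debug tacacs` to show whether ACS actually answered with a PASS or a FAIL, and it helps to know what the switch is parsing when it makes that call. The following is an added example, not code from the thread, from Cisco or from ACS: a minimal Python model of a TACACS+ authentication REPLY as defined in RFC 8907, in which the shared secret is used only to derive the MD5 pseudo-pad that hides the packet body. Decoding the same packet with the right secret gives a clean PASS; decoding it with a secret that differs by one character gives a body whose status and length fields do not reconcile. That is why a secret mismatch does not surface as a reject but as an invalid or error packet, and why "the shared secret matches" is worth confirming on both ends (the `tacacs-server key` on the switch and the device entry under Network Resources in ACS) rather than assumed. The session id, secrets and server message are invented test values.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907. The header is 12 bytes; an authentication REPLY
# body is status(1) flags(1) server_msg_len(2) data_len(2) followed by the two strings.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
REPLY = struct.Struct("!BBHH")      # status, flags, server_msg_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the digests are
    concatenated and truncated to the body length. The secret enters only here."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status, server_msg=b"", data=b"", flags=0):
    return REPLY.pack(status, flags, len(server_msg), len(data)) + server_msg + data


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN, minor=0):
    """Server side: wrap a body in a TACACS+ header and obfuscate it with `key`."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_authen_reply(packet, key):
    """NAS side: strip the pad with the switch's own copy of the key, then sanity-check
    the result. A mismatched key yields a body whose status and length fields do not
    add up, which the NAS must treat as an error rather than as a FAIL."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    raw = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = raw          # cleartext mode exists in the spec; never acceptable in production
    else:
        body = xor_body(raw, session_id, key, version, seq_no)
    if len(body) < REPLY.size:
        return {"valid": False, "status": "SHORT", "server_msg": b""}
    status, _rflags, msg_len, data_len = REPLY.unpack(body[:REPLY.size])
    valid = status in AUTHEN_STATUS and REPLY.size + msg_len + data_len == length
    return {
        "valid": valid,
        "status": AUTHEN_STATUS.get(status, "UNKNOWN(0x%02x)" % status),
        "server_msg": body[REPLY.size:REPLY.size + msg_len] if valid else b"",
    }


if __name__ == "__main__":
    # Invented session id and secrets; on IOS the NAS-side value is `tacacs-server key`.
    sid, good, wrong = 0x1234ABCD, b"s3cr3t", b"s3cret"
    pkt = build_packet(build_authen_reply(0x01, b"AD user accepted"), sid, good, seq_no=2)
    print("matching key  :", parse_authen_reply(pkt, good))
    print("mismatched key:", parse_authen_reply(pkt, wrong))
```

Run it as a script to see the two parses side by side. The distinction matters for the method list in the post (server group first, then local): a server that answers FAIL ends the login, while an ERROR or an undecodable packet makes IOS move on to the next method, which is how a key mismatch can end with a local-account login instead of a visible reject in the ACS reports.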