05-04-2012 06:19 AM - edited 03-10-2019 07:04 PM
Hello,
I have an ACS 4.0 server that I use to authenticate the routers and switches on the network. It's been working fine for 4 years, but over the last two days I can only log in to devices via the local password. Routing between the server and the devices on the network seems fine and I can ping everything. I have restarted the services on the ACS server and even rebooted the server, but still no luck.
Nothing has changed on the routers & switches, i.e. aaa new-model etc. is all still in place.
Anyone seen this issue before?
thanks
Kevin
05-04-2012 08:19 AM
Well, kinda hard to know what's going on, but I'd start eliminating things.
Try plugging a router/switch into the same switch where the ACS is plugged in; maybe there is an ACL somewhere that's stopping the ports or so.
05-04-2012 08:33 AM
It's a strange one. Even the switch where the ACS is plugged in can't authenticate. Maybe it's an issue with the ACS software, though I can't think what's changed (I don't think anything has). It's also funny in that it's not failing back to the local username and password. It's as if it knows that the TACACS server is there, and it also shows you as authenticated successfully in the ACS logs even though it fails on the device.
05-06-2012 09:00 PM
Is it failing for multiple users or just one?
What do the ACS event logs say?
05-08-2012 01:45 AM
It's failing for all users. The ACS event logs are saying: CS password invalid
All connectivity from the network to and from the server is fine. We think we might need to rebuild the server.
05-14-2012 12:16 AM
In a nutshell, when you have to fall back to local users defined on the router, given that the first option in the method list is your ACS server, it means one thing: no reply is coming from the ACS.
This can be due to many reasons:
- ACS services are dead or not handling the request properly. You need to check the CSTACACS and CSAUTH services on the ACS.
- The ACS is responding but the response is never received on the AAA client.
In our case I can see that the ACS is saying "invalid CS password", which means that the ACS is rejecting the request; accordingly this reply should be sent back to the AAA client, which should fail the authentication and never fail over to the local database on the AAA client.
In the meantime we need to have the following:
- Set the logging level to Full on the ACS.
- Try to authenticate through that AAA client.
- Capture the username and the timestamp for the try.
- Collect the package.cab and then send the TCS.log and auth.log files that correlate to the timestamps of the try.
Regards
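The fallback rule described above (and the confusion about it later in the thread) can be made concrete with a small model of an IOS-style AAA method list. This is an added illustration, not code from the thread or from Cisco; the ACS states, usernames and passwords are constructed, and `login` models the method list `group tacacs+ local`.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # server accepted the credentials
    FAIL = "fail"    # server answered and explicitly rejected them
    ERROR = "error"  # no answer: timeout, unreachable, dead service

def run_method_list(methods, user, password):
    """Walk a method list the way an IOS AAA login method list does.

    Only ERROR (no reply) moves on to the next method. FAIL is final,
    so a reachable server that rejects the user never falls back to local.
    Returns (method that decided, authenticated).
    """
    for name, method in methods:
        result = method(user, password)
        if result is Result.PASS:
            return name, True
        if result is Result.FAIL:
            return name, False
        # Result.ERROR: try the next method
    return None, False  # every method errored: login refused

def make_tacacs(mode):
    """Constructed stand-in for the ACS in one of three states."""
    def tacacs(user, password):
        if mode == "down":
            return Result.ERROR  # services dead or packets never arrive
        if mode == "reject":
            return Result.FAIL   # the thread's 'CS password invalid' case
        return Result.PASS if (user, password) == ("kevin", "tacacs-pw") else Result.FAIL
    return tacacs

LOCAL_USERS = {"admin": "local-pw"}  # constructed local user database

def local(user, password):
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL

def login(acs_mode, user, password):
    """Models 'aaa authentication login default group tacacs+ local'."""
    methods = [("tacacs+", make_tacacs(acs_mode)), ("local", local)]
    return run_method_list(methods, user, password)

if __name__ == "__main__":
    print(login("reject", "admin", "local-pw"))  # ('tacacs+', False): no fallback
    print(login("down", "admin", "local-pw"))    # ('local', True): fallback works
    print(login("up", "kevin", "tacacs-pw"))     # ('tacacs+', True)
```

The "reject" case is the one in this thread: the ACS is up and answering, so the reject is final and the local password is never consulted; only the "down" case reaches the local database.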
06-06-2012 08:56 AM
Eventually got to the bottom of this one. Restored the database on the server and restarted all the services.
thanks
Kevin
06-06-2012 10:36 AM
After restoring, is the result the same, or is it working fine now? Because when you have the AAA pointed to the ACS in the devices, it will not fall back to the local database unless and until the ACS server goes down / is not reachable. I'm a bit confused here.
06-07-2012 01:09 AM
It's working fine. The reason devices would not fall back to the local database was because the ACS server was actually up and devices were still trying to authenticate. But the server got itself into a bit of a muddle and needed rebooting with the Cisco ACS services restarted.