05-25-2011 09:04 AM - edited 03-10-2019 06:06 PM
Getting started on ACS 5.0, pretty comfortable with 4.x.
I think I've got everything set up to authenticate against AD for TACACS+ device logins. When I check the logs, I see:
"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly; however, if I enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If I look at the TACACS+ debugs on the switch, I see the following:
May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERROR
May 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
"Unknown" is very unhelpful....suggestions on what to check? Obviously the switch is communicating with ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD, since it knows when I put in an incorrect password for the specific user.
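The symptom in this post is a mismatch between the two log sources: the switch reports AUTHEN status = ERROR (the server returned no verdict) rather than FAIL (the server rejected the credentials), and ACS logs nothing for the same attempt. The following is an added triage script, not code from the original post or from Cisco, that parses switch debug lines in the format quoted above and reconciles them with ACS log events. The sample lines and the ACS event list are constructed for illustration (only the ERROR/abort pair and message code 24408 come from the post); the correlation window and the success event's code are assumptions.

```python
import re

# Constructed sample input in the format quoted in the post. The ERROR/abort pair is the
# post's own output; the FAIL and PASS sessions are constructed for illustration.
SAMPLE_DEBUG = """\
May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERROR
May 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
May 25 10:56:01.100 CDT: TAC+: ver=192 id=874699085 received AUTHEN status = FAIL
May 25 10:57:12.500 CDT: TAC+: ver=192 id=874699086 received AUTHEN status = PASS
"""

# Constructed ACS-side events. 24408 is the message code quoted in the post; the
# success event's code "CONSTRUCTED" is a placeholder, not a real ACS message code.
SAMPLE_ACS = [
    {"time": "10:56:01", "code": "24408",
     "message": "User authentication against Active Directory failed since user has entered the wrong password"},
    {"time": "10:57:12", "code": "CONSTRUCTED", "message": "Authentication succeeded (constructed event)"},
]

TIME_RE = re.compile(r"^\w{3} \d{1,2} (?P<time>\d\d:\d\d:\d\d(?:\.\d+)?)")
STATUS_RE = re.compile(r"TAC\+: ver=(?P<ver>\d+) id=(?P<id>\d+) received AUTHEN status = (?P<status>[A-Z]+)")
ABORT_RE = re.compile(r"TAC\+: send abort reason=(?P<reason>\S+)")

# FAIL means the server evaluated the credentials and rejected them; ERROR means the
# server never produced a verdict, which points at the ACS side (policy, identity
# store, patch level) rather than at the user's password.
VERDICT = {
    "PASS": "credentials accepted",
    "FAIL": "credentials rejected by server (check AD password/account state)",
    "ERROR": "server-side error, no verdict (check ACS policy/identity store/patch level)",
}


def _seconds_of_day(stamp):
    """'10:55:07.927' -> seconds since midnight (float); dates are ignored for this comparison."""
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def triage_tacacs_debug(text):
    """Parse switch debug output into {session_id: {time, status, meaning, abort}}."""
    sessions = {}
    last_id = None
    for line in text.splitlines():
        t = TIME_RE.match(line)
        m = STATUS_RE.search(line)
        if m and t:
            status = m.group("status")
            sessions[m.group("id")] = {
                "time": _seconds_of_day(t.group("time")),
                "status": status,
                "meaning": VERDICT.get(status, "unrecognised status"),
                "abort": None,
            }
            last_id = m.group("id")
            continue
        m = ABORT_RE.search(line)
        if m and last_id is not None:
            # The abort line carries no session id; attribute it to the most recent session.
            sessions[last_id]["abort"] = m.group("reason")
    return sessions


def reconcile(sessions, acs_events, window=5.0):
    """Pair each switch session with ACS events within `window` seconds (assumed value)
    and flag ERROR sessions for which ACS recorded nothing, the pattern in the post."""
    findings = []
    for sid, s in sessions.items():
        nearby = [e for e in acs_events
                  if abs(_seconds_of_day(e["time"]) - s["time"]) <= window]
        if s["status"] == "ERROR" and not nearby:
            findings.append((sid, "ERROR with no ACS log entry: request reached ACS but "
                                  "was aborted before a pass/fail decision was logged"))
        elif s["status"] == "FAIL" and any(e["code"] == "24408" for e in nearby):
            findings.append((sid, "FAIL confirmed by ACS 24408 (wrong AD password)"))
        else:
            findings.append((sid, f"{s['status']}: {len(nearby)} ACS event(s) nearby"))
    return findings


if __name__ == "__main__":
    parsed = triage_tacacs_debug(SAMPLE_DEBUG)
    for sid, info in parsed.items():
        print(sid, info["status"], "abort=" + str(info["abort"]), "->", info["meaning"])
    for sid, finding in reconcile(parsed, SAMPLE_ACS):
        print(sid, finding)
```

Reading the two logs together is the useful check: a FAIL on the switch paired with a 24408 on ACS is a credential problem, while an ERROR on the switch with no ACS record means the request was accepted by the server but never reached a logged decision, so the place to look is ACS itself rather than AD or the user's password.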
05-25-2011 09:15 AM
Did you really mean 5.0?
The reason I ask is that the latest ACS version is ACS 5.2, and so if you are just getting started I would suggest using this latest version.
05-26-2011 10:07 AM
Yeah, looks like it may have been an issue with 5.0.0.21. Put patch 9 on it and it's happy (more or less). Upgrading to 5.1 as we speak.
Now to find the spot where I can restrict non-admins from device admin. Looks like I just need to change some policy rules that only allow a specific group permission.