Cisco ACS 5.2: unknown network device or AAA client

staalebotnen
Level 1

We have recently started testing Cisco ACS 5.2, but we are hitting an issue when we try to register a Wireless LAN Controller. Even when the device is registered on the ACS under "Network Devices and AAA Clients" we are getting the following error message in the logs:

"11017 Received TACACS+ packet from unknown Network device or AAA client"

We have deleted and recreated the object, restarted the ACS, verified IP address and netmask, still no luck.

Has anyone experienced something similar? I'm beginning to think we are hitting a bug, but I see there are several posts from people who have successfully set up authentication between an ACS 5.2 and WLC 6...

10 Replies

Tiago Antunes
Cisco Employee

Hi,

What kind of authentication are we talking about?

Clients or the WLC admin users?

If it is clients, then the protocol should be RADIUS...

From the error message the ACS is receiving a TACACS+ packet... so I would say that you are trying to authenticate admin users... is it correct?

Now, is it possible that you have defined the WLC as a RADIUS device and what you want to do is TACACS device (WLC) authentication?

If yes, then I would review the AAA client config to match the protocol.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi,

Both TACACS+ and RADIUS authentication of Admin users. The definitions on the object are correct (tried both as a RADIUS and a TACACS+ object).

I have done some more testing and it turns out that any changes that we do in the "Network Devices or AAA Clients" have no effect: the changes get updated in the GUI but never seem to get activated for real. I tested this by deleting an object, and even when the object is gone I can authenticate with the ACS from that NAS device... So it would seem that we are hitting some bug/corruption. I have created a TAC case with Cisco; this will be the third case since we started implementing the new 5.x version... and we are still in the testing phase.

Hi,

Could it be that you have another ACS and the authentications are going there?

BR,

Tiago

Hi,

We do have two ACSs (Primary/Secondary); authentications go to both of these (we see this in the logs). Both ACSs experience the same issue. So we are currently unable to register any new devices or change existing ones. Currently waiting for the TAC.

Hi,

Please note that changes can only be done on the Primary ACS, and then these changes are mirrored to the other ACS.

HTH,
Tiago


Yes, and this does seem to work fine. Any changes done on primary are quickly replicated to the secondary. But they do not take effect there either...

If you look at the details of the failed authentication, is the IP address shown the same as it is listed for the AAA client?

Yes, the IP address is identical. Another issue we detected now is that this is not only affecting "Network Devices and AAA Clients", but our "Service Selection Rules" as well. We can disable rules, but the counters still increment and the rules still trigger. I'm hoping that we have just been unlucky with our configuration/appliance and that this is not the general state of the product...

On a side note, adding/deleting/modifying users works...

This is a general issue. While the database is replicating OK - you will see updated config data on the GUI on the servers - the piece that updates the protocol component with the new config has stopped, and so no updated configuration will be processed. This will affect all configuration items; the only exception is the internal user data, which is read directly from the database.

You said you have opened a TAC case so they will need to troubleshoot. Only other comments/suggestions:

  • A stop/start on the server "may" recover things
  • Worth checking whether there are any system alarms that relate to this issue
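To separate the two cases the thread distinguishes (a NAS that genuinely is not defined versus one that is defined but still rejected because the runtime config is stale), here is an added triage script; it is not part of the thread or any Cisco tool. The log lines and the device list are constructed samples with hypothetical field names, so adapt the regex to your own ACS report export.

```python
import ipaddress
import re

# Constructed sample of ACS failure-report lines (hypothetical field layout);
# the 11017 message text is the one quoted in the thread.
SAMPLE_LOG = """\
2011-03-01 10:15:02 Failed-Attempt: NAS-IP-Address=10.1.2.5, Message-Code=11017, Message=Received TACACS+ packet from unknown Network device or AAA client
2011-03-01 10:15:09 Failed-Attempt: NAS-IP-Address=10.9.9.9, Message-Code=11017, Message=Received TACACS+ packet from unknown Network device or AAA client
2011-03-01 10:16:00 Passed-Authentication: NAS-IP-Address=10.1.2.5, Message-Code=13000, Message=Login succeeded
"""

# Constructed view of "Network Devices and AAA Clients": IP/netmask per entry
# plus the protocols enabled on it (hypothetical data).
DEVICES = {
    "WLC-01": {"network": "10.1.2.0/24", "protocols": {"TACACS+", "RADIUS"}},
    "core-sw": {"network": "10.1.3.1/32", "protocols": {"TACACS+"}},
}

LOG_RE = re.compile(r"NAS-IP-Address=(?P<ip>[\d.]+),\s*Message-Code=(?P<code>\d+)")


def matching_device(ip, devices, protocol="TACACS+"):
    """Return the name of the device entry whose IP/netmask covers `ip`
    and which has `protocol` enabled, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for name, entry in devices.items():
        if addr in ipaddress.ip_network(entry["network"]) and protocol in entry["protocols"]:
            return name
    return None


def triage_11017(log_text, devices):
    """Classify each 11017 event as 'not_defined' (fix the AAA client entry,
    IP/netmask or protocol) or 'defined_but_rejected' (config covers the NAS,
    so suspect the stale runtime config described in the thread)."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("code") != "11017":
            continue
        dev = matching_device(m.group("ip"), devices)
        results.append({
            "ip": m.group("ip"),
            "device": dev,
            "verdict": "defined_but_rejected" if dev else "not_defined",
        })
    return results
```

A run over the sample flags 10.1.2.5 as covered by WLC-01 yet rejected, while 10.9.9.9 is simply absent from the device list.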

Hi, just out of curiosity,

What browser are you using to browse the ACS?

Can you try with IE to see if the config changes are taken into account?

HTH,
Tiago
