Failed logins from Cisco routers to ACS

Hey guys, we're set up with a pair of data centers. The sites are mirrors of each other. DC1 hosts the ACS server. We've created a management network behind a Palo Alto in each DC. DC1 Cisco devices don't have any issues getting authenticated to the ACS server via TACACS. We get failed logins from every device in DC2 that sits behind that Palo Alto. I had Palo Alto tech support verify that both PAs are set up correctly. In the packet capture I took I see the 3-way handshake between the router and ACS, but then the ACS sends a FIN,ACK and kills the connection. I checked the ACS TACACS monitor, but it's not logging the attempted login. Is there a way to dig deeper into the ACS GUI and look at the data stream? I tried to SSH in to the ACS, but I don't have the correct credentials. Any guidance would be greatly appreciated!

RichardAtkin
Level 3

Run a tcpdump on ACS (or span the switchport it uses and capture that) and you'll see exactly what is / is not being sent to ACS.

 

Can the non-working boxes definitely communicate with ACS properly? No NAT boundaries in the way? Proved you can ping both ways? FW isn't complaining about something? All the right ports are open on the FW and on any ACLs? Got the correct IP addresses defined in ACS?

 

For RADIUS - UDP 1812 (Auth),1813 (Acct), 1700(CoA)

For TACACS+ - TCP/UDP 49
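To make the capture-based check above concrete, here is an added example (not from this thread or from Cisco) that classifies TCP/49 flows from packet summaries such as you would transcribe from a tcpdump on the ACS side, and flags the exact symptom in the question: handshake completed, then FIN,ACK from the server with no TACACS+ payload. The addresses and packet list are constructed.

```python
from collections import defaultdict

TACACS_PORT = 49

def flow_key(pkt):
    """Key a packet by (client_ip, client_port, server_ip), whichever way it travels."""
    if pkt["dport"] == TACACS_PORT:
        return (pkt["src"], pkt["sport"], pkt["dst"])
    return (pkt["dst"], pkt["dport"], pkt["src"])

def classify_flows(packets):
    """Return {flow_key: verdict} for every TCP/49 flow in the packet list."""
    flows = defaultdict(list)
    for p in packets:
        if TACACS_PORT in (p["sport"], p["dport"]):
            flows[flow_key(p)].append(p)
    verdicts = {}
    for key, pkts in flows.items():
        from_server = [p for p in pkts if p["src"] == key[2]]
        payload = sum(p["len"] for p in pkts)
        if not from_server:
            # Nothing came back: check routing, the firewall and ACLs for TCP/49.
            verdicts[key] = "no_reply"
        elif any("R" in p["flags"] for p in from_server):
            verdicts[key] = "reset"        # the server refused the connection
        elif payload == 0 and any("F" in p["flags"] for p in from_server):
            # The symptom in the question: TCP completes, then the server sends
            # FIN before any TACACS+ payload. Check that the client address as
            # the server sees it (after any NAT) is defined as a client in ACS.
            verdicts[key] = "closed_after_handshake"
        else:
            verdicts[key] = "exchanged_data"
    return verdicts

# Constructed packet summaries as one would transcribe from tcpdump on the
# ACS side (addresses made up): DC1 router works, DC2 router gets FIN,ACK
# right after the handshake, a second DC2 device gets no reply at all.
ACS = "10.0.0.10"
def pkt(src, dst, sport, dport, flags, length=0):
    return dict(src=src, dst=dst, sport=sport, dport=dport, flags=flags, len=length)

SAMPLE = [
    pkt("10.1.1.1", ACS, 40001, 49, "S"), pkt(ACS, "10.1.1.1", 49, 40001, "SA"),
    pkt("10.1.1.1", ACS, 40001, 49, "A"), pkt("10.1.1.1", ACS, 40001, 49, "PA", 28),
    pkt(ACS, "10.1.1.1", 49, 40001, "PA", 16),
    pkt("10.2.1.1", ACS, 40002, 49, "S"), pkt(ACS, "10.2.1.1", 49, 40002, "SA"),
    pkt("10.2.1.1", ACS, 40002, 49, "A"), pkt(ACS, "10.2.1.1", 49, 40002, "FA"),
    pkt("10.2.1.2", ACS, 40003, 49, "S"),
]
```

A flow that ends up as `closed_after_handshake` is the case to compare against the ACS client list and the NAT table on the Palo Alto, since the server accepted the TCP connection but dropped the session before any TACACS+ data.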

 

As a workaround I created an SVI for 192.168.253.3.