Spotty ACS Login Prompt On Cisco Network Devices

jjbowers1
Level 1

We're using Cisco Secure ACS 5.1.0.44 for LDAP (Active Directory) authentication on our Cisco devices. The login prompt is spotty at times. I have noticed that two like devices, say two 1231 APs with the exact same configurations and IOS, minus device name and IP address of course, on the same subnet, do not respond to ACS the same way. One prompts for domain credentials and the other just asks for a password. The thing that sucks is that half the time the ACS fails, the old vty login password no longer works either, so I can no longer access the device.

Also, the device that failed to prompt for the domain credentials takes an extremely long time to prompt for a password and then takes an extremely long time to authenticate the password.

$ telnet x.x.x.x
Trying...   <----------  this takes up to 10 seconds or longer.
Connected to x.x.x.x
Escape character is '^]'.

Password: vty password works most times, but not all

The other responds appropriately:

$ telnet x.x.x.x
Trying...   <----------  This is instantaneous.
Connected to x.x.x.x
Escape character is '^]'.

Corp Domain Username: user

Password: xxxx

What gives?!?!?!?!?!?  It's driving me nuts!!!!!!!!!!!!!!!!

1 Reply

jjbowers1
Level 1

The odd password problem stems from the delay from when the AP is expecting the password and when it actually prompts on the screen. Basically, if I wait for the password prompt it's too late because the password timeout has already occurred.

I believe it may be an IOS problem.  I got the bootloader version confused with the IOS.

Anybody got a list of AP IOS versions supported by ACS 5.1.0.44? The following link sucks, http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/device_support/sdt51.html, and Cisco's website is too convoluted to be much help.