12-29-2009 11:36 AM - edited 03-10-2019 04:51 PM
I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?
12-29-2009 09:39 PM
Hi,
Check out the explanation below. What AAA configuration has been done on the ASA and also in ACS?
Explanation: This message indicates that the adaptive security appliance has attempted an authentication, authorization, or accounting request to the AAA server and did not receive a response within the configured timeout window. The AAA server is marked as "failed" and has been removed from service.
Recommended Action: Verify that the AAA server is online and is accessible from the adaptive security appliance.
Regards
Ganesh.H
12-30-2009 03:06 PM
Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS messages are getting to it. My configuration for the ASA for RADIUS is as follows:
Server Group - RADIUS
Protocol - RADIUS
Accounting Mode - Simultaneous
Reactivation Mode - Timed
Max Failed attempts - 3
Two servers in the Server Group
ACS - Not working
Microsoft IAS - Working
I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
ACS is configured as follows
Network Configuration
AAA Clients - ASA authenticate using TACACS+
AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)
12-30-2009 10:13 PM
Hi,
Please check out the following things:-
1) Check that the ASA AAA client IP address configured in ACS is that of the trusted interface from which ACS is reachable. That means if ACS resides on the public zone interface, configure the public interface of the ASA under AAA clients in ACS.
2) In the ASA RADIUS server configuration, check that the authentication port is configured as 1645 at both ends, in the ASA as well as in ACS under the AAA client table.
3) In the ASA, the ACS server should come into the online state, so the RADIUS port needs to have communication between the two.
Hope this helps !!
Regards
Ganesh.H
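Added example, not part of the thread or of Cisco's documentation: the capture in the first post shows the Accounting-Request reaching ACS, and one thing such a capture lets you check offline is whether the request's authenticator (RFC 2866) matches the RADIUS key set in the ACS AAA client entry. The key, NAS address, attribute values and the sample packet are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request (RFC 2866)

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_accounting_request(identifier, attributes, secret):
    """Build the packet a NAS would send: MD5 over the header, 16 zero
    octets, the attributes and the shared secret is the authenticator."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes

def check_accounting_request(payload, secret):
    """Return (ok, reason) for a UDP payload exported from a capture."""
    if len(payload) < 20:
        return False, "shorter than the 20-byte RADIUS header"
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCOUNTING_REQUEST:
        return False, f"code {code} is not an Accounting-Request"
    if length < 20 or length > len(payload):
        return False, "length field does not fit the payload"
    packet = payload[:length]  # drop any padding after the RADIUS message
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if hmac.compare_digest(packet[4:20], expected):
        return True, "authenticator matches this key"
    return False, "authenticator mismatch: NAS and server keys differ"

# Constructed sample: key, NAS address and session values are made up.
NAS_KEY = b"asa-side-key"
SAMPLE = build_accounting_request(
    7,
    attr(1, b"vpnuser")                      # User-Name
    + attr(4, bytes([192, 0, 2, 1]))         # NAS-IP-Address
    + attr(40, struct.pack("!I", 1))         # Acct-Status-Type = Start
    + attr(44, b"0000002a"),                 # Acct-Session-Id
    NAS_KEY,
)

if __name__ == "__main__":
    for key in (NAS_KEY, b"acs-side-key"):
        print(key.decode(), check_accounting_request(SAMPLE, key))
```

A server that computes a different authenticator silently discards the Accounting-Request, which the NAS sees only as a timeout.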