
Beginner

TACACS+ Authentication Fails on ACS 5.3 - 24495 Active Directory Servers are not available

We have a four-node ACS deployment and one node is experiencing problems when handling TACACS authentications.

ACS shows "24495 Active Directory Servers are not available"

The ACS log via SSH shows:

Feb 20 03:01:29 DRACS adclient[10643]: WARN <fd:29 CAPIAuthValidatePlainTextUser > audit User 'AHunt' not authenticated: AD was unavailable for Kerberos authentication, and validation against cached hash failed: No user hash in cache for [domain]\ahunt

We're running ACS 5.3 with patch 9

The two scenarios in http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html#err24495 do not seem to be relevant in our case.

ACS shows it is joined to the domain and doing nslookup via SSH lists all the domain controllers.  The other three nodes in the deployment don't have an issue and work correctly.

Any advice or suggestions appreciated.

Thanks,

Andrew.

Enthusiast

TACACS+ Authentication Fails on ACS 5.3 - 24495 Active Directory

Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:

Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch

If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

Beginner

TACACS+ Authentication Fails on ACS 5.3 - 24495 Active Directory

Thanks for the post but this is not our issue.  We don't see that output in the log.  The output is:

Feb 25 02:46:02 DRACS adclient[10643]: WARN  <25 capiauthvalidateplaintextuser=""> audit User 'AHunt' not authenticated: AD was unavailable for Kerberos authentication, and validation against cached hash failed: No user hash in cache for lw\ahunt

This seems awfully like our issue:

http://community.centrify.com/t5/DirectControl-Express-for-UNIX/Maually-specified-DC-s-because-No-DNS-having-issues/td-p/8934

Any thoughts?  Thanks!


Andrew.

Cisco Employee

TACACS+ Authentication Fails on ACS 5.3 - 24495 Active Directory

Have you configured an NTP server in the ACS?
It seems like there is a synchronization problem between ntpd and the NTP server.
Please try to reconfigure the NTP server (if it is there) and test again.
Beginner

TACACS+ Authentication Fails on ACS 5.3 - 24495 Active Directory

Yes, NTP is fine.  This is a four-node ACS deployment and everything was working fine until recently.  However, the issue is actually now fixed.

I issued debug-adclient enable from which I was able to see that the ACS instance was connecting to a DC in Singapore (the ACS box is in California) which led me to assume that the subnet wasn't associated with the correct AD site.  I added the subnet to AD Sites and Services, waited for replication, and then restarted ACS.  It is now associated with the correct local DC and working correctly.  I assume the problem was caused by high latency / timeouts.

Thanks for your help and suggestions.
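As an added illustration of the fix described in the last reply (example code, not from the thread or from Cisco ACS), this Python snippet models how AD's client site lookup works: a longest-prefix match of the client address against the Sites and Services subnet table, then a comparison with the DC the node was actually seen binding to. The subnet table, site names and DC names are constructed, not the poster's environment.

```python
import ipaddress

# Constructed sample of an AD "Sites and Services" subnet table and the DCs
# serving each site (hypothetical names, not the poster's environment).
SUBNETS = {
    "10.10.0.0/16": "California",
    "10.10.5.0/24": "California-Lab",   # more specific prefix inside 10.10.0.0/16
    "10.20.0.0/16": "Singapore",
}
SITE_DCS = {
    "California": ["cadc1.example.test", "cadc2.example.test"],
    "California-Lab": ["labdc1.example.test"],
    "Singapore": ["sgdc1.example.test"],
}


def site_for_ip(ip, subnets=SUBNETS):
    """Map a client address to its AD site using the longest matching prefix.

    Returns None when no subnet covers the address, which is the condition the
    thread ends up diagnosing: the DC locator then cannot pick a local site.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def site_for_dc(dc, site_dcs=SITE_DCS):
    """Reverse lookup: which site a DC name (e.g. seen in debug-adclient) belongs to."""
    for site, dcs in site_dcs.items():
        if dc.lower() in (d.lower() for d in dcs):
            return site
    return None


def diagnose(client_ip, observed_dc, subnets=SUBNETS, site_dcs=SITE_DCS):
    """Compare the site the client should use with the site of the DC it bound to."""
    expected = site_for_ip(client_ip, subnets)
    actual = site_for_dc(observed_dc, site_dcs)
    if expected is None:
        return "uncovered: add a subnet for %s to AD Sites and Services" % client_ip
    if actual is None:
        return "unknown DC %s: not in any site's DC list" % observed_dc
    if expected != actual:
        return "mismatch: expected site %s but bound to %s in %s" % (expected, observed_dc, actual)
    return "ok: %s served by %s (%s)" % (client_ip, observed_dc, actual)
```

Running diagnose() with the ACS node's address and the DC name taken from the debug-adclient output reproduces the two findings from the thread: an uncovered subnet, or a bind to a DC in a remote site.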