cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
555
Views
0
Helpful
2
Replies

Unable to login AAA client

sayast001
Level 1
Level 1

Hi,

I have two ACS servers in my network server-A & Server-B with version 4.2. I am facing issue with one of my AAA client to login with AD credentials or local credentials configured.

Upon analysis I could find low disk space in secondary ACS server, server-B which is causing the issue. However as per my configuration AAA client should reach Server-A instead of server-B. When ever ihave low disk space issue with server-B I am unable to login my AAA client with AD credentials or local.

aaa-server TACSERVER protocol tacacs+

aaa-server TACSERVER (outside) host 10.238.60.45---Server-A

aaa-server TACSERVER (outside) host 10.226.33.64----Server-B

aaa authentication telnet console TACSERVER LOCAL

aaa authentication http console TACSERVER LOCAL

aaa authentication serial console TACSERVER LOCAL

aaa authentication ssh console TACSERVER LOCAL

aaa authentication enable console TACSERVER LOCAL

aaa authorization command TACSERVER LOCAL

aaa accounting enable console TACSERVER

aaa accounting ssh console TACSERVER

aaa accounting telnet console TACSERVER

aaa accounting command TACSERVER

Thanks

Soumya

2 Replies 2

Jatin Katyal
Cisco Employee
Cisco Employee

that's right, the authentication request should reach out to primary tacacs server 10.238.60.45 as it comes first in the sequence. Can you check "show tacacs" output.

Run the follow debugs and see what we get in debugs:

debug tacacs

debug aaa authentication

We can also remove both the servers and re-add them again.

Regarding the low disk issue, please ensure that logging level on that server B is set to low under system configuration > services control. If that is set to high it will fill up the installation directory of the ACS and that can create issues with the disk space.

I would also suggest you to check the ACS installation directory and make sure there are no big log files accumlated. If there are any, I'd say either move those files to a different location or delete them.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Muhammad Munir
Level 5
Level 5

Hi

FYI

A AAA server is a server program that handles user requests for access to computer resources, and for an enterprise, provides AAA services. The AAA server typically interacts with network access and gateway servers, and databases and directories that contain user information. The current standard by which devices or applications communicate with an AAA server is RADIUS.

ACS 5.3 functions as a AAA server for one or more network access devices (NADs). The NADs are clients of the ACS server. You must specify the IP address of ACS on each client NAD, to direct user access requests to ACS by using the RADIUS protocol.

RADIUS is universally used to secure the access of end-users to network resources. A RADIUS server can act as a proxy to other RADIUS servers or other kinds of authentication servers.

The NAD serves as the network gatekeeper and sends an Access-Request to ACS on behalf of the user. ACS verifies the username, password, and possibly other data by using either the internal identity store, or an externally configured LDAP or Windows Active Directory identity store.

ACS ultimately responds to the NAD with either an Access-Reject message or an Access-Accept message that contains a set of authorization attributes.

ACS 5.3 provides network transport over UDP and implements the RADIUS protocol, including RADIUS packet parsing and assembling, necessary data validation, and tracking of duplicate requests.

Some reasons for using UDP are:

• The processing time is only a few seconds.

• No special handling is required for rebooting or offline clients and servers.

• UDP is a connectionless protocol.

• UDP easily implements multithreaded servers to serve multiple client requests.

The UDP-assigned port number for RADIUS are:

• 1812 for access requests

• 1813 for accounting

• 1645 for access requests

• 1646 for accounting

For step by step configuration, please visit given link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/rad_tac_phase.html