CWLMS 3.2 and ACS 5.2 (Authentication Problem)

Amir Mehri
Level 1

Hello dear,

Before I had this problem, I had installed CWLMS 3.2 and ACS 4.2 and everything was OK, but after upgrading ACS 4.2 to ACS 5.2, CWLMS can't authenticate to devices and get their configuration. I checked everything, including credentials, and I debugged AAA authentication and TACACS on the devices. It seems the devices cannot get the username from CWLMS.

I also ran PuTTY on the CWLMS server and tried to telnet to the devices with the ACS username and password, and as a result there is no problem: I can telnet to a device with the ACS username and password without any problem.

The text below is the debug output on the devices when CWLMS tries to archive the configuration:

R#

Aug 27 05:10:11.571: AAA/BIND(00000064): Bind i/f

Aug 27 05:10:11.571: AAA/AUTHEN/LOGIN (00000064): Pick method list 'CACS'

Aug 27 05:10:11.575: TPLUS: Queuing AAA Authentication request 100 for processing

Aug 27 05:10:11.575: TPLUS: processing authentication start request id 100

Aug 27 05:10:11.575: TPLUS: Authentication start packet created for 100()

Aug 27 05:10:11.575: TPLUS: Using server 10.0.51.56

Aug 27 05:10:11.575: TPLUS(00000064)/0/NB_WAIT/62D13F98: Started 5 sec timeout

Aug 27 05:10:11.691: TPLUS(00000064)/0/NB_WAIT: socket event 2

Aug 27 05:10:11.691: TPLUS(00000064)/0/NB_WAIT: wrote entire 36 bytes request

Aug 27 05:10:11.691: TPLUS(00000064)/0/READ: socket event 1

Aug 27 05:10:11.691: TPLUS(00000064)/0/READ: Would block while reading

Aug 27 05:10:11.747: TPLUS(00000064)/0/READ: socket event 1

Aug 27 05:10:11.747: TPLUS(00000064)/0/READ: read entire 12 header bytes (expect 16 bytes data)

Aug 27 05:10:11.747: TPLUS(00000064)/0/READ: socket event 1

Aug 27 05:10:11.747: TPLUS(00000064)/0/READ: read entire 28 bytes response

Aug 27 05:10:11.747: TPLUS(00000064)/0/62D13F98: Processing the reply packet

Aug 27 05:10:11.747: TPLUS: Received authen response status GET_USER (7)

R#

R#

Aug 27 05:10:44.168: AAA/BIND(00000065): Bind i/f

Aug 27 05:10:44.172: AAA/AUTHEN/LOGIN (00000065): Pick method list 'CACS'

Aug 27 05:10:44.172: TPLUS: Queuing AAA Authentication request 101 for processing

Aug 27 05:10:44.172: TPLUS: processing authentication start request id 101

Aug 27 05:10:44.172: TPLUS: Authentication start packet created for 101()

Aug 27 05:10:44.172: TPLUS: Using server 10.0.51.56

Aug 27 05:10:44.172: TPLUS(00000065)/0/NB_WAIT/62D00D90: Started 5 sec timeout

Aug 27 05:10:44.284: TPLUS(00000065)/0/NB_WAIT: socket event 2

Aug 27 05:10:44.288: TPLUS(00000065)/0/NB_WAIT: wrote entire 36 bytes request

Aug 27 05:10:44.288: TPLUS(00000065)/0/READ: socket event 1

Aug 27 05:10:44.288: TPLUS(00000065)/0/READ: Would block while reading

Aug 27 05:10:44.344: TPLUS(00000065)/0/READ: socket event 1

Aug 27 05:10:44.344: TPLUS(00000065)/0/READ: read entire 12 header bytes (expect 16 bytes data)

Aug 27 05:10:44.344: TPLUS(00000065)/0/READ: socket event 1

Aug 27 05:10:44.344: TPLUS(00000065)/0/READ: read entire 28 bytes response

Aug 27 05:10:44.344: TPLUS(00000065)/0/62D00D90: Processing the reply packet

Aug 27 05:10:44.344: TPLUS: Received authen response status GET_USER (7)

R#

R#

Aug 27 05:11:17.169: AAA/BIND(00000066): Bind i/f

Aug 27 05:11:17.173: AAA/AUTHEN/LOGIN (00000066): Pick method list 'CACS'

Aug 27 05:11:17.173: TPLUS: Queuing AAA Authentication request 102 for processing

Aug 27 05:11:17.173: TPLUS: processing authentication start request id 102

Aug 27 05:11:17.173: TPLUS: Authentication start packet created for 102()

Aug 27 05:11:17.173: TPLUS: Using server 10.0.51.56

Aug 27 05:11:17.177: TPLUS(00000066)/0/NB_WAIT/62D00D90: Started 5 sec timeout

Aug 27 05:11:17.293: TPLUS(00000066)/0/NB_WAIT: socket event 2

Aug 27 05:11:17.293: TPLUS(00000066)/0/NB_WAIT: wrote entire 36 bytes request

Aug 27 05:11:17.293: TPLUS(00000066)/0/READ: socket event 1

Aug 27 05:11:17.293: TPLUS(00000066)/0/READ: Would block while reading

Aug 27 05:11:17.349: TPLUS(00000066)/0/READ: socket event 1

Aug 27 05:11:17.349: TPLUS(00000066)/0/READ: read entire 12 header bytes (expect 16 bytes data)

Aug 27 05:11:17.349: TPLUS(00000066)/0/READ: socket event 1

Aug 27 05:11:17.349: TPLUS(00000066)/0/READ: read entire 28 bytes response

Aug 27 05:11:17.349: TPLUS(00000066)/0/62D00D90: Processing the reply packet

Aug 27 05:11:17.349: TPLUS: Received authen response status GET_USER (7)

R#


And the text below is the output of debug aaa authentication and debug tacacs authentication when I telnet to the device using PuTTY.

***************** LOGIN **********************

R#
R#
Aug 27 05:07:25.673: AAA/BIND(00000063): Bind i/f
Aug 27 05:07:25.673: AAA/AUTHEN/LOGIN (00000063): Pick method list 'CACS'
Aug 27 05:07:25.677: TPLUS: Queuing AAA Authentication request 99 for processing
Aug 27 05:07:25.677: TPLUS: processing authentication start request id 99
Aug 27 05:07:25.677: TPLUS: Authentication start packet created for 99()
Aug 27 05:07:25.677: TPLUS: Using server 10.0.51.56
Aug 27 05:07:25.677: TPLUS(00000063)/0/NB_WAIT/62D00D90: Started 5 sec timeout
Aug 27 05:07:25.789: TPLUS(00000063)/0/NB_WAIT: socket event 2
Aug 27 05:07:25.793: TPLUS(00000063)/0/NB_WAIT: wrote entire 36 bytes request
Aug 27 05:07:25.793: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:25.793: TPLUS(00000063)/0/READ: Would block while reading
Aug 27 05:07:25.852: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:25.852: TPLUS(00000063)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Aug 27 05:07:25.852: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:25.852: TPLUS(00000063)/0/READ: read entire 28 bytes response
Aug 27 05:07:25.852: TPLUS(00000063)/0/62D00D90: Processing the reply packet
Aug 27 05:07:25.852: TPLUS: Received authen response status GET_USER (7)
R#
R#

***************** USERNAME **********************
R#
R#
Aug 27 05:07:36.693: TPLUS: Queuing AAA Authentication request 99 for processing
Aug 27 05:07:36.693: TPLUS: processing authentication continue request id 99
Aug 27 05:07:36.693: TPLUS: Authentication continue packet generated for 99
Aug 27 05:07:36.693: TPLUS(00000063)/0/WRITE/62D13F98: Started 5 sec timeout
Aug 27 05:07:36.693: TPLUS(00000063)/0/WRITE: wrote entire 21 bytes request
Aug 27 05:07:36.745: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:36.745: TPLUS(00000063)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Aug 27 05:07:36.745: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:36.745: TPLUS(00000063)/0/READ: read entire 28 bytes response
Aug 27 05:07:36.745: TPLUS(00000063)/0/62D13F98: Processing the reply packet
Aug 27 05:07:36.745: TPLUS: Received authen response status GET_PASSWORD (8)
R#
R#

***************** PASSWORD **********************
R#
R#
Aug 27 05:07:45.482: TPLUS: Queuing AAA Authentication request 99 for processing
Aug 27 05:07:45.482: TPLUS: processing authentication continue request id 99
Aug 27 05:07:45.482: TPLUS: Authentication continue packet generated for 99
Aug 27 05:07:45.482: TPLUS(00000063)/0/WRITE/62D13F98: Started 5 sec timeout
Aug 27 05:07:45.482: TPLUS(00000063)/0/WRITE: wrote entire 27 bytes request
Aug 27 05:07:45.618: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:45.618: TPLUS(00000063)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Aug 27 05:07:45.618: TPLUS(00000063)/0/READ: socket event 1
Aug 27 05:07:45.618: TPLUS(00000063)/0/READ: read entire 18 bytes response
Aug 27 05:07:45.618: TPLUS(00000063)/0/62D13F98: Processing the reply packet
Aug 27 05:07:45.618: TPLUS: Received authen response status PASS (2)
R#
R#

***************** EXIT **********************

R#
Aug 27 05:09:08.103: AAA: parse name=tty194 idb type=-1 tty=-1
Aug 27 05:09:08.103: AAA: name=tty194 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=194 channel=0
Aug 27 05:09:08.103: AAA/MEMORY: create_user (0x630A48AC) user='amir' ruser='R' ds0=0 port='tty194' rem_addr='10.0.50.27' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)
Aug 27 05:09:08.443: TAC+: (817278840): received author response status = PASS_ADD
Aug 27 05:09:08.443: AAA/MEMORY: free_user (0x630A48AC) user='amir' ruser='R' port='tty194' rem_addr='10.0.50.27' authen_type=ASCII service=NONE priv=0 vrf= (id=0)
R#

3 Replies

Gaganjeet Chug
Level 4

Hi Amir,

LMS 3.2 is not supported with ACS 5.2.

Cisco Secure ACS Support for Common Services Client Applications

CiscoWorks Common Services supports ACS mode of authentication and authorization. To use this mode, you must have a Cisco Secure ACS (Access Control Server), installed on your network. Common Services 3.3 supports the following versions of Cisco Secure ACS:

Cisco Secure ACS 3.2 for Windows Server

Cisco Secure ACS 3.2.3 for Windows Server

Cisco Secure ACS 3.3.2 for Windows Server

Cisco Secure ACS 3.3.3 for Windows Server

Cisco Secure ACS 3.3.4 for Windows Server

Cisco Secure ACS 4.0.1 for Windows Server

Cisco Secure ACS 4.1 for Windows Server

Cisco Secure ACS 4.1.1 for Windows Server

Cisco Secure ACS 4.1.4 for Windows Server

Cisco Secure ACS 4.2 for Windows Server

Cisco Secure ACS 5.0 (only for authentication services)

Cisco Secure Appliance 3.3.3

Cisco Secure Appliance 3.3.4

Cisco Secure Appliance 4.0.1

Cisco Secure Appliance 4.1

Cisco Secure Appliance 4.1.1

Cisco Secure Appliance 4.1.4

Cisco Secure Appliance 4.2

Cisco Secure Appliance 5.0 (only for authentication services)

Link:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/user/guide/admin.html#wp796634

Hope it helps,

Many Thanks,

Gaganjeet

Hi dear Gaganjeet Chugh,

Thanks for your reply. I think I have another story: I didn't integrate CWLMS with ACS, and CWLMS does not know anything about TACACS and the ACS server and just wants to telnet into devices.

Please give me more explanation if I made a mistake.

Thank you

Hi Amir,

Thanks for the clarification. Kindly run the credentials verification report for the 2 problematic devices and share the same here.

Many Thanks,

Gaganjeet
