
Authentication problem with ACS 4.1 TACACS+ (Windows Server 2000)

Hi everyone!

The problem is:

I have a Cisco ACS 4.1 installed on Windows Server 2000.

There are several Cisco devices authenticating by this ACS.

A few days ago the Cisco devices started failing authentication.

All Cisco devices are configured 100% correctly.


ACS server was reloaded. All ACS services were restarted. That didn't help.

There are no authentication attempts in either the "Failed attempts active.csv" log or AUTH.log.

There are failed login attempts in TCS.log (log excerpt at the bottom of the post).

Local authentication using the tactest.exe utility works correctly.

What might be the problem?


----------------------------

TCS.log:


TCS 09/07/2012 17:22:57 I 1507 3272 0x0 Thread 0 allocated work

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 <<< RECEIVED FROM CLIENT:rt3845 TYPE=AUTHEN/START, SEQ=1, FLAGS=1

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 SESSIONID -2041586819 (0x864fdb7d), DATALEN 23 (0x17)

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 PRIV:1

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 ACTION=login AUTHEN_TYPE=ascii SERVICE=login

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 USERLEN=0 PORTLEN=6 (0x6), REMADDRLEN=9 (0x9) DATALEN=0

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 PORT=tty452

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 REM_ADDR=10.10.10.1

TCS 09/07/2012 17:22:57 I 0043 3272 0x0 END >>>

TCS 09/07/2012 17:22:57 I 0688 4596 0x5e Single Connect thread 3 allocated work

TCS 09/07/2012 17:22:57 I 0043 4596 0x5e <<< PACKET TO CLIENT:rt3845 TYPE:AUTHEN/GETUSER, SEQ 2, FLAGS 1

TCS 09/07/2012 17:22:57 I 0043 4596 0x5e SESSIONID -2041586819 (0x864fdb7d), DATALEN 16 (0x10)

TCS 09/07/2012 17:22:57 I 0043 4596 0x5e type=AUTHEN status=4 (AUTHEN/GETUSER) flags=0x0

TCS 09/07/2012 17:22:57 I 0043 4596 0x5e msg_len=10, data_len=0

TCS 09/07/2012 17:22:57 I 0043 4596 0x5e MSG=Username:

TCS 09/07/2012 17:22:57 I 0043 4596 0x5e End >>>

TCS 09/07/2012 17:22:59 I 0043 3272 0x0 <<< RECEIVED FROM CLIENT:rt3845 TYPE=AUTHEN/CONT, SEQ=3, FLAGS=1

TCS 09/07/2012 17:22:59 I 0043 3272 0x0 SESSIONID -2041586819 (0x864fdb7d), DATALEN 12 (0xc)

TCS 09/07/2012 17:22:59 I 0043 3272 0x0 TYPE=AUTHEN/CONT

TCS 09/07/2012 17:22:59 I 0043 3272 0x0 USER_MSG_LEN=d (0x7), USER_DATA_LEN=7 (0x0) FLAGS=0x0

TCS 09/07/2012 17:22:59 I 0043 3272 0x0 USER_MSG=0d 1f 1a 10 06 0c 07

TCS 09/07/2012 17:22:59 I 0043 3272 0x0 END >>>

TCS 09/07/2012 17:23:04 I 0342 3272 0x0 rt3845: fd 1756 eof (connection closed)

TCS 09/07/2012 17:23:04 I 1498 3272 0x0 Thread 0 waiting for work

TCS 09/07/2012 17:23:10 I 1312 3296 0x3e Cannot connect to TACACS+ server on :49

TCS 09/07/2012 17:23:10 I 0183 3296 0x3e Sending authen error to NAS rt3845 : Authentication Failed : Proxy failure

TCS 09/07/2012 17:23:10 I 0043 3296 0x3e <<< PACKET TO CLIENT:rt3845 TYPE:AUTHEN/ERROR, SEQ 4, FLAGS 1

TCS 09/07/2012 17:23:10 I 0043 3296 0x3e SESSIONID -158650267 (0xf68b3065), DATALEN 43 (0x2b)

TCS 09/07/2012 17:23:10 I 0043 3296 0x3e type=AUTHEN status=7 (AUTHEN/ERROR) flags=0x0

TCS 09/07/2012 17:23:10 I 0043 3296 0x3e msg_len=37, data_len=0

TCS 09/07/2012 17:23:10 I 0043 3296 0x3e MSG=Authentication Failed : Proxy failure

TCS 09/07/2012 17:23:10 I 0043 3296 0x3e End >>>

TCS 09/07/2012 17:23:10 I 0387 3296 0x3e rt3845: error in select fd 1676

TCS 09/07/2012 17:23:10 I 0680 3296 0x3e Single Connect thread 0 waiting for work

TCS 09/07/2012 17:23:22 I 1312 4596 0x5e Cannot connect to TACACS+ server on :49

TCS 09/07/2012 17:23:22 I 0183 4596 0x5e Sending authen error to NAS rt3845 : Authentication Failed : Proxy failure

TCS 09/07/2012 17:23:22 I 0043 4596 0x5e <<< PACKET TO CLIENT:rt3845 TYPE:AUTHEN/ERROR, SEQ 4, FLAGS 1

TCS 09/07/2012 17:23:22 I 0043 4596 0x5e SESSIONID -2041586819 (0x864fdb7d), DATALEN 43 (0x2b)

TCS 09/07/2012 17:23:22 I 0043 4596 0x5e type=AUTHEN status=7 (AUTHEN/ERROR) flags=0x0

TCS 09/07/2012 17:23:22 I 0043 4596 0x5e msg_len=37, data_len=0

TCS 09/07/2012 17:23:22 I 0043 4596 0x5e MSG=Authentication Failed : Proxy failure

TCS 09/07/2012 17:23:22 I 0043 4596 0x5e End >>>

TCS 09/07/2012 17:23:22 I 0387 4596 0x5e rt3845: error in select fd 1756

TCS 09/07/2012 17:23:22 I 0680 4596 0x5e Single Connect thread 3 waiting for work


I hope everybody can help me. I've read all the documentation and haven't found anything.

Looking forward to hearing from you soon.

Thanks!

1 Reply

Hi Bro

From the logs you’ve provided, “TCS 09/07/2012 17:23:10 I 1312 3296 0x3e Cannot connect to TACACS+ server on :49”, it appears that your TACACS service is down.

Since you’ve restarted the CSAdmin services and rebooted the server, and this still doesn’t help, I can only assume that this is a bug issue. Please patch it with ACS for Windows 4.1.4.13.20 cumulative patch (Release Date: 14 Nov 2009).

However, before you proceed to patch your Cisco ACS 4.1, try to increase the TACACS+/RADIUS timeout interval from the default, 5, to 20 in your Cisco devices.

tacacs-server timeout 20

radius-server timeout 20

By the way, have you recently patched your Windows O/S with any Service Packs or updates, etc.? This could be another possible cause as well.

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
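
A small triage script for the TCS.log excerpt discussed in this thread, added here as an example (not code from the post or from Cisco): it pairs each "Cannot connect to TACACS+ server" line with the error then sent to the NAS by the same worker. The column names (code, tid, ctx) and the use of the sixth column as a worker id are assumptions drawn from the excerpt; the sample lines are copied from it.

```python
import re

# Column names (code, tid, ctx) are assumptions inferred from the excerpt.
LINE = re.compile(
    r"^TCS (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<level>\w) "
    r"(?P<code>\d{4}) (?P<tid>\d+) (?P<ctx>0x[0-9a-f]+) (?P<msg>.*)$")
START = re.compile(r"RECEIVED FROM CLIENT:(?P<nas>\S+) TYPE=AUTHEN/START")
CONNECT_FAIL = re.compile(
    r"Cannot connect to TACACS\+ server on (?P<host>\S*):(?P<port>\d+)$")
NAS_ERROR = re.compile(r"Sending authen error to NAS (?P<nas>\S+) : (?P<reason>.+)$")

# Lines copied from the TCS.log excerpt in the post.
SAMPLE = """\
TCS 09/07/2012 17:22:57 I 0043 3272 0x0 <<< RECEIVED FROM CLIENT:rt3845 TYPE=AUTHEN/START, SEQ=1, FLAGS=1
TCS 09/07/2012 17:22:57 I 0043 4596 0x5e <<< PACKET TO CLIENT:rt3845 TYPE:AUTHEN/GETUSER, SEQ 2, FLAGS 1
TCS 09/07/2012 17:23:04 I 0342 3272 0x0 rt3845: fd 1756 eof (connection closed)
TCS 09/07/2012 17:23:10 I 1312 3296 0x3e Cannot connect to TACACS+ server on :49
TCS 09/07/2012 17:23:10 I 0183 3296 0x3e Sending authen error to NAS rt3845 : Authentication Failed : Proxy failure
TCS 09/07/2012 17:23:22 I 1312 4596 0x5e Cannot connect to TACACS+ server on :49
TCS 09/07/2012 17:23:22 I 0183 4596 0x5e Sending authen error to NAS rt3845 : Authentication Failed : Proxy failure
"""

def summarize(text):
    """Return (AUTHEN/START count per NAS, list of upstream-connect failures)."""
    starts, failures, pending = {}, [], {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and anything that is not a TCS record
        msg, tid = m["msg"], m["tid"]
        if s := START.search(msg):
            starts[s["nas"]] = starts.get(s["nas"], 0) + 1
        elif c := CONNECT_FAIL.search(msg):
            # Remember the target until this worker reports the error to the NAS.
            pending[tid] = (c["host"], int(c["port"]))
        elif e := NAS_ERROR.search(msg):
            host, port = pending.pop(tid, (None, None))
            failures.append({"time": m["time"], "nas": e["nas"], "reason": e["reason"],
                             "upstream_host": host, "upstream_port": port})
    return starts, failures

if __name__ == "__main__":
    starts, failures = summarize(SAMPLE)
    print("AUTHEN/START per NAS:", starts)
    for f in failures:
        target = f["upstream_host"] or "<empty host>"
        print(f'{f["time"]} {f["nas"]}: {f["reason"]} (upstream {target}:{f["upstream_port"]})')
```

An empty `upstream_host` reproduces what the excerpt shows: the connect attempt on port 49 has no address in front of the colon.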