05-10-2008 01:12 AM - edited 03-11-2019 05:42 AM
Routers & switches (outside zone) can't authenticate using ACS (inside zone)
even if I permit any any.
I can telnet to ACS port 49, and I can also ping the ACS,
but there is no failed or passed attempt coming from devices in the outside zone.
05-10-2008 06:26 AM
Have you added the devices in the ACS? Also, have you configured AAA on the routers and switches on the outside? A config of these will help answer better.
05-10-2008 09:10 AM
Raman
If I understand the post from Mohammed correctly there are no failed attempts reported. If the issue were that they were not configured in ACS then there would be entries in the failed attempt log - indicating attempts from an unknown host.
Asking to see some configs from devices that do not work is a very reasonable thing. It would allow us to see if there were issues that might prevent authentication. And it would allow us to see if the source interface is specified. Mohammed says that he can telnet to the server on port 49 which demonstrates that there is IP connectivity using the default choice of interface. I would like to see if that is the same interface that AAA is using.
If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.
HTH
Rick
05-10-2008 09:35 PM
Actually, there is no failed or passed attempt at the ACS server.
The router is choosing to authenticate locally, as if it can't see the ACS.
But why can't it see the ACS?
05-11-2008 02:13 PM
As I suggested in my previous post:
If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.
Please post configs or post debug output.
HTH
Rick