Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1045
Views
0
Helpful
0
Comments

CiscoSecure ACS for Windows 3.3 chooses the wrong NDG for NARs when the TACACS+ and the RADIUS NAS use the same IP address

TCC_2
Level 10
Level 10

‎06-22-2009 04:44 PM - edited ‎02-21-2020 09:55 PM

Core issue

This problem occurs due to the presence of Cisco bug ID CSCeg51873.

The CiscoSecure ACS for Windows chooses a TACACS+ Network Device Group (NDG) to apply Network Access Restrictions (NARs), instead of a RADIUS NAR.

This problem occurs when these two conditions are met:

  1. Both a TACACS+ and RADIUS Network Access Server (NAS) are defined with the same IP address and placed in separate NDGs.
     
  2. Authentication is performed through RADIUS.

The NDG that contains the TACACS+ NAS is always used. ACS chooses the wrong NDG for NAR matching. As a result, access is blocked for all users, and the ACS Failed Authentication log displays the User access filtered error message.

Resolution

As a workaround, stop all seven CiscoSecure ACS services in Windows and restart them.

Open a service request with the Cisco Technical Assistance Center (TAC)  for further assistance.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents