Configuring RADIUS and TACACS+ with CSACS
Troubleshooting

Start troubleshooting Cisco Secure ACS-related AAA problems by examining the Failed Attempts Report under Reports and Activity. The report distinguishes several types of failures, so it shows whether a request failed at the authentication or the authorization stage.

Authentication Failure
Assuming that Cisco Secure ACS and the router are communicating, the following can be checked.

If authenticating against the Windows 2000 user database, check these items:

  • Are the username and password being entered correctly? The password is case sensitive.
  • Do the username and password exist in the Windows 2000 user database? Check for these in the User Manager.
  • Is the dial-in interface on the network access server configured with the ppp authentication pap command?
  • Is the User must change password at next login check box checked in Windows 2000 Server? Deselect it if it is.
  • Does the username have the rights to log on locally in the Windows 2000 Server window (Trust Relationship/Domain)?
  • Is Cisco Secure ACS configured to authenticate against the Windows 2000 user database?
  • Is Cisco Secure ACS configured to reference the grant dial-in permission to user setting (Trust Relationship/Domain)?
  • If the username was able to authenticate before and cannot now, is the account disabled on Windows 2000 Server or Cisco Secure ACS?
  • Has the password expired on Windows 2000 Server?
  • Does the username contain an illegal character?
  • If the client is using dial-up networking, Windows 2000 Server sends both the domain name and the username for authentication, so the account must be resolvable under that domain.

Authorization Failure
If the dial-in user is authenticating, but authorization is failing, check the following:

  • Are the proper network services checked in the Group Settings area?
  • If IP is checked, how is the dial-in user obtaining an IP address?
  • Is there an IP pool configured on the NAS?
  • Is the name of the IP pool entered in the Group Settings area? (Leave blank if a default IP pool has been configured.)
  • If authorizing commands, has the aaa authorization commands 1 tacacs+ command been entered into the Cisco IOS software configuration? The 1 can be replaced with any privilege level from 0 to 15.
  • Has the Permitted radio button for the command been selected?
  • Has the Permitted radio button for the argument been selected?
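The following Cisco IOS configuration is an added example, not part of the course text, showing how the NAS-side items in the two checklists above fit together: PPP authentication on the dial-in interface, per-privilege-level command authorization against TACACS+, and a local IP pool whose name must match the one entered in the ACS Group Settings. The server address, shared key, pool name, address range and interface are assumed placeholders, and the choice of RADIUS for PPP and TACACS+ for command authorization is an assumption; the command syntax shown is the named-method-list form (`default group tacacs+`), which is equivalent to the shorter `aaa authorization commands 1 tacacs+` form quoted in the checklist on IOS releases that accept it.

```cisco
! Added example (not from the course text): minimal IOS AAA configuration
! matching the checklist items. 10.0.0.10, ACS-SHARED-KEY, DIALIN-POOL,
! the address range and Async1 are constructed placeholders.
aaa new-model
!
! Cisco Secure ACS reached over TACACS+ (login and command authorization)
! and RADIUS (PPP dial-in). The key must match the one configured in ACS
! for this NAS, or the Failed Attempts Report will not even see the request.
tacacs-server host 10.0.0.10 key ACS-SHARED-KEY
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key ACS-SHARED-KEY
!
! Authentication: device logins via TACACS+, PPP users via RADIUS.
! "local" is a fallback used only when the server does not answer.
aaa authentication login default group tacacs+ local
aaa authentication ppp default group radius local
!
! Authorization: EXEC session and per-command authorization against TACACS+.
! One "aaa authorization commands" line is needed per privilege level
! (0-15) that should be checked; level 1 and 15 are shown here.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Network (PPP/IP) authorization via RADIUS so the ACS Group Settings
! (IP assignment, pool name) are applied to the dial-in session.
aaa authorization network default group radius
!
! Local IP pool: its name must match the pool name entered in the ACS
! Group Settings IP pool field (leave that field blank for a default pool).
ip local pool DIALIN-POOL 192.168.50.10 192.168.50.50
!
! Dial-in interface: PAP authentication, as required for the Windows 2000
! user database check, and addresses taken from the pool above.
interface Async1
 encapsulation ppp
 ppp authentication pap
 peer default ip address pool DIALIN-POOL
!
! Privileged EXEC debugs to pair with the Failed Attempts Report when a
! request fails; disable them with "undebug all" once the cause is found.
! debug aaa authentication
! debug aaa authorization
! debug tacacs
! debug radius
```

When reading the debugs alongside the report, a request that never appears in the Failed Attempts Report points at connectivity or a shared-key mismatch between the NAS and ACS, whereas a request that appears with an authentication failure code points at the user-database items in the first checklist and one with an authorization failure code at the Group Settings items in the second.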

Additional troubleshooting techniques for the Cisco Secure ACS are available in the Demonstration Activity below.

Interactive Media Activity

Demonstration Activity: Troubleshooting Techniques for Cisco Secure ACS 3.3 for Windows

In this activity, students will learn troubleshooting techniques for Cisco Secure ACS 3.3 for Windows.