Start troubleshooting Cisco Secure ACS-related AAA problems by examining the Failed Attempts Report under Reports and Activity. The report shows several types of failures.
Authentication Failure
Assuming that Cisco Secure ACS and the router are communicating, the following can be checked. If authenticating against the Windows 2000 user database, check these items:
- Are the username and password being entered correctly? The password is case sensitive.
- Do the username and password exist in the Windows 2000 user database? Check for these in the User Manager.
- Is the dial-in interface on the network access server configured with the ppp authentication pap command?
- Is the "User must change password at next login" check box checked in Windows 2000 Server? Deselect it if it is.
- Does the username have the rights to log on locally in the Windows 2000 Server window (Trust Relationship/Domain)?
- Is Cisco Secure ACS configured to authenticate against the Windows 2000 user database?
- Is Cisco Secure ACS configured to reference the "grant dial-in permission to user" setting (Trust Relationship/Domain)?
- If the username was able to authenticate before and cannot now, is the account disabled on Windows 2000 Server or Cisco Secure ACS?
- Has the password expired on Windows 2000 Server?
- Does the username contain an illegal character?
- Note that Windows 2000 Server will send the domain name together with the username for authentication if dial-up networking is used.
Authorization Failure
If the dial-in user is authenticating but authorization is failing, check the following:
- Are the proper network services checked in the Group Settings area?
- If IP is checked, how is the dial-in user obtaining an IP address?
- Is there an IP pool configured on the NAS?
- Is the name of the IP pool entered in the Group Settings area? (Leave it blank if a default IP pool has been configured.)
- If authorizing commands, has the aaa authorization commands 1 tacacs+ command been entered into the Cisco IOS software configuration? The 1 can be substituted with any privilege level from 0 to 15.
- Has the Permitted radio button for the command been selected?
- Has the Permitted radio button for the argument been selected?
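The NAS-side settings that both checklists above refer to, collected in one minimal Cisco IOS configuration. This is an added example, not configuration from the course text: the server address, pool name, address range and interface are assumed placeholders, and it uses the method-list form of the authorization command found in later IOS releases (older releases accept the shorter form quoted above).

```cisco
! Added example (not from the course text): NAS settings that the
! authentication and authorization checklists expect to find.
aaa new-model
!
! TACACS+ server running Cisco Secure ACS (address assumed). The key must
! match the one entered for this NAS under ACS Network Configuration.
tacacs-server host 10.1.1.10
tacacs-server key <SHARED-KEY-PLACEHOLDER>
!
! Authentication: PPP dial-in users are checked by ACS, which in turn
! checks the Windows 2000 user database. "local" is consulted only if
! no TACACS+ server responds, never after an explicit reject.
aaa authentication ppp default group tacacs+ local
!
! Authorization: network services (PPP/IP) and privilege-level-1 commands
! are decided by the ACS Group Settings. Older IOS releases use the
! shorter "aaa authorization commands 1 tacacs+" form quoted in the text.
aaa authorization network default group tacacs+
aaa authorization commands 1 default group tacacs+
!
! IP pool the dial-in user draws an address from. Its name (DIALIN,
! assumed) must be entered in the ACS Group Settings, or left blank
! there if this is the default pool.
ip local pool DIALIN 192.168.100.2 192.168.100.50
!
! Dial-in interface (assumed Async1): PAP, as the Windows 2000 database
! check requires, with addresses taken from the pool above.
interface Async1
 ip unnumbered Loopback0
 encapsulation ppp
 async mode dedicated
 peer default ip address pool DIALIN
 ppp authentication pap
!
! Verification from privileged EXEC (not configuration mode):
!   show tacacs              - is the ACS server reachable, socket open?
!   debug aaa authentication - which method list handled the attempt
!   debug aaa authorization  - which attribute-value pairs ACS returned
```

Compare the debug output against the matching entry in the Failed Attempts Report: an authentication failure with a working TACACS+ socket points back to the Windows 2000 items, while a successful authentication followed by an authorization reject points to the Group Settings items.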
Additional troubleshooting techniques for the Cisco Secure ACS are
available in the Demonstration Activity below.