Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Troubleshooting Information for Cisco Secure ACS

This appendix provides information about some basic problems and describes how to resolve them.

Find the condition that you are trying to resolve, and then carefully work through each recovery action listed for it.

Administration Issues

Condition: Remote administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted.

Recovery Action:

Ping the machine running Cisco Secure ACS to confirm connectivity.

Verify that the remote administrator is using a valid administrator name and password that has already been added in Administration Control.

Verify that Java functionality is enabled in the browser.

Determine whether the remote administrator is trying to administer Cisco Secure ACS through a firewall, through a device performing network address translation, or from a browser configured to use an HTTP proxy server. For more information about accessing the HTML interface in these networking scenarios, see Network Environments and Remote Administrative Sessions.

Condition: Unauthorized users can log in.

Recovery Action: Reject listed IP addresses is selected, but no start or stop IP addresses are listed. Go to Administrator Control: Access Policy and specify the Start IP Address and Stop IP Address.

Condition: Restart Services does not work.

Recovery Action: The system is not responding. To manually restart services, from the Windows Start menu, choose Control Panel > Services. Click CSAdmin, then Stop, and then Start.

Condition: Cannot install Novell NDS database authentication.

Recovery Action: Make sure Novell Requestor is installed on the same Windows NT/2000 server as Cisco Secure ACS.

Condition: No remote administrators can log in.

Recovery Action: Allow only listed IP addresses to connect is selected, but no start or stop IP addresses are listed. Go to Administrator Control: Access Policy and specify the Start IP Address and Stop IP Address.

Condition: Administrator configured for event notification is not receiving e-mail.

Recovery Action: Make sure that the SMTP server name is correct. If the name is correct, make sure that the Cisco Secure ACS machine can ping the SMTP server or can send e-mail via a third-party e-mail software package. Make sure you have not used underscores in the e-mail address.



Browser Issues

Condition: The browser cannot bring up the Cisco Secure ACS HTML interface.

Recovery Action: Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser. See System Requirements for a list of browsers supported by Cisco Secure ACS and the Release Notes for known issues with a particular browser version.

For information about various network scenarios that affect remote administrative sessions, see Network Environments and Remote Administrative Sessions.

Condition: The browser displays the Java message that your session connection is lost.

Recovery Action: Check the idle timeout value for remote administrators in the Administration Control window. Increase the value as needed.

Condition: Administrator database appears corrupted.

Recovery Action: The remote Netscape client is caching the password. If you specify an incorrect password, it is cached, and when you attempt to reauthenticate with the correct password, the incorrect password is sent. Clear the cache before attempting to reauthenticate, or close the browser and open a new session.



Cisco IOS Issues

Condition: Under EXEC Commands, Cisco IOS commands are not being denied when checked.

Recovery Action: Examine the Cisco IOS configuration at the AAA client. If not already present, add the following Cisco IOS command to the AAA client configuration (the keyword is commands, and <0-15> is the privilege level to which the authorization applies):

aaa authorization commands <0-15> default group tacacs+

The correct syntax for the arguments in the text box is permit argument or deny argument.

Condition: Administrator has been locked out of the AAA client because of an incorrect configuration being set up in the AAA client.

Recovery Action: Try to connect directly to the AAA client at the console port. If that is not successful, consult your AAA client documentation or go to Cisco.com regarding password recovery procedures on your AAA client. For more information, see the "Cisco.com" section.

Condition: IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T.

Recovery Action: Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, a few attributes are not yet supported or require a later version of the Cisco IOS software. The following attributes fall into this category:

Number   Attribute             Supported
17       Change Password       11.3
21       Password-Expiration   11.3
35       Login-LAT-Node        No
36       Login-LAT-Group       No

Condition: AAA client times out when authenticating against Windows NT/2000.

Recovery Action: Increase the TACACS+ timeout interval from the default of 5 seconds to 20 seconds. Set the Cisco IOS command as follows:

tacacs-server timeout 20


Database Issues

Condition: RDBMS Synchronization is not operating properly.

Recovery Action: Make sure the correct server is listed in the Partners list.

Condition: Database Replication is not operating properly.

Recovery Action:

Make sure you have set the server correctly as either Send or Receive.

On the sending server, make sure the receiving server is in the Replication list.

On the receiving server, make sure the sending server is selected in the Accept Replication from list.

Make sure that the replication schedule on the sending Cisco Secure ACS does not conflict with the replication schedule on the receiving Cisco Secure ACS.

If the receiving server has dual network cards, on the sending server add an AAA server to the AAA Servers table in Network Configuration for every IP address of the receiving server. If the sending server has dual network cards, on the receiving server add an AAA server to the AAA Servers table in Network Configuration for every IP address of the sending server.

Condition: The external user database is not available in the Group Mapping section.

Recovery Action: The external database has not been configured in External User Databases, or the username and password have been typed incorrectly. Make sure the username and password are correct. Click the applicable external database to configure it.

Condition: External databases are not operating properly.

Recovery Action: Make sure a two-way trust (for the dial-in check) has been established between the Cisco Secure ACS domain and the other domains. Turn logging to the maximum and check the CSAuth service log file for any debug messages beginning with [External DB]. See Setting Up Event Logging.



Dial-in Connection Issues

Condition: A dial-in user is unable to make a connection to the AAA client. No record of the attempt appears in either the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting, RADIUS Accounting, or Failed Attempts).

Recovery Action: Examine the Cisco Secure ACS reports or the AAA client debug output to narrow the problem to a system error or a user error. Confirm the following:

  • The dial-in user was able to establish a connection and ping the Windows NT/2000 server before Cisco Secure ACS was installed. If the dial-in user could not, the problem is related to the AAA client or modem configuration, not to Cisco Secure ACS.

  • LAN connections for both the AAA client and the Windows NT/2000 server supporting Cisco Secure ACS are physically connected.

  • The IP address of the AAA client in the Cisco Secure ACS configuration is correct.

  • The IP address of Cisco Secure ACS in the AAA client configuration is correct.

  • The TACACS+ or RADIUS key in the AAA client and in Cisco Secure ACS are identical (case sensitive).

  • The command ppp authentication pap is entered for each interface, if the Windows NT/2000 user database is being used.

  • The command ppp authentication chap pap is entered for each interface, if the Cisco Secure ACS database is being used.

  • The AAA and TACACS+ or RADIUS commands are correct in the AAA client. The necessary commands are listed in the following files:

    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt

  • The Cisco Secure ACS services (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs) are running on the Windows NT/2000 server.
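
The AAA-client items in the checklist above (shared key identical and case sensitive, ppp authentication pap or ppp authentication chap pap on each PPP interface depending on the user database) and the two Cisco IOS commands from the Cisco IOS Issues section (aaa authorization commands for EXEC command checking, tacacs-server timeout 20) can be checked mechanically against a saved running-config before opening the reports. The following Python script is an added example for this guide; it is not Cisco's code and not part of Cisco Secure ACS. The sample configuration, the names split_config and check_aaa_client, and the wording of the findings are all constructed here. It assumes the Cisco IOS keyword for EXEC command authorization is commands (aaa authorization commands <level> default group tacacs+) and that interface sub-commands are indented by one space, as they are in show running-config output.

```python
import re

# Constructed sample running-config of a dial-in AAA client (not from a real device).
SAMPLE_CONFIG = """\
hostname nas-1
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ppp authentication pap
!
tacacs-server host 10.0.0.5
tacacs-server timeout 5
tacacs-server key S3cret
"""


def split_config(config):
    """Split a running-config into top-level commands and per-interface sub-commands.

    Interface sub-commands are assumed to be indented by one space, as in
    'show running-config' output; a '!' line ends the current interface block.
    """
    top, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            top.append(line)
    return top, interfaces


def check_aaa_client(config, database="ciscosecure", expected_key=None, min_timeout=20):
    """Return the checklist items that the AAA client configuration fails (empty list = all found).

    database:     "windows" (expects ppp authentication pap) or "ciscosecure" (expects ppp authentication chap pap)
    expected_key: the shared secret entered in Cisco Secure ACS, compared case-sensitively when given
    min_timeout:  tacacs-server timeout (seconds) below which a finding is raised
    """
    top, interfaces = split_config(config)
    findings = []

    if "aaa new-model" not in top:
        findings.append("missing 'aaa new-model'")

    uses_tacacs = any(l.startswith("tacacs-server host") for l in top)
    uses_radius = any(l.startswith("radius-server host") for l in top)
    if not (uses_tacacs or uses_radius):
        findings.append("no tacacs-server host or radius-server host pointing at Cisco Secure ACS")

    # Shared key: must exist and be identical to the key on Cisco Secure ACS (case sensitive).
    key = None
    for line in top:
        m = re.match(r"(?:tacacs|radius)-server key (\S+)", line)
        if m:
            key = m.group(1)
    if key is None:
        findings.append("no TACACS+/RADIUS shared key configured")
    elif expected_key is not None and key != expected_key:
        findings.append("shared key differs from the Cisco Secure ACS key (keys are case sensitive)")

    if uses_tacacs:
        # Timeout: the IOS default is 5 seconds; the guide recommends 20 for Windows NT/2000 authentication.
        timeout = 5
        for line in top:
            m = re.match(r"tacacs-server timeout (\d+)", line)
            if m:
                timeout = int(m.group(1))
        if timeout < min_timeout:
            findings.append(f"tacacs-server timeout {timeout} is below {min_timeout} seconds")

        # EXEC command authorization: without this line the deny rules in ACS are never consulted.
        if not any(re.match(r"aaa authorization commands \d+ default group tacacs\+", l) for l in top):
            findings.append("no 'aaa authorization commands <level> default group tacacs+' line")

    # PPP authentication method per interface depends on which user database ACS consults.
    expected = "ppp authentication pap" if database == "windows" else "ppp authentication chap pap"
    for name, body in interfaces.items():
        if "encapsulation ppp" in body and expected not in body:
            findings.append(f"{name}: expected '{expected}' for the {database} database")

    return findings


if __name__ == "__main__":
    for finding in check_aaa_client(SAMPLE_CONFIG, expected_key="s3cret"):
        print("FINDING:", finding)
```

Run check_aaa_client on the text of show running-config; pass database="windows" when the Windows NT/2000 user database is in use, and expected_key to compare the key with the one entered in Cisco Secure ACS. On the constructed sample the script reports the case-mismatched key, the 5-second timeout, the missing command-authorization line, and Async1 using pap where the CiscoSecure database needs chap pap.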

Condition: A dial-in user is unable to make a connection to the AAA client. The Windows NT/2000 user database is being used for authentication, and it resides on the same machine as Cisco Secure ACS. A record of a failed attempt appears in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).

Recovery Action: The user information is not properly configured for authentication in Windows NT/2000 or Cisco Secure ACS.

From the Windows NT User Manager or Windows 2000 Active Directory Users and Computers, confirm the following:

  • The username and password are configured in Windows NT User Manager or Windows 2000 Active Directory Users and Computers.

  • The User Properties window does not have User Must Change Password at Login enabled.

  • The User Properties window does not have Account Disabled selected.

  • The User Properties dial-in window does not have Grant dial-in permission to user disabled, if Cisco Secure ACS is using this option for authenticating.

From within Cisco Secure ACS, confirm the following:

  • If the username has already been entered into Cisco Secure ACS, a Windows NT/2000 database configuration is selected in the Password Authentication list in User Setup for the user.

  • If the username has already been entered into Cisco Secure ACS, the Cisco Secure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP, or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

  • The user's expiration information in the Windows NT/2000 database has not caused failed authentication. For troubleshooting purposes, disable password expiry for the user in the Windows NT/2000 database.

Click External User Databases, click List All Databases Configured, and then make sure that the database configuration for Windows NT/2000 is listed.

Check the Unknown User Policy to make sure that Fail the Attempt is not selected.

Select the Selected Databases check box on the Unknown User Policy page in the External User Databases section.

Verify that the Windows NT/2000 group to which the user belongs has not been mapped to No Access.

Condition: A dial-in user is unable to make a connection to the AAA client. The CiscoSecure user database is being used for authentication. A record of a failed attempt is displayed in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).

Recovery Action: From within Cisco Secure ACS, confirm the following:

  • The username has been entered into Cisco Secure ACS.

  • CiscoSecure user database is selected in the Password Authentication list, and a password has been entered in User Setup for the user.

  • The Cisco Secure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP, or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

  • Expiration information has not caused failed authentication. Set Expiration to Never for troubleshooting.

Condition: A dial-in user is unable to make a connection to the AAA client; however, a Telnet connection can be authenticated across the LAN.

Recovery Action: This isolates the problem to one of three areas:

  • Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

  • The user is not assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

  • The Cisco Secure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client. The necessary commands are listed in the following files:

    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt
    Program Files\CiscoSecure ACS vx.x\README.TXT

You can additionally verify Cisco Secure ACS connectivity by Telnetting to the access server from a workstation connected to the LAN. A successful authentication for Telnet confirms that Cisco Secure ACS is working with the AAA client.

Condition: A dial-in user is unable to make a connection to the AAA client, and a Telnet connection cannot be authenticated across the LAN.

Recovery Action: Determine whether Cisco Secure ACS is receiving the request by viewing the Cisco Secure ACS reports. Based on what does not appear in the reports and which database is being used, troubleshoot the problem based on one of the following:

  • Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

  • The user does not exist in the Windows NT/2000 user database or the CiscoSecure user database, or might not have the correct password. Authentication parameters can be modified under User Setup.

  • The Cisco Secure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client. The necessary commands are listed in the following files:

    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt
    Program Files\CiscoSecure ACS vx.x\README.TXT


Debug Issues

Condition: When running debug aaa authentication on the AAA client, a failure message is returned from Cisco Secure ACS.

Recovery Action: The configuration of the AAA client or of Cisco Secure ACS is likely at fault.

From within Cisco Secure ACS, confirm the following:

  • Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports. Based on what does or does not appear in the reports and which database is being used, troubleshoot Cisco Secure ACS based on one of the first three listings under Dial-in Connection Issues.

From the AAA client, confirm the following:

  • The command ppp authentication pap is entered for each interface, if authentication against the Windows NT/2000 user database is being used.

  • The command ppp authentication chap pap is entered for each interface, if authentication against the CiscoSecure user database is being used.

  • The AAA and TACACS+ or RADIUS configuration is correct in the AAA client. The necessary commands are listed in the following files:

    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt
    Program Files\CiscoSecure ACS vx.x\README.TXT

Condition: When running debug aaa authentication and debug aaa authorization on the AAA client, a PASS is returned for authentication, but a FAIL is returned for authorization.

Recovery Action: This problem occurs because authorization rights are not correctly assigned.

From Cisco Secure ACS User Setup, confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, it might not have been enabled in Interface Configuration: TACACS+ (Cisco IOS) or RADIUS.



Proxy Issues

Condition: Proxy fails.

Recovery Action:

Make sure that the direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.

Make sure the shared secret (key) matches the shared secret of one or both Cisco Secure ACS servers.

Make sure the character string and delimiter match the stripping information configured in the Proxy Distribution Table, and that the position is set correctly to either Prefix or Suffix.

One or more servers are down, or no fallback server is configured. Go to Network Configuration and configure a fallback server. Fallback servers are used only under the following circumstances:

  • The remote Cisco Secure ACS is down.

  • One or more services (CSTacacs, CSRadius, or CSAuth) are down.

  • The secret key is misconfigured.

  • Inbound/Outbound messaging is misconfigured.
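
To see why the character string, the delimiter and the Prefix/Suffix position all have to agree before a username is forwarded, and when a fallback server comes into play, here is a small Python model of Proxy Distribution Table matching. It is an added example, not Cisco's code and not how Cisco Secure ACS is implemented internally; ProxyEntry, match_entry and resolve_proxy, the table rows, the server names and the reachability map are all constructed for the illustration. It treats a username that matches no entry as falling through to the default entry, which here means local authentication.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProxyEntry:
    """One row of a Proxy Distribution Table (simplified model, constructed for this example)."""
    match: str          # character string to look for in the username
    position: str       # "prefix" or "suffix": where the string sits relative to the delimiter
    delimiter: str      # character that separates the string from the rest of the username
    strip: bool         # True: forward the username with the string and delimiter removed
    servers: List[str]  # forwarding servers in priority order; later ones are fallbacks


def match_entry(username: str, entry: ProxyEntry) -> Tuple[bool, str]:
    """Return (matched, username_to_forward).

    The string, the delimiter and the position must all agree with the
    username; a wrong delimiter or the wrong position is simply no match.
    """
    if entry.position == "prefix":
        token = entry.match + entry.delimiter
        if username.startswith(token):
            return True, username[len(token):] if entry.strip else username
    elif entry.position == "suffix":
        token = entry.delimiter + entry.match
        if username.endswith(token):
            return True, username[:-len(token)] if entry.strip else username
    return False, username


def resolve_proxy(username: str, table: List[ProxyEntry],
                  reachable: Dict[str, bool]) -> Tuple[Optional[str], str]:
    """Decide which server authenticates `username`.

    Returns ("local", username) when no entry matches (the default entry),
    (server, forwarded_name) for the first reachable server of the first
    matching entry, or (None, forwarded_name) when every server of that
    entry is down and no fallback remains.
    """
    for entry in table:
        matched, forwarded = match_entry(username, entry)
        if matched:
            for server in entry.servers:
                if reachable.get(server, False):
                    return server, forwarded
            return None, forwarded
    return "local", username


# Constructed table: ACME\user names are stripped and sent to acs-east with acs-west
# as fallback; user@corp.example names go unstripped to acs-corp.
TABLE = [
    ProxyEntry("ACME", "prefix", "\\", True, ["acs-east", "acs-west"]),
    ProxyEntry("corp.example", "suffix", "@", False, ["acs-corp"]),
]

# Constructed reachability: acs-east is down, so ACME users should land on acs-west.
REACHABLE = {"acs-east": False, "acs-west": True, "acs-corp": True}


if __name__ == "__main__":
    for name in ["ACME\\alice", "bob@corp.example", "carol", "ACME/alice"]:
        print(name, "->", resolve_proxy(name, TABLE, REACHABLE))
```

The fourth sample name, ACME/alice, shows the failure the recovery action warns about: the character string is right but the delimiter is not, so the entry does not match and the request never reaches the remote server. The last case in the test shows the other warning: when every server of the matching entry is down and no fallback is configured, nothing can authenticate the user.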



Installation and Upgrade Issues

Condition: The following error message displays when you try to upgrade or uninstall Cisco Secure ACS:

The following file is invalid or the data is corrupted "DelsL1.isu"

Recovery Action: From the Windows NT/2000 Registry, delete the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CiscoSecure

Condition: All previous accounting logs are missing.

Recovery Action: If you are reinstalling or upgrading the Cisco Secure ACS software, the log files are deleted unless they were moved to another directory location beforehand.



MaxSessions Issues

Condition: MaxSessions over VPDN is not working.

Recovery Action: The use of MaxSessions over VPDN is not supported.

Condition: User MaxSessions fluctuates or is unreliable.

Recovery Action: Services were restarted, possibly because the connection between Cisco Secure ACS and the AAA client is unstable. Clear the Single Connect TACACS+ AAA Client check box.



Report Issues

Condition: The active.csv report is blank.

Recovery Action: You changed protocol configurations recently. Whenever protocol configurations change, the existing active.csv report file is renamed to yyyy-mm-dd.csv, and a new, blank active.csv report is generated.

Condition: A report is blank.

Recovery Action: Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to CiscoSecure ACS for Windows NT.

Condition: No Unknown User information is included in reports.

Recovery Action: The Unknown User database was changed. Accounting reports will still contain unknown user information.

Condition: Two entries are logged for one user session.

Recovery Action: Make sure that remote logging and the Send Accounting Information fields in the Proxy Distribution Table are not configured to send accounting packets to the same location.

Condition: After you have changed the date format, the Logged-In User list and the CSAdmin log still display dates in the old format.

Recovery Action: Restart the CSAdmin service by clicking X in the upper right corner of the HTML interface.



Third-Party Server Issues

Condition: You cannot properly implement the RSA token server.

Recovery Action:

1. Log in to the Windows NT/2000 server on which Cisco Secure ACS is installed. (Make sure your login account has administrative privileges.)

2. Make sure the RSA Client software is installed on the same Windows NT/2000 server as Cisco Secure ACS.

3. Follow the setup instructions. Do not restart at the end of the installation.

4. Get the file named sdconf.rec, located in the /data directory of the RSA ACE server.

5. Place sdconf.rec on the Windows NT/2000 server in the %SystemRoot%\system32 directory.

6. Make sure you can ping the machine that is running the ACE server by hostname. (You might need to add the machine to the lmhosts file.)

7. Verify that support for RSA is enabled in External User Database: Database Configuration in Cisco Secure ACS.

8. Run Test Authentication from the Windows NT/2000 server control panel for the ACE/Client application.

9. From Cisco Secure ACS, install the token server.



PIX Firewall Issues

Condition: Remote administrator cannot bring up Cisco Secure ACS from his or her browser or receives a warning that access is not permitted.

Recovery Action: If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.

To administer Cisco Secure ACS through a firewall, you must configure an HTTP port range in System Configuration: Access Policy. The PIX Firewall must be configured to permit HTTP traffic over all ports included in the range specified in Cisco Secure ACS. For more information, see Access Policy.



User Authentication Issues

Condition: After the administrator removes the Check NT Callback setting from External User Databases: Database Configuration: Windows NT/2000: Configuration, Windows NT/2000 database users can still dial in and apply the Callback string configured under the Windows NT/2000 user database.

Recovery Action: Restart the Cisco Secure ACS services.

Condition: Callback is not working.

Recovery Action: Ensure that callback works on the AAA client using local authentication. Then add AAA authentication.

Condition: User authentication fails when using PAP.

Recovery Action: Outbound PAP is not enabled. If the Failed Attempts report shows that you are using outbound PAP, go to Interface Configuration and select the Per-User Advanced TACACS+ Features check box. Then go to User Setup: Advanced TACACS+ Settings. Click TACACS+ Enable Control, and type and confirm the password in the TACACS+ Outbound Password box.

Condition: Unknown users are not authenticated.

Recovery Action: Go to External User Databases: Unknown User Policy. Click Check the following external user databases. From the External Databases list, select the database(s) against which to authenticate unknown users. Click —> (the right arrow button) to add the database to the Selected Databases list. Click Up or Down to move the database into the desired position in the authentication hierarchy.

If you are using the Cisco Secure ACS Unknown User feature, external databases can authenticate using only PAP.

Condition: User did not inherit settings from new group.

Recovery Action: Users moved to a new group inherit the new group's settings, but they keep their existing user settings. Manually change the settings in User Settings.

Condition: User can authenticate, but authorizations are different from expected.

Recovery Action: Different vendors use different AV pairs. AV pairs not used in one vendor's protocol are ignored by another vendor's protocol. Make sure the user settings reflect the correct vendor protocol; for example, Cisco RADIUS.

Condition: User cannot log in.

Recovery Action: Re-enable the user account or reset the failed attempts counter.

Condition: Authentication fails.

Recovery Action: The retry interval is too short. (The default is 5 seconds.) Increase the retry interval on the AAA client to 20 seconds or greater (tacacs-server timeout 20). Check the Failed Attempts report.



TACACS+ and RADIUS Attribute Issues

Condition: TACACS+ and RADIUS attributes do not appear on the Group Setup page.

Recovery Action: Ensure that you have at least one RADIUS or TACACS+ AAA client configured in the Network Configuration section and that, in the Interface Configuration section, you have enabled the attributes you need to configure.

Note   Some attributes are not customer-configurable in Cisco Secure ACS; instead, their values are set by Cisco Secure ACS.

Beginning with Cisco Secure ACS Version 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and callback supersede the following attributes:

TACACS+

addr
addr-pool
callback-dialstring

Ascend RADIUS

8, Framed-IP-Address
19, Callback-Number
218, Ascend-Assign-IP-Pool

Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).

Condition: Novell NDS or Generic LDAP Group Mapping is not working correctly.

Recovery Action: Make sure you have correctly configured Group Mapping for the applicable database. For more information, see Database Group Mappings.