User Guide for Cisco Secure ACS for Windows Server 3.2
Troubleshooting

Troubleshooting


This appendix describes certain basic problems and how to resolve them.

Each entry states a condition and then the recovery actions for it. Find the condition that you are trying to resolve, and then work carefully through each corresponding recovery action.

This appendix contains the following topics:

Administration Issues

Browser Issues

Cisco IOS Issues

Database Issues

Dial-in Connection Issues

Debug Issues

Proxy Issues

Installation and Upgrade Issues

MaxSessions Issues

Report Issues

Third-Party Server Issues

User Authentication Issues

TACACS+ and RADIUS Attribute Issues

Administration Issues

Condition
Recovery Action

Remote administrator cannot bring up the CiscoSecure ACS HTML interface in a browser or receives a warning that access is not permitted.

Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure Access Control Server for Windows Server Version 3.2 for a list of supported browsers.

Ping CiscoSecure ACS to confirm connectivity.

Verify that the remote administrator is using a valid administrator name and password that have previously been added in Administration Control.

Verify that Java functionality is enabled in the browser.

Determine whether the remote administrator is trying to administer CiscoSecure ACS through a firewall, through a device performing Network Address Translation, or from a browser configured to use an HTTP proxy server. For more information about accessing the HTML interface in these networking scenarios, see Network Environments and Administrative Sessions.

No remote administrators can log in.

The option Allow only listed IP addresses to connect is selected, but no start or end IP addresses are listed. Go to Administration Control > Access Policy and specify the Start IP Address and End IP Address.

Unauthorized users can log in.

The option Reject listed IP addresses is selected, but no start or end IP addresses are listed. Go to Administration Control > Access Policy and specify the Start IP Address and End IP Address.

The Restart Services function does not work.

This may occur if the system is not responding. To manually restart services, from the Windows Start menu, choose Settings > Control Panel > Administrative Tools > Services. Click CSAdmin, and then Stop, and then Start.

If the services do not respond when manually restarted, reboot the server.

Administrator configured for event notification is not receiving e-mail.

Ensure that the SMTP server name is correct. If the name is correct, ensure that the computer running CiscoSecure ACS can ping the SMTP server or can send e-mail via a third-party e-mail software package. Make sure you have not used underscores in the e-mail address.

Remote Administrator receives "Logon failed . . . protocol error" message, when browsing.

Restart the CSAdmin service. To restart the CSAdmin service, from the Windows Start menu choose Control Panel > Services. Click CSAdmin, and then Stop, and then Start.

If necessary, restart the server.

Remote administrator cannot bring up CiscoSecure ACS from his or her browser, or receives a warning that access is not permitted.

If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.

To administer CiscoSecure ACS through a firewall, you must configure an HTTP port range in Administration Control > Access Policy. The PIX Firewall must be configured to permit HTTP traffic over all ports in the range specified in CiscoSecure ACS. For more information, see Access Policy.

Unable to log in on CiscoSecure ACS. Authentication fails.

Back up the Windows Registry before you change it.

Use the regedit command to remove the administrator entries under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAA##\CSAdmin\Administrators

Under the Administrators key you will see every administrator that you have created. Delete these entries and exit the Registry. The next time you access CiscoSecure ACS you will not be prompted for a username and password; once the CiscoSecure ACS HTML interface is up, you can re-add administrators. Until you do, the HTML interface is unauthenticated, so perform this procedure at the console of the CiscoSecure ACS server and re-add an administrator immediately.


Browser Issues

Condition
Recovery Action

The browser cannot bring up the CiscoSecure ACS HTML interface.

Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser. See System Requirements for a list of browsers supported by CiscoSecure ACS, and the release notes for known issues with a particular browser version.

For information about various network scenarios that affect remote administrative sessions, see Network Environments and Administrative Sessions.

The browser displays the Java message that your session connection is lost.

Check the Session idle timeout value for remote administrators. This is on the Session Policy Setup page of the Administration Control section. Increase the value as needed.

Administrator database appears corrupted.

The remote Netscape client is caching the password. If you specify an incorrect password, it is cached, and when you attempt to re-authenticate with the correct password, the cached incorrect password is sent instead. Clear the cache before attempting to re-authenticate, or close the browser and open a new session.

Remote administrator intermittently can't browse the CiscoSecure ACS HTML interface.

Make sure that the client browser does not have proxy server configured. CiscoSecure ACS does not support HTTP proxy for remote administrative sessions. Disable proxy server settings.


Cisco IOS Issues

Condition
Recovery Action

Under EXEC Commands, Cisco IOS commands are not being denied when checked.

Examine the Cisco IOS configuration at the AAA client. If it is not already present, add the following Cisco IOS command to the AAA client configuration, once for each privilege level (0 to 15) whose commands CiscoSecure ACS should authorize:

aaa authorization commands <0-15> default group tacacs+

In the command argument text box, each line must have the form permit argument or deny argument.

Administrator has been locked out of the AAA client because of an incorrect configuration set up in the AAA client.

If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password.

Try to connect directly to the AAA client at the console port. If that is not successful, consult your AAA client documentation or see the Password Recovery Procedures page on Cisco.com for information regarding your particular AAA client.

IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T.

Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, a few attributes are not yet supported or require a later version of the Cisco IOS software. For more information, see the RADIUS Attributes page on Cisco.com.

Unable to enter enable mode after configuring aaa authentication enable default tacacs+ (aaa authentication enable default group tacacs+ in Cisco IOS 12.0(5)T and later). The error message "Error in authentication on the router" appears.

Check the Failed Attempts log in CiscoSecure ACS. If the log reads "CS password invalid," the user may have no enable password set up. Set the TACACS+ Enable Password in the Advanced TACACS+ Settings section of User Setup.

If you do not see the Advanced TACACS+ Settings section among the user setup options, go to Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features and select that option so that the TACACS+ settings appear in User Setup. Then select Max privilege for any AAA Client (typically 15) and enter the TACACS+ Enable Password that the user should use for enable.
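The following AAA client configuration is an added example, not taken from this guide or from Cisco's own documentation, that puts the Cisco IOS commands referred to in this table together in one place: command authorization handed to TACACS+ so that the permit/deny settings under EXEC Commands are enforced, enable authentication against the TACACS+ Enable Password, and a local fallback plus an exempted console so that an incorrect configuration cannot lock the administrator out. The server address 10.1.1.5, the key, and the usernames and passwords are placeholders. Note that the local fallback is consulted only when no TACACS+ server answers, which is why the lockout recovery action above tells you to break connectivity to the server; a reachable CiscoSecure ACS that rejects a login is final.

```cisco
! Added example (Cisco IOS 12.x syntax); addresses, keys and credentials are placeholders
aaa new-model
!
! TACACS+ server as seen by this AAA client; the key must match, including case,
! the key entered for this client under Network Configuration in CiscoSecure ACS
tacacs-server host 10.1.1.5
tacacs-server key S3cretKey
!
! Local credentials, used only when every TACACS+ server is unreachable
username fallback-admin privilege 15 secret Fallback-Pass
enable secret Enable-Pass
!
! Login and enable authentication: TACACS+ first, local/enable password as fallback.
! With TACACS+ enable authentication, the user needs a TACACS+ Enable Password in ACS.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! EXEC and per-privilege-level command authorization. The "commands" lines are
! what the EXEC Commands permit/deny settings in ACS depend on.
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting, so that the TACACS+ Administration and Accounting reports record sessions
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! The console is exempted from TACACS+ so that a bad ACS configuration can be
! repaired from the console port, as the lockout recovery action above suggests
aaa authentication login CONSOLE none
aaa authorization exec CONSOLE none
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE
```

Because the command method lists end in if-authenticated rather than local, command authorization is still granted to an authenticated user when CiscoSecure ACS is unreachable; if you want unreachable-server behaviour to deny commands instead, drop the if-authenticated keyword.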


Database Issues

Condition
Recovery Action

RDBMS Synchronization is not operating properly.

Make sure that the correct server is listed in the Partners list.

Database Replication not operating properly.

Make sure you have set the server correctly as either Send or Receive.

On the sending server, make sure the receiving server is in the Replication list.

On the receiving server, make sure the sending server is selected in the Accept Replication from list. Also, make sure that the sending server is not in the replication partner list.

Make sure that the replication schedule on the sending CiscoSecure ACS is not conflicting with the replication schedule on the receiving CiscoSecure ACS.

If the receiving server has dual network cards, on the sending server add an AAA server entry to the AAA Servers table in the Network Configuration section for every IP address of the receiving server. If the sending server has dual network cards, on the receiving server add an AAA server entry to the AAA Servers table in Network Configuration for every IP address of the sending server.

The external user database is not available in the Group Mapping section.

The external database has not been configured in the External User Databases section, or the username and password have been typed incorrectly. Click the applicable external database to configure. Make sure that the username and password are correct.

External databases not operating properly.

Make sure that a two-way trust (for dial-in check) has been established between the CiscoSecure ACS domain and the other domains.

If CiscoSecure ACS is installed on a Member Server and is authenticating to a Domain Controller, see the "Authentication Failures When ACS/NT 3.0 Is Authenticating to Active Directory" Field Notice at the following URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml

Cannot install Novell NDS database authentication.

Make sure the Novell Requester is installed on the same Windows server as CiscoSecure ACS.

Unknown users are not authenticated.

Go to External User Databases> Unknown User Policy . Select the Check the following external user databases option. From the External Databases list, select the database(s) against which to authenticate unknown users. Click —> (right arrow button) to add the database to the Selected Databases list. Click Up or Down to move the selected database into the desired position in the authentication hierarchy.

If you are using the CiscoSecure ACS Unknown User feature, external databases can only authenticate using PAP.

Novell NDS or Generic LDAP Group Mapping not working correctly.

Make sure that you have correctly configured Group Mapping for the applicable database.

For more information, see "User Group Mapping and Specification"

Unable to authenticate against the Novell NDS database.

Make sure that the tree name, context name, and container name are all specified correctly. Start with one container where users are present; then you can add more containers later, if needed.

If you are successful, check on the AAA client to see if you can authenticate the shell user (Telnet user). Also make sure that for PPP you have PAP authentication configured on the asynchronous interface.

Same user appears in multiple groups or duplicate users exist in the CiscoSecure ACS database. Unable to delete user from database.

Clean up the database by typing the following command at the command line:

csutil -q -d -n -l dump.txt

This command dumps the CiscoSecure user database to dump.txt, initializes a new database, and reloads it from the dump, which clears the stale per-user counters. Keep dump.txt until you have confirmed that the reloaded database is complete.

Tip When you install CiscoSecure ACS in the default location, CSUtil.exe is located in the following directory: C:\Program Files\CiscoSecure ACS vX.X\Utils.

For more information on using the csutil command, see "RDBMS Synchronization Import Definitions."


Dial-in Connection Issues

Condition
Recovery Action

A dial-in user cannot connect to the AAA client.

No record of the attempt appears in either the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts ).

Examine the CiscoSecure ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error. Confirm the following:

The dial-in user was able to establish a connection and ping the computer before CiscoSecure ACS was installed. If the dial-in user could not, the problem is related to AAA client/modem configuration, not CiscoSecure ACS.

LAN connections for both the AAA client and the computer running CiscoSecure ACS are physically connected.

IP address of the AAA client in the CiscoSecure ACS configuration is correct.

IP address of CiscoSecure ACS in AAA client configuration is correct.

TACACS+ or RADIUS key in both AAA client and CiscoSecure ACS are identical (case sensitive).

The command ppp authentication pap is entered for each interface, if you are using a Windows user database.

The command ppp authentication chap pap is entered for each interface, if you are using the CiscoSecure ACS database.

The AAA and TACACS+ or RADIUS commands are correct in the AAA client. The necessary commands are listed in the following files:

Program Files\CiscoSecure ACS vx.x\TacConfig.txt
Program Files\CiscoSecure ACS vx.x\RadConfig.txt

The CiscoSecure ACS services (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs) are running on the computer running CiscoSecure ACS.
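As an added example that is not part of the guide, the following is the AAA client side of a dial-in configuration matching the checklist above: the RADIUS server and its key, PPP authentication through CiscoSecure ACS with a local fallback, network authorization and accounting, and the per-interface ppp authentication command. The server address, key, interface numbers and address pool are placeholders. The interface shows the form used with the CiscoSecure user database (chap pap); for the Windows user database use ppp authentication pap instead, because CiscoSecure ACS cannot answer CHAP challenges against passwords it does not hold.

```cisco
! Added example (Cisco IOS 12.x syntax); addresses, key, lines and pool are placeholders
aaa new-model
!
! CiscoSecure ACS as a RADIUS server; the key is case sensitive and must match
! the entry for this AAA client under Network Configuration in ACS
radius-server host 10.1.1.5 auth-port 1645 acct-port 1646
radius-server key S3cretKey
!
! PPP authentication via ACS, local fallback only when ACS does not answer;
! accounting is required for the RADIUS Accounting report and for MaxSessions
aaa authentication ppp default group radius local
aaa authorization network default group radius
aaa accounting network default start-stop group radius
!
! Address pool handed to dial-in peers (shows up as framed-ip-address in accounting)
ip local pool DIALIN 10.2.2.10 10.2.2.25
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 async mode interactive
 peer default ip address pool DIALIN
 ! CiscoSecure user database: CHAP preferred, PAP accepted.
 ! Windows user database: use "ppp authentication pap" instead.
 ppp authentication chap pap
 group-range 1 16
!
line 1 16
 modem InOut
 autoselect ppp
 autoselect during-login
```

Test in the order the checklist implies: first confirm the modem lines answer with local authentication, then add the aaa commands, so that a failure can be attributed to the line configuration or to AAA rather than to both at once.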

A dial-in user cannot connect to the AAA client.

The Windows user database is being used for authentication.

A record of a failed attempt appears in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts ).

Create a local user in the CiscoSecure user database and test whether authentication is successful. If it is successful, the issue is that the user information is not correctly configured for authentication in Windows or CiscoSecure ACS.

From the Windows User Manager or Active Directory Users and Computers, confirm the following:

The username and password are configured in the Windows User Manager or Active Directory Users and Computers.

The user can log in to the domain by authenticating through a workstation.

The User Properties window does not have User Must Change Password at Login enabled.

The User Properties window does not have Account Disabled selected.

In the user's Dialin properties, Grant dialin permission to user is not disabled, if CiscoSecure ACS is configured to check this option when authenticating.

From within CiscoSecure ACS confirm the following:

If the username has already been entered into CiscoSecure ACS, a Windows user database configuration is selected in the Password Authentication list on the User Setup page for the user.

If the username has already been entered into CiscoSecure ACS, the CiscoSecure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

The user expiration information in the Windows user database has not caused failed authentication. For troubleshooting purposes, disable password expiry for the user in the Windows user database.

Click External User Databases , and click List All Databases Configured , and then make sure that the database configuration for Windows is listed.

In the Configure Unknown User Policy table of the External User Databases section ensure that Fail the attempt is not selected. And ensure that the Selected Databases list reflects the necessary database.

Verify that the Windows group that the user belongs to has not been mapped to No Access.

A dial-in user cannot connect to the AAA client.

The CiscoSecure user database is being used for authentication.

A record of a failed attempt is displayed in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts ).

From within CiscoSecure ACS confirm the following:

The username has been entered into CiscoSecure ACS.

CiscoSecure user database is selected from the Password Authentication list and a password has been entered in User Setup for the user.

The CiscoSecure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

Expiration information has not caused failed authentication. Set to Expiration: Never for troubleshooting.

A dial-in user cannot connect to the AAA client; however, a Telnet connection can be authenticated across the LAN.

The problem is isolated to one of three areas:

Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

The user is not assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

The CiscoSecure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client.

Additionally, you can verify CiscoSecure ACS connectivity by attempting to Telnet to the access server from a workstation connected to the LAN. A successful authentication for Telnet confirms that CiscoSecure ACS is working with the AAA client.

A dial-in user cannot connect to the AAA client, and a Telnet connection cannot be authenticated across the LAN.

Determine whether the CiscoSecure ACS is receiving the request. This can be done by viewing the CiscoSecure ACS reports. Based on what does not appear in the reports and which database is being used, troubleshoot the problem based on one of the following:

Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

The user does not exist in the Windows user database or the CiscoSecure user database and might not have the correct password. Authentication parameters can be modified under User Setup.

The CiscoSecure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client.

Callback is not working.

Ensure that callback works on the AAA client when using local authentication. Then add AAA authentication.

User authentication fails when using PAP.

Outbound PAP is not enabled. If the Failed Attempts report shows that you are using outbound PAP, go to the Interface Configuration section and select the Per-User Advanced TACACS+ Features check box. Then, go to the TACACS+ Outbound Password section of the Advanced TACACS+ Settings table on the User Setup page and type and confirm the password in the boxes provided.


Debug Issues

Condition
Recovery Action

When you run debug aaa authentication on the AAA client, CiscoSecure ACS returns a failure message.

The configurations of the AAA client or CiscoSecure ACS are likely to be at fault.

From within CiscoSecure ACS confirm the following:

CiscoSecure ACS is receiving the request. This can be done by viewing the CiscoSecure ACS reports. What does or does not appear in the reports may provide indications that your CiscoSecure ACS is misconfigured.

From the AAA client, confirm the following:

The command ppp authentication pap is entered for each interface if authentication against the Windows user database is being used.

The command ppp authentication chap pap is entered for each interface if authentication against the CiscoSecure user database is being used.

The AAA and TACACS+ or RADIUS configuration is correct in the AAA client.

When you run debug aaa authentication and debug aaa authorization on the AAA client, CiscoSecure ACS returns a PASS for authentication, but returns a FAIL for authorization.

This problem occurs because authorization rights are not correctly assigned.

Examine the following:

Check failed attempts reports under Reports and Activities to see if any services/protocols are being denied for the user.

From User Setup, confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this may indicate that it has not been enabled in Interface Configuration: TACACS+ (Cisco IOS) or RADIUS.


Proxy Issues

Condition
Recovery Action

Proxying requests to another server fails.

Make sure that the following conditions are met:

The direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.

The shared secret (key) configured for the proxy partner is identical on both CiscoSecure ACSes, that is, in the forwarding server's entry for the remote server and in the remote server's entry for the forwarding server.

The character string and delimiter match the stripping information configured in the Proxy Distribution Table, and the position is set correctly to either Prefix or Suffix.

If the conditions above are met, one or more servers is probably down, or no fallback server is configured. Go to the Network Configuration section and configure a fallback server. Fallback servers are used only under the following circumstances:

The remote CiscoSecure ACS is down.

One or more services (CSTacacs, CSRadius, or CSAuth) are down.

The secret key is misconfigured.

Inbound/Outbound messaging is misconfigured.


Installation and Upgrade Issues

Condition
Recovery Action

The following error message appears when you try to upgrade or uninstall CiscoSecure ACS:

The following file is invalid or the data is corrupted "DelsL1.isu"

From the Windows Registry, delete the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CiscoSecure

All previous accounting logs are missing.

When you reinstall or upgrade the CiscoSecure ACS software, the log files are deleted unless they were moved to another directory beforehand. Copy the log files to another location before you reinstall or upgrade.


MaxSessions Issues

Condition
Recovery Action

MaxSessions over VPDN is not working.

The use of MaxSessions over VPDN is not supported.

User MaxSessions fluctuates or is unreliable.

Services were restarted, possibly because the connection between the CiscoSecure ACS and the AAA client is unstable. Click to clear the Single Connect TACACS+ AAA Client check box.

User MaxSessions is not taking effect.

Make sure you have accounting configured on the AAA client and you are receiving accounting start/stop records.


Report Issues

Condition
Recovery Action

The logname active.csv report is blank.

You changed protocol configurations recently.

Whenever protocol configurations change, the existing logname active.csv report file is renamed to logname yyyy-mm-dd.csv and a new, blank logname active.csv report is started.

A report is blank.

Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to CiscoSecure ACS for Windows NT.

No Unknown User information is included in reports.

The Unknown User database was changed. Accounting reports will still contain unknown user information.

Two entries are logged for one user session.

Make sure that the remote logging function is not configured to send accounting packets to the same location as the Send Accounting Information fields in the Proxy Distribution Table.

After you have changed the date format, the Logged-In User list and the CSAdmin log still display old format dates.

To see the changes, restart the CSAdmin service and log in again.

The Logged-In Users report works with some devices but not with others.

For the Logged-In Users report to work (this also applies to most other features involving sessions), the packets sent by the AAA client must include at least the following fields:

Authentication Request packet: nas-ip-address, nas-port

Accounting Start packet: nas-ip-address, nas-port, session-id, framed-ip-address

Accounting Stop packet: nas-ip-address, nas-port, session-id, framed-ip-address

Also, if a connection is so brief that there is little time between the start and stop packets (for example, HTTP through the PIX Firewall), the Logged in Users report may fail.


Third-Party Server Issues

Condition
Recovery Action

You cannot successfully implement the RSA token server.

1. Log in to the computer running CiscoSecure ACS. (Make sure your login account has administrative privileges.)

2. Make sure the RSA Client software is installed on the same computer as CiscoSecure ACS.

3. Follow the setup instructions. Do not restart at the end of the installation.

4. Get the file named sdconf.rec located in the /data directory of the RSA ACE server.

5. Place sdconf.rec in the %SystemRoot%\system32 directory.

6. Make sure you can ping the machine that is running the ACE server by hostname. (You might need to add the machine to the lmhosts file.)

7. Verify that support for RSA is enabled in External User Databases > Database Configuration in CiscoSecure ACS.

8. Run Test Authentication from the Windows control panel for the ACE/Client application.

9. From CiscoSecure ACS, install the token server.

Authentication request does not hit the external database.

Set logging to full in System Configuration > Service Control.

Check csauth.log for confirmation that the authentication request is being forwarded to the third-party server. If it is not being forwarded, confirm that the external database configuration is correct, as well as the unknown user policy settings.

On ACE/SDI server no incoming request is seen from CiscoSecure ACS, although RSA/agent authentication works.

For dial-up users, make sure you are using PAP, not MS-CHAP or CHAP; RSA/SDI does not support CHAP, so CiscoSecure ACS does not send the request to the RSA server and instead logs an external database failure.


User Authentication Issues

Condition
Recovery Action

After the administrator disables the Dialin Permission setting, Windows database users can still dial in and apply the Callback string configured under the Windows user database. (You can locate the Dialin Permission check box by clicking External User Databases, clicking Database Configuration, clicking Windows Database, and clicking Configure.)

Restart CiscoSecure ACS services. For steps, see Stopping, Starting, or Restarting Services.

User did not inherit settings from new group.

Users moved to a new group inherit new group settings but they keep their existing user settings. Manually change the settings in the User Setup section.

Authentication fails.

Check the Failed Attempts report.

The AAA client timeout may be too short (the default is 5 seconds), so the AAA client gives up before CiscoSecure ACS answers. Increase the timeout on the AAA client to 20 seconds or greater (for example, tacacs-server timeout 20).

The AAA client times out when authenticating against a Windows user database.

Increase the TACACS+ or RADIUS timeout interval on the AAA client from the default of 5 seconds to 20 with the following Cisco IOS commands:

tacacs-server timeout 20
radius-server timeout 20

Authentication fails; the error "Unknown NAS" appears in the Failed Attempts log.

Verify the following:

AAA client is configured under the Network Configuration section.

If ip tacacs source-interface or ip radius source-interface is configured on the AAA client, requests arrive from the address of that interface; configure the AAA client in CiscoSecure ACS with that IP address.

Alternatively, you can configure a default NAS in the NAS configuration area by leaving the hostname and IP address blank and entering only the key. Any device that knows the key can then send requests, so prefer adding each AAA client explicitly.

Authentication fails; the error "key mismatch" appears in the Failed Attempts log.

Verify that the TACACS+ or RADIUS keys, in both AAA client and CiscoSecure ACS, are identical (case sensitive).

Re-enter the keys to confirm they are identical.
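The following Cisco IOS fragment is an added example, not from the guide, showing the AAA client settings behind the three entries above: a 20-second timeout for both protocols, a loopback source interface whose address is the one that must be entered for this AAA client in Network Configuration (otherwise CiscoSecure ACS logs "Unknown NAS"), and the shared key that must match the key entered in CiscoSecure ACS character for character, including case. The addresses and key are placeholders.

```cisco
! Added example (Cisco IOS 12.x syntax); addresses and key are placeholders
!
! Stable source address for AAA traffic. The AAA client entry in ACS Network
! Configuration must use 10.0.0.1, not the address of whichever uplink is active.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! TACACS+ server, shared key (case sensitive) and a timeout long enough for
! a Windows domain or external database lookup to complete
tacacs-server host 10.1.1.5
tacacs-server key S3cretKey
tacacs-server timeout 20
!
! RADIUS equivalents; retransmit 2 keeps the total wait bounded at 3 x 20 s
radius-server host 10.1.1.5 auth-port 1645 acct-port 1646
radius-server key S3cretKey
radius-server timeout 20
radius-server retransmit 2
```

After changing the key on either side, re-enter it on both and watch the Failed Attempts log: "key mismatch" entries that persist point at a different AAA client entry (for example one keyed by the uplink address rather than the loopback) than the one you edited.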

User can authenticate, but authorizations are not what is expected.

Different vendors use different AV pairs. AV pairs used in one vendor protocol may be ignored by another vendor protocol. Make sure that the user settings reflect the correct vendor protocol; for example, RADIUS (Cisco IOS/PIX).

LEAP authentication fails; the error "Radius extension DLL rejected user" appears in the Failed Attempts log.

Verify that the correct authentication type has been set on the access point. Make sure that, at a minimum, the Network-EAP check box is selected.

If you are using an external user database for authentication, verify that it is supported. For more information, see Authentication Protocol-Database Compatibility.


TACACS+ and RADIUS Attribute Issues

Condition
Recovery Action

TACACS+ and RADIUS attributes do not appear on the Group Setup page.

Make sure that you have at least one RADIUS or TACACS+ AAA client configured in the Network Configuration section and that, in the Interface Configuration section, you have enabled the attributes you need to configure.

Note Some attributes are not customer-configurable in Cisco Secure ACS; instead, their values are set by Cisco Secure ACS.