User Guide for Cisco Secure ACS Solution Engine Version 3.3
Troubleshooting


Troubleshooting


This appendix provides information about certain basic problems and describes how to resolve them.

Each section below lists a condition followed by the recovery actions for it. Find the condition that you are trying to resolve, and then carefully work through each corresponding recovery action.

This appendix contains the following topics:

Administration Issues

Browser Issues

Cisco IOS Issues

Database Issues

Dial-in Connection Issues

Debug Issues

Proxy Issues

Installation and Upgrade Issues

MaxSessions Issues

Report Issues

Third-Party Server Issues

PIX Firewall Issues

User Authentication Issues

TACACS+ and RADIUS Attribute Issues

Administration Issues


Note For information on using the command line interface to execute administrative commands, see the "Administering Cisco Secure ACS Solution Engine" chapter of Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Condition
Recovery Action

Administrator cannot bring up the Cisco Secure ACS HTML interface in a browser or receives a warning that access is not permitted.

Verify that you are using a supported browser. Refer to the Release Notes for Cisco Secure ACS Solution Engine Version 3.3 for a list of supported browsers.

Confirm that Cisco Secure ACS is powered up.

Ping Cisco Secure ACS to confirm connectivity.

Verify that the administrator is using a valid administrator name and password that has already been added in Administration Control.

Verify that Java functionality is enabled in the browser.

Determine whether the administrator is trying to administer Cisco Secure ACS through a firewall, through a device performing Network Address Translation, or from a browser configured to use an HTTP proxy server. For more information about accessing the HTML interface in these networking scenarios, see Network Environments and Administrative Sessions.

The Cisco Secure ACS Solution Engine administrator credentials have been lost.

Perform the "Recovering from Loss of All Administrator Passwords" procedure that is found in the "Administering Cisco Secure ACS Solution Engine" chapter of the Installation and Setup Guide for Cisco Secure ACS Solution Engine.

Unauthorized users can log in.

The option Reject listed IP addresses is selected, but no start or stop IP addresses are listed, so no address is actually rejected. Go to Administration Control > Access Policy and specify the Start IP Address and Stop IP Address.

Remote Administrator receives "Logon failed . . . protocol error" message, when browsing.

Restart the CSADMIN service. To restart the CSADMIN service, from the CLI type the restart command with CSAdmin as the argument.

If necessary, reboot the appliance.

Administrator cannot bring up Cisco Secure ACS from his or her browser, or receives a warning that access is not permitted.

If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.

To administer Cisco Secure ACS through a firewall, you must configure an HTTP port range in Administration Control > Access Policy. The PIX Firewall must be configured to permit HTTP traffic over all ports included in the range specified in Cisco Secure ACS, so keep the range as narrow as the number of concurrent administrative sessions allows. For more information, see Access Policy.

Restart Services does not work.

The system is not responding to the Restart command on the System Configuration > Service Control page.

Ping Cisco Secure ACS to confirm connectivity.

To manually restart services, log in to the Cisco Secure ACS console and type the restart command followed by a single space and the name of the ACS service you want to restart.

No administrators can log in.

The option Allow only listed IP addresses to connect is selected, but no start or stop IP addresses are listed, so no address is allowed. Go to Administration Control > Access Policy and specify the Start IP Address and Stop IP Address.

Administrator configured for event notification is not receiving e-mail.

Make sure that the SMTP server name is correct. If the name is correct, make sure that the Cisco Secure ACS can ping the SMTP server or can send e-mail via a third-party e-mail software package. Make sure you have not used underscores in the e-mail address.



Browser Issues

Condition
Recovery Action

The browser cannot bring up the Cisco Secure ACS HTML interface.

Open Internet Explorer or Netscape Navigator and choose Help > About to determine the version of the browser. See System Installation Requirements, for a list of browsers supported by Cisco Secure ACS and the release notes for known issues with a particular browser version.

For information about various network scenarios that affect remote administrative sessions, see Network Environments and Administrative Sessions.

The browser displays the Java message that your session connection is lost.

Check the Session idle timeout value for remote administrators. This is on the Session Policy Setup page of the Administration Control section. Increase the value as needed.

Administrator database appears corrupted.

The remote Netscape client is caching the password. If you specify an incorrect password, it is cached. When you attempt to re-authenticate with the correct password, the incorrect password is sent. Clear the cache before attempting to re-authenticate or close the browser and open a new session.

Remote administrator intermittently can't browse the Cisco Secure ACS HTML interface.

Make sure that the client browser does not have a proxy server configured. Cisco Secure ACS does not support HTTP proxy for remote administrative sessions. Disable the proxy server settings in the browser.


Cisco IOS Issues

Condition
Recovery Action

The results of show eou all or show eou ip address include postures that do not match the actual result of posture validation or display "-------" instead of a posture.

If the posture displayed is "-------", the AAA client is not receiving the posture-token attribute-value (AV) pair within a Cisco IOS/PIX RADIUS cisco-av-pair vendor-specific attribute (VSA). If the posture displayed does not correspond to the actual result of posture validation, the AAA client is receiving an incorrect value in the posture-token AV pair.

Check group mappings for Network Admission Control (NAC) databases to verify that the correct user groups are associated with each system posture token (SPT). In the user groups configured for use with NAC, be sure that the Cisco IOS/PIX cisco-av-pair VSA is configured correctly. For example, in a group configured to authorize NAC clients receiving a Healthy SPT, be sure the [009\001] cisco-av-pair check box is selected and that the following string appears in the [009\001] cisco-av-pair text box:

posture-token=Healthy 


Caution The posture-token AV pair is the only way that Cisco Secure ACS notifies the AAA client of the SPT returned by posture validation. Because you manually configure the posture-token AV pair, errors in configuring posture-token can result in the incorrect SPT being sent to the AAA client or, if the AV pair name is mistyped, the AAA client not receiving the SPT at all.

Note AV pair names are case sensitive.

For information about group mapping for NAC databases, see NAC Group Mapping. For more information about the Cisco IOS/PIX cisco-av-pair VSA, see About the cisco-av-pair RADIUS Attribute.

Under EXEC Commands, Cisco IOS commands are not being denied when checked.

Examine the Cisco IOS configuration at the AAA client. If it is not already present, add the following Cisco IOS command to the AAA client configuration, once for each privilege level whose commands should be authorized by TACACS+:

aaa authorization commands <0-15> default group tacacs+ 

The correct syntax for the arguments in the text box is permit <argument> or deny <argument>.

Administrator has been locked out of the AAA client because of an incorrect configuration set up in the AAA client.

If you have a fallback method configured on your AAA client, disable connectivity to the AAA server and log in using local/line username and password.

Try to connect directly to the AAA client at the console port. If that is not successful, consult your AAA client documentation or see the Password Recovery Procedures page on Cisco.com for information regarding your particular AAA client.

IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T

Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, there are a few attributes that are not yet supported or that require a later version of the Cisco IOS software. For more information, see the RADIUS Attributes page on Cisco.com.

Unable to enter Enable Mode after doing aaa authentication enable default tacacs+. Getting error message "Error in authentication on the router."

Check the failed attempts log in the ACS. If the log reads "CS password invalid," it may be that the user has no enable password set up. Set the TACACS+ Enable Password within the Advanced TACACS+ Settings section.

If you do not see the Advanced TACACS+ Settings section among the user setup options, go to Interface Configuration > Advanced Configuration Options > Advanced TACACS+ Features and select that option to have the TACACS+ settings appear in the user settings. Then select Max privilege for any AAA Client (this will typically be 15) and enter the TACACS+ Enable Password that you want the user to have for enable.


Database Issues

Condition
Recovery Action

RDBMS Synchronization is not operating properly.

Make sure the correct server is listed in the Partners list.

Database Replication not operating properly.

Make sure you have set the server correctly as either Send or Receive.

On the sending server, make sure the receiving server is in the Replication list.

On the receiving server, make sure the sending server is selected in the Accept Replication from list.

Make sure that the replication schedule on the sending Cisco Secure ACS is not conflicting with the replication schedule on the receiving Cisco Secure ACS.

If the receiving server has more than one network card, on the sending server add an AAA server entry to the AAA Servers table in Network Configuration for every IP address of the receiving server. If the sending server has more than one network card, on the receiving server add an AAA server entry to the AAA Servers table in Network Configuration for every IP address of the sending server, because replication traffic can arrive from any of them.

The external user database is not available in the Group Mapping section.

The external database has not been configured in External User Databases or the username and password have been typed incorrectly. Make sure the username and password are correct. Click the applicable external database to configure.

External databases not operating properly.

Make sure a two-way trust (for dial-in check) has been established between the Cisco Secure ACS domain and the other domains. Check the csauth service log file for any debug messages beginning with [External DB]. See Setting Up Event Logging.

Unknown users are not authenticated.

Go to External User Databases > Unknown User Policy. Select the Check the following external user databases option. From the External Databases list, select the database(s) against which to authenticate unknown users. Click —> (right arrow button) to add the database to the Selected Databases list. Click Up or Down to move the selected database into the desired position in the authentication hierarchy.

If you are using the Cisco Secure ACS Unknown User feature, confirm that the external database supports the authentication protocol the AAA client is using; most external databases can authenticate only PAP requests, so a CHAP or MS-CHAP request cannot be forwarded to them. For more information, see Authentication Protocol-Database Compatibility.

Novell NDS or Generic LDAP Group Mapping not working correctly.

Make sure that you have correctly configured Group Mapping for the applicable database.

For more information, see "User Group Mapping and Specification".

Unable to authenticate against the Novell NDS database.

Make sure that the tree name, context name, and container name are all specified correctly. Start with one container where users are present; then you can add more containers later, if needed.

If you are successful, check on the AAA client to see if you can authenticate the shell user (Telnet user). Also make sure that for PPP you have PAP authentication configured on the asynchronous interface.

Same user appears in multiple groups or duplicate users exist in the Cisco Secure ACS database. Unable to delete user from database.

Use the dbcompact command from the CLI to clean up the database. For information on the command see the Installation and Setup Guide for Cisco Secure ACS Solution Engine.


Dial-in Connection Issues

Condition
Recovery Action

A dial-in user cannot connect to the AAA client.

No record of the attempt appears in either the TACACS+ or RADIUS Accounting Report (in the Reports & Activity section, click TACACS+ Accounting or RADIUS Accounting or Failed Attempts).

Examine the Cisco Secure ACS Reports or AAA client Debug output to narrow the problem to a system error or a user error. Confirm the following:

LAN connections for both the AAA client and the Cisco Secure ACS are physically connected.

IP address of the AAA client in the Cisco Secure ACS configuration is correct.

IP address of Cisco Secure ACS in AAA client configuration is correct.

TACACS+ or RADIUS key in both AAA client and Cisco Secure ACS are identical (case sensitive).

The command ppp authentication pap is entered for each interface, if the Windows user database is being used.

The command ppp authentication chap pap is entered for each interface, if the Cisco Secure ACS database is being used.

The AAA and TACACS+ or RADIUS commands are correct in the AAA client.

The Cisco Secure ACS services are running (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs).

A dial-in user cannot connect to the AAA client.

The Windows user database is being used for authentication.

A record of a failed attempt appears in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).

The user information is not properly configured for authentication in Windows Database or Cisco Secure ACS.

From the Windows User Manager or Active Directory Users and Computers, confirm the following:

The username and password are configured in the Windows User Manager or Active Directory Users and Computers.

The User Properties window does not have User Must Change Password at Login enabled.

The User Properties window does not have Account Disabled selected.

The User Properties for the dial-in window does not have Grant dial-in permission to user disabled, if Cisco Secure ACS is using this option for authenticating.

From within the Cisco Secure ACS confirm the following:

If the username has already been entered into Cisco Secure ACS, a Windows database configuration is selected in the Password Authentication list in User Setup for the user.

If the username has already been entered into Cisco Secure ACS, the Cisco Secure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

The user expiration information in the Windows database has not caused failed authentication. For troubleshooting purposes, disable password expiry for the user in the Windows database.

Click External User Databases, and then Database Configuration and click List all database configurations, and then make sure that the database configuration for Windows Database is listed.

Check Unknown User Policy to make sure that the Fail the Attempt option is not selected. (You should have the Check the following external user databases option selected.)

Verify that Windows Database appears in the Selected Databases box on the Configure Unknown User Policy page in the External User Databases section.

Verify that the Windows Database group that the user belongs to has not been mapped to No Access on the Unknown User Group Mappings page.

A dial-in user cannot connect to the AAA client.

The CiscoSecure user database is being used for authentication.

A record of a failed attempt is displayed in the Failed Attempts Report (in the Reports & Activity section, click Failed Attempts).

From within Cisco Secure ACS confirm the following:

The username has been entered into Cisco Secure ACS.

CiscoSecure user database is selected from the Password Authentication list and a password has been entered in User Setup for the user.

The Cisco Secure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

Expiration information has not caused failed authentication. Set to Expiration: Never for troubleshooting.

A dial-in user cannot connect to the AAA client; however, a Telnet connection can be authenticated across the LAN.

The problem is isolated to one of three areas:

Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

The user is not assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

The Cisco Secure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client.

Additionally, you can verify Cisco Secure ACS connectivity from the CLI by pinging a workstation connected to the LAN. A successful ping confirms that Cisco Secure ACS has network connectivity.

A dial-in user cannot connect to the AAA client, and a Telnet connection cannot be authenticated across the LAN.

Determine whether the Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports. Based on what does not appear in the reports and which database is being used, troubleshoot the problem based on one of the following:

Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

The user does not exist in the Windows user database or the CiscoSecure user database and might not have the correct password. Authentication parameters can be modified under User Setup.

The Cisco Secure ACS or TACACS+ or RADIUS configuration is not correct in the AAA client.

Callback is not working.

Make sure that callback works on the AAA client when using local authentication. Then add AAA authentication.

User authentication fails when using PAP.

Outbound PAP is not enabled. If the Failed Attempts report shows that you are using outbound PAP, go to the Interface Configuration section and select the Per-User Advanced TACACS+ Features check box. Then, go to the TACACS+ Outbound Password section of the Advanced TACACS+ Settings table on the User Setup page and type and confirm the password in the boxes provided.


Debug Issues

Condition
Recovery Action

When you run debug aaa authentication on the AAA client, Cisco Secure ACS returns a failure message.

The configurations of the AAA client or Cisco Secure ACS are likely to be at fault.

From within Cisco Secure ACS confirm the following:

Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports. What does or does not appear in the reports may provide indications that your Cisco Secure ACS is misconfigured.

From the AAA client, confirm the following:

The command ppp authentication pap is entered for each interface if authentication against the Windows User Database is being used.

The command ppp authentication chap pap is entered for each interface if authentication against the CiscoSecure user database is being used.

The AAA and TACACS+ or RADIUS configuration is correct in the AAA client.

When you run debug aaa authentication and debug aaa authorization on the AAA client, Cisco Secure ACS returns a PASS for authentication, but returns a FAIL for authorization.

This problem occurs because authorization rights are not correctly assigned.

From Cisco Secure ACS User Setup, confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this might indicate it has not been enabled in Interface Configuration: TACACS+ (Cisco IOS) or RADIUS.


Proxy Issues

Condition
Recovery Action

Proxy fails.

Make sure that the direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.

Make sure the shared secret (key) that each Cisco Secure ACS has configured for the other in its AAA Servers table is identical on both; the key is case sensitive.

Make sure the character string and delimiter match the stripping information configured in the Proxy Distribution Table, and the position is set correctly to either Prefix or Suffix.

One or more servers is down, or no fallback server is configured. Go to Network Configuration and configure a fallback server. Fallback servers are used only under the following circumstances:

The remote Cisco Secure ACS is down.

One or more services (CSTacacs, CSRadius, or CSAuth) are down.

The secret key is misconfigured.

Inbound/Outbound messaging is misconfigured.


Installation and Upgrade Issues

Condition
Recovery Action

Installation difficulties

Refer to your Installation and Setup Guide for Cisco Secure ACS Solution Engine.

From the serial console, the upgrade command has no effect.

You must first obtain an appliance upgrade package, when one is available, from the Appliance Upgrade page of System Configuration; until that has been done the upgrade command has nothing to apply.

While performing an upgrade using a Solaris distribution server, autorun.sh cannot be executed.

Use the command chmod +x autorun.sh to grant execution permissions to autorun.sh.


MaxSessions Issues

Condition
Recovery Action

MaxSessions over VPDN is not working.

The use of MaxSessions over VPDN is not supported.

User MaxSessions fluctuates or is unreliable.

Services were restarted, possibly because the connection between the Cisco Secure ACS and the AAA client is unstable. Click to clear the Single Connect TACACS+ AAA Client check box.

User MaxSessions not taking effect.

Make sure you have accounting configured on the AAA client and you are receiving accounting start/stop records.


Report Issues

Condition
Recovery Action

The logname active.csv report is blank (logname is the name of the report, for example Failed Attempts).

You changed protocol configurations recently.

Whenever protocol configurations change, the existing logname active.csv report file is renamed to logname yyyy-mm-dd.csv, and a new, blank logname active.csv report file is generated.

A report is blank.

Make sure you have selected Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to Cisco Secure ACS for Windows NT.

No Unknown User information is included in reports.

The Unknown User database was changed. Accounting reports will still contain unknown user information.

Two entries are logged for one user session.

Make sure that the remote logging function is not configured to send accounting packets to the same location as the Send Accounting Information fields in the Proxy Distribution Table.

After you have changed the date format, the Logged-In User list and the CSAdmin log still display old format dates.

To see the changes made, you must restart the CSAdmin service and log on again.

The Logged in Users report works with some devices, but not with others.

For the Logged in Users report to work (and this also applies to most other features involving sessions), the packets sent by the AAA client must include at least the following attributes:

Authentication Request packet: nas-ip-address, nas-port

Accounting Start packet: nas-ip-address, nas-port, session-id, framed-ip-address

Accounting Stop packet: nas-ip-address, nas-port, session-id, framed-ip-address

Also, if a connection is so brief that there is little time between the start and stop packets (for example, HTTP through the PIX Firewall), the Logged in Users report may fail.
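When a device is suspected of sending incomplete accounting records, or a NAC client shows "-------" for its posture (see the Cisco IOS Issues entry on show eou above), the quickest confirmation is to decode the RADIUS packets the AAA client actually sends and receives. The following is an added example and is not part of the Cisco Secure ACS documentation or product: a small RADIUS attribute decoder that reports which of the session attributes listed above are missing from an Accounting Start or Stop, and that reads the posture-token value out of a cisco-av-pair VSA in an Access-Accept, flagging an AV pair whose name matches only case-insensitively (for example Posture-Token=Healthy), which the AAA client would not recognize. The packets, addresses and session identifiers are constructed inline for the example; the authenticator fields are left zeroed because attribute decoding does not depend on the shared secret.

```python
# Added example, not part of the Cisco Secure ACS documentation: decode a RADIUS
# packet and (a) list the session attributes the Logged-in Users report needs
# that are missing from an Accounting Start/Stop, (b) read the posture-token
# AV pair from a cisco-av-pair VSA in an Access-Accept, flagging a wrong-case
# name. Packets below are constructed by hand; authenticators are left zeroed
# because attribute decoding does not depend on the shared secret.
import struct

# IETF attribute numbers from RFC 2865/2866 and the Cisco VSA used by ACS.
NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 4, 5, 8
VENDOR_SPECIFIC, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 26, 40, 44
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1          # shown as [009\001] in the ACS interface
ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4
ACCT_START, ACCT_STOP = 1, 2

NAMES = {NAS_IP_ADDRESS: "nas-ip-address", NAS_PORT: "nas-port",
         ACCT_SESSION_ID: "session-id", FRAMED_IP_ADDRESS: "framed-ip-address"}
REQUIRED = {ACCT_START: (NAS_IP_ADDRESS, NAS_PORT, ACCT_SESSION_ID, FRAMED_IP_ADDRESS),
            ACCT_STOP: (NAS_IP_ADDRESS, NAS_PORT, ACCT_SESSION_ID, FRAMED_IP_ADDRESS)}


def parse_radius(packet):
    """Return (code, identifier, attributes). Attributes are (type, bytes) pairs;
    a Cisco cisco-av-pair VSA is expanded to ("cisco-av-pair", str)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]        # vendor type/length, length covers both bytes
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR:
                attrs.append(("cisco-av-pair", value[6:4 + vlen].decode("ascii")))
                pos += alen
                continue
        attrs.append((atype, value))
        pos += alen
    return code, ident, attrs


def missing_session_attrs(packet):
    """Names of the attributes this appendix lists for Accounting Start/Stop
    that the packet lacks; an empty list means the report can track the session."""
    code, _, attrs = parse_radius(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    status = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ACCT_STATUS_TYPE), None)
    if status not in REQUIRED:            # Interim-Update and others are not checked here
        return []
    present = {t for t, _ in attrs}
    return [NAMES[t] for t in REQUIRED[status] if t not in present]


def posture_token(packet):
    """(token, suspicious) for an Access-Accept: token is the SPT from a
    posture-token AV pair, or None; suspicious lists AV pairs whose name only
    matches case-insensitively, which the AAA client will ignore."""
    _, _, attrs = parse_radius(packet)
    token, suspicious = None, []
    for t, v in attrs:
        if t != "cisco-av-pair":
            continue
        name, _, val = v.partition("=")
        if name == "posture-token":
            token = val
        elif name.lower() == "posture-token":
            suspicious.append(v)
    return token, suspicious


# --- constructed sample packets (not captured from a real device) ----------
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text):
    vsa = bytes([CISCO_AV_PAIR, len(text) + 2]) + text.encode("ascii")
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def packet(code, ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

SESSION_ATTRS = [attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])), attr(NAS_PORT, struct.pack("!I", 3)),
                 attr(ACCT_SESSION_ID, b"0000001A")]
ACCT_START_OK = packet(ACCOUNTING_REQUEST, 1, [attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))]
                       + SESSION_ATTRS + [attr(FRAMED_IP_ADDRESS, bytes([192, 0, 2, 7]))])
ACCT_STOP_NO_FRAMED = packet(ACCOUNTING_REQUEST, 2, [attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))]
                             + SESSION_ATTRS)
ACCEPT_HEALTHY = packet(ACCESS_ACCEPT, 3, [cisco_avpair("posture-token=Healthy")])
ACCEPT_TYPO = packet(ACCESS_ACCEPT, 4, [cisco_avpair("Posture-Token=Healthy")])

if __name__ == "__main__":
    print("start missing:", missing_session_attrs(ACCT_START_OK))        # []
    print("stop missing:", missing_session_attrs(ACCT_STOP_NO_FRAMED))   # ['framed-ip-address']
    print("posture:", posture_token(ACCEPT_HEALTHY), posture_token(ACCEPT_TYPO))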
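```

To use this against real traffic, feed the UDP payload of a captured Accounting-Request or Access-Accept (for example, exported from a packet capture taken between the AAA client and Cisco Secure ACS) to missing_session_attrs or posture_token in place of the constructed packets. A non-empty list from missing_session_attrs identifies the attribute to enable on the device; a result of (None, ["Posture-Token=Healthy"]) reproduces the "-------" condition described above and points at the text typed into the [009\001] cisco-av-pair box.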


Third-Party Server Issues

Condition
Recovery Action

Authentication request does not hit the external database.

Set logging to full in System Configuration > Service Control.

Use the Support feature to check csauth.log for confirmation that the authentication request is being forwarded to the third-party server. If it is not being forwarded, confirm that the external database configuration is correct, as well as the unknown user policy settings.

On ACE/SDI server no incoming request is seen from Cisco Secure ACS, although RSA/agent authentication works.

For dial-up users, make sure you are using PAP and not MS-CHAP or CHAP; RSA/SDI does not support CHAP, and Cisco Secure ACS will not send the request to the RSA server, but rather it will log an error with external database failure.


PIX Firewall Issues

Condition
Recovery Action

Remote administrator cannot bring up Cisco Secure ACS from his or her browser or receives a warning that access is not permitted.

If Network Address Translation is enabled on the PIX Firewall, administration through the firewall cannot work.

To administer Cisco Secure ACS through a firewall, you must configure an HTTP port range in Administration Control > Access Policy. The PIX Firewall must be configured to permit HTTP traffic over all ports included in the range specified in Cisco Secure ACS. For more information, see Access Policy.


User Authentication Issues

Condition
Recovery Action

After the administrator disables the Dialin Permission setting, Windows database users can still dial in and apply the Callback string configured under the Windows user database. (You can locate the Dialin Permission check box by clicking External User Databases, clicking Database Configuration, clicking Windows Database, and clicking Configure.)

Restart Cisco Secure ACS services. For steps, see Stopping, Starting, or Restarting Services.

User did not inherit settings from new group.

Users moved to a new group inherit new group settings but they keep their existing user settings. Manually change the settings in the User Setup section.

Authentication fails.

Check the Failed Attempts report.

The AAA client timeout may be too short. (The default is 5 seconds.) Increase the timeout on the AAA client to 20 seconds or more with the tacacs-server timeout 20 (or radius-server timeout 20) command.

The AAA client times out when authenticating against a Windows user database.

Increase the TACACS+/RADIUS timeout interval from the default, 5, to 20. Set the Cisco IOS command as follows:
 tacacs-server timeout 20
 radius-server timeout 20

Authentication fails; the error "Unknown NAS" appears in the Failed Attempts log.

Verify the following:

AAA client is configured under the Network Configuration section.

If the ip tacacs source-interface or ip radius source-interface command is configured on the AAA client, make sure the AAA client entry in Cisco Secure ACS uses the IP address of that interface, because that is the source address the requests carry.

Alternatively, you can configure a default NAS in the NAS configuration area by leaving the hostname and IP address blank and entering only the key. A default NAS accepts requests from any source address that presents the correct key, so use it to confirm the diagnosis rather than as a permanent configuration.

Authentication fails; the error "key mismatch" appears in the Failed Attempts log.

Verify that the TACACS+ or RADIUS keys, in both AAA client and Cisco Secure ACS, are identical (case sensitive).

Re-enter the keys to confirm they are identical.
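The shared secret is used in two places in a RADIUS exchange, and a mismatch shows up differently in each: the AAA client hides User-Password with the key (RFC 2865 section 5.2), so a wrong key on the Cisco Secure ACS side yields garbage and a failed authentication, while the Response Authenticator (RFC 2865 section 3) is computed with the key on the server side, so a wrong key on the AAA client side makes it discard the reply as a key mismatch. The following is an added example, not part of the Cisco Secure ACS documentation or product, that reproduces both computations so a captured request/response pair can be checked against a candidate key. The user name, password, keys and the fixed Request Authenticator are constructed for the example; in real traffic the Request Authenticator is random.

```python
# Added example, not part of the Cisco Secure ACS documentation: reproduce the
# two places a RADIUS shared secret is used, User-Password hiding in the
# Access-Request (RFC 2865 section 5.2) and the Response Authenticator
# (RFC 2865 section 3), so that a captured exchange can be checked against a
# candidate key. The secret, user and packets are constructed for the example.
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def hide_password(password, secret, request_auth):
    """Pad to 16-byte blocks and XOR each with MD5(secret + previous block);
    the first block is chained to the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block          # next block is chained to this ciphertext
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; with the wrong secret the result is garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)   # must be unpredictable in real use
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_matches_secret(request, response, secret):
    """True only if the server that built `response` used `secret` for this
    request; an AAA client that drops a reply as a key mismatch computes this."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def recover_user_password(request, secret):
    """What the server sees after un-hiding User-Password with its own key."""
    pos = 20
    while pos < len(request):
        atype, alen = request[pos], request[pos + 1]
        if atype == USER_PASSWORD:
            return reveal_password(request[pos + 2:pos + alen], secret, request[4:20])
        pos += alen
    return None


# Constructed values for the example; keys differing only in case are a
# realistic cause of the "key mismatch" entry in the Failed Attempts log.
CLIENT_KEY = b"Cisco123"
SERVER_KEY_WRONG_CASE = b"cisco123"
REQ = build_access_request(7, b"jdoe", b"letmein", CLIENT_KEY, bytes(range(16)))
ACCEPT = build_response(ACCESS_ACCEPT, REQ, CLIENT_KEY)

if __name__ == "__main__":
    print(recover_user_password(REQ, CLIENT_KEY))                       # b'letmein'
    print(recover_user_password(REQ, SERVER_KEY_WRONG_CASE))            # garbage: server logs a failure
    print(response_matches_secret(REQ, ACCEPT, CLIENT_KEY))             # True
    print(response_matches_secret(REQ, ACCEPT, SERVER_KEY_WRONG_CASE))  # False
```

With a real capture, pass the UDP payloads of the Access-Request and its reply to response_matches_secret together with the key configured in Network Configuration on the Cisco Secure ACS; a False result with the key you believe is configured on the AAA client confirms that the two sides differ (remember that the key is case sensitive), while a True result rules the key out and points the investigation at the user credentials or database settings instead. TACACS+ obfuscates its packet body with a different MD5 keystream construction, which is not shown here.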

User can authenticate, but authorizations are not what is expected.

Different vendors use different AV pairs. AV pairs used in one vendor protocol may be ignored by another vendor protocol. Make sure that the user settings reflect the correct vendor protocol; for example, RADIUS (Cisco IOS/PIX).

LEAP authentication fails; the error "Radius extension DLL rejected user" appears in the Failed Attempts log.

Verify that the correct authentication type has been set on the Access Point. Make sure that, at a minimum, the Network-EAP check box is selected.

If you are using an external user database for authentication, verify that it is supported. For more information, see Authentication Protocol-Database Compatibility.


TACACS+ and RADIUS Attribute Issues

Condition
Recovery Action

TACACS+ and RADIUS attributes do not appear on the Group Setup page.

Make sure that you have at least one RADIUS or TACACS+ AAA client configured in the Network Configuration section and that, in the Interface Configuration section, you have enabled the attributes you need to configure.

Note Some attributes are not customer-configurable in Cisco Secure ACS; instead, their values are set by Cisco Secure ACS.