CiscoSecure ACS 2.4 for Windows NT User Guide
Troubleshooting Information for CiscoSecure ACS


This Appendix provides information about some basic problems and describes how to resolve them.

Scan the column on the left to identify the condition that you are trying to resolve; then carefully go through each of the corresponding recovery actions offered in the column on the right.

Administration Issues

Remote Administrator cannot bring up CiscoSecure ACS from his or her browser or receives a warning that access is not permitted.

  • Try to ping the machine running CiscoSecure ACS to confirm connectivity.

  • Make sure you are using a valid administrator name and password that has already been added.

  • Verify that Java functionality is enabled in the browser.

  • Administration through a PIX firewall is not supported. CiscoSecure ACS can be managed only from the same side of the firewall.

Unauthorized users can log on.

Reject listed IP addresses is selected, but no Start or Stop IP Addresses are listed. Go to Administrator Control: Access Policy and enter the Start IP Address and Stop IP Address.

Restart Services does not work.

The system is not responding. To manually restart services, on the Windows Start menu, click Control Panel: Services. Click CSAdmin, then Stop, then Start.

Cannot install NDS database authentication.

Make sure Novell Requestor is installed on the same Windows NT server as the CiscoSecure ACS.

No remote administrators can log on.

Allow only listed IP addresses to connect is selected, but no start or stop IP addresses are listed. Go to Administrator Control: Access Policy and enter the Start IP Address and Stop IP Address.

Administrator configured for event notification is not receiving email.

Make sure that the SMTP server name is correct. If the name is correct, make sure that the CiscoSecure ACS machine can ping the SMTP server or can send email via a third-party email software package. Make sure you have not used underscores in the email address.





Browser Issues

The browser cannot bring up the CiscoSecure ACS interface.

Open Internet Explorer or Netscape Navigator and select the Help/About option from the menu in order to determine the version of the browser. See the "System Requirements" section for a list of browsers currently supported by CiscoSecure ACS and the Release Notes for known issues with a particular browser version.

The browser displays the Java message that your session connection is lost.

Check the idle time-out value for remote administrators. This is in the Administration Control window. Increase the value as needed.

Administrator database appears corrupted.

The remote Netscape client is caching the password. If you enter an incorrect password, it is cached. When you attempt to reauthenticate with the correct password, the incorrect password is sent. Clear the cache before attempting to reauthenticate or close the browser and open a new session.





Cisco IOS Issues

Under EXEC Commands, Cisco IOS commands are not being denied when checked.

  • Examine the Cisco IOS configuration at the NAS. If not already present, add the following Cisco IOS command to the NAS configuration:

AAA Authorization Commands <0-15> TACACS+

  • The correct syntax for the arguments in the text box is permit argument or deny argument.

Administrator has been locked out of the NAS as a result of an incorrect configuration being set up in the NAS.

Try to connect directly to the NAS at the console port. If that is not successful, consult your NAS documentation or go to the Cisco web page for service/support regarding this condition.

IETF RADIUS attributes not supported in Cisco IOS 12.0.5.T.

Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, there are a few attributes that are not yet supported or require a later version of the Cisco IOS software. The following attributes fall into this category:

Number---Attribute---Supported in Cisco IOS Release

  • 17---Change Password---11.2(5)F

  • 21---Password-Expiration---11.2(5)F

  • 35---Login-LAT-Node---Not supported

  • 36---Login-LAT-Group---Not supported

NAS times out when authenticating against Windows NT.

Increase the TACACS+ timeout interval from the default of 5 seconds to 20 seconds. Set the Cisco IOS command as follows:

tacacs-server timeout 20





Database Issues

RDBMS Synchronization is not operating properly.

Make sure the correct server is listed in the Partners list.

Database Replication not operating properly.

Make sure you have set the server correctly as either Send or Receive. Make sure the correct server is selected in the Accept Replication from dropdown box.

Replication checks only the IP address, not the secret key. The database will be replicated, but authentication forwarding will not work. Check the Failed Attempts report and make sure you entered the correct IP address.

Make sure that the scheduling of replication on the sending CiscoSecure ACS is not conflicting with the schedule on the receiving CiscoSecure ACS.

If you have dual network cards, add a host for every IP address the replication partner has.

The external user database is not available in the Group Mapping section.

The external database has not been configured in External User Databases: Database Configuration or the username and password have been entered incorrectly. Make sure the username and password are correct. Click the applicable external database to configure.

External databases not operating properly.

Make sure a two-way trust (for the dial-in permission check) has been established between the CiscoSecure ACS domain and the other domains. Turn logging to the maximum and check the CSAuth service log file for any related debug messages. See the "Event Logging" section.





Dial-in Connection Issues

A dial-in user is unable to make a connection to the NAS.

No record of the attempt is displayed in either the TACACS+ or RADIUS Accounting Reports (click Reports & Activity: TACACS+ Accounting or RADIUS Accounting or Failed Attempts.)

Examine the CiscoSecure ACS Reports or NAS Debug output to help narrow the problem to a system error or a user error. Confirm the following:

  • The dial-in user was able to establish a connection and ping the Windows NT server before CiscoSecure ACS was installed. If the dial-in user could not, then the problem is related to a NAS/modem configuration, not CiscoSecure ACS.

  • LAN connections for both NAS and the Windows NT Server supporting CiscoSecure ACS are physically connected.

  • IP address of the NAS in the CiscoSecure ACS configuration is correct.

  • IP address of CiscoSecure ACS in NAS configuration is correct.

  • TACACS+ or RADIUS key in both NAS and CiscoSecure ACS are identical (case-sensitive).

  • The command ppp authentication pap is entered for each interface, if the Windows NT User Database is being used.

  • The command ppp authentication chap pap is entered for each interface, if the CiscoSecure ACS Database is being used.

  • The AAA and TACACS+ or RADIUS commands are correct in the NAS. The necessary commands are listed in:
    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    and
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt.

  • The CiscoSecure ACS Services are running (CSAdmin, CSAuth, CSDBSync, CSLog, CSRadius, CSTacacs) on the Windows NT Server.
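The case-sensitive key check in the list above matters because TACACS+ never sends the key itself: each packet body is XORed with an MD5 keystream derived from the session id, the shared key, the version and the sequence number, so a NAS and a CiscoSecure ACS configured with keys that differ only in case decode each other's bodies into garbage, which then surfaces as entries in the Failed Attempts report. This added Python example (not code from this guide or from CiscoSecure ACS) builds a TACACS+ authentication START packet and decodes it with a matching key and with a key of different case; the session id, key, username and addresses are constructed values.

```python
import hashlib
import struct

# Constructed sample values for illustration only.
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0       # TACACS+ major version 0xC, minor version 0
SEQ_NO = 1           # first packet of the session is the client's START
TYPE_AUTHEN = 0x01   # packet type: authentication


def pseudo_pad(session_id, key, version, seq_no, length):
    """TACACS+ keystream: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()   # MD5_n includes MD5_(n-1)
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also decodes a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, password):
    """Authentication START body for a PAP login over PPP (action LOGIN, priv 1)."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x02, 0x03
    fields = [user.encode(), port.encode(), rem_addr.encode(), password.encode()]
    fixed = bytes([action, priv_lvl, authen_type, service] + [len(f) for f in fields])
    return fixed + b"".join(fields)


def build_packet(body, key):
    """12-byte header (flags=0, i.e. body obfuscated) followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, SEQ_NO, 0x00, SESSION_ID, len(body))
    return header + obfuscate(body, SESSION_ID, key, VERSION, SEQ_NO)


def decode_packet(packet, key):
    """Decode a packet body using the header fields and the receiver's key."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return obfuscate(packet[12:12 + length], session_id, key, version, seq_no)


def start_user(body):
    """Return the user field of a decoded START body, or None if the lengths are inconsistent."""
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None   # what a server sees after a key mismatch: lengths no longer add up
    return body[8:8 + user_len].decode(errors="replace")


if __name__ == "__main__":
    body = authen_start_body("jdoe", "Async1", "198.51.100.7", "pap-pass")
    pkt = build_packet(body, "S3cretKey")
    print("matching key  ->", start_user(decode_packet(pkt, "S3cretKey")))
    print("case mismatch ->", start_user(decode_packet(pkt, "s3cretkey")))
```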

A dial-in user is unable to make a connection to the NAS.

The Windows NT User Database is being used for authentication.

A record of a failed attempt is displayed in the Failed Attempts Report (clicking Failed Attempts within Reports & Activity).

The user information is not properly configured for authentication in Windows NT or CiscoSecure ACS.

Confirm the Windows NT User Database resides on the same machine as CiscoSecure ACS.

From the Windows NT User Manager, confirm the following:

  • The username and password are configured in the Windows NT User Manager.

  • The User Properties window does not have User Must Change Password at Login enabled.

  • The User Properties window does not have Account Disabled checked.

  • The User Properties for the dial-in window does not have Grant dial-in permission to user disabled, if CiscoSecure ACS is using this option for authenticating.

From within the CiscoSecure ACS confirm the following:

  • If the username has already been entered into CiscoSecure ACS, Password Authentication under User Setup has Use Windows NT User Database selected.

  • If the username has already been entered into CiscoSecure ACS, the CiscoSecure ACS Group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

  • Expiration information has not caused failed authentication. Set to Expiration: Never for troubleshooting.

Click External User Databases: List All Databases Configured and make sure that the database configuration for Windows NT is listed.

Check the Unknown User Policy to make sure that Fail the Attempt is not checked.

Check the Selected Databases box in the Unknown User Policy window.

The Windows NT group the user belongs to has not been mapped to No Access.

A dial-in user is unable to make a connection to the NAS.

The CiscoSecure ACS User Database is being used for authentication.

A record of a failed attempt is displayed in the Failed Attempts Report (clicking Failed Attempts within Reports & Activity).

From within CiscoSecure ACS confirm the following:

  • The username has been entered into CiscoSecure ACS.

  • Password Authentication under User Setup has Use CiscoSecure ACS Database selected and a password entered.

  • The CiscoSecure ACS group to which the user is assigned has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

  • Expiration information has not caused failed authentication. Set to Expiration: Never for troubleshooting.

A dial-in user is unable to make a connection to the NAS; however, a Telnet connection can be authenticated across the LAN.

This isolates the problem to one of three areas:

  • Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

  • The user is not assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup.

  • The CiscoSecure ACS or TACACS+ or RADIUS configuration is not correct in the NAS. The necessary commands are listed in:
    Program Files\CiscoSecure ACS vx.x\nasconfig.txt
    Program Files\CiscoSecure ACS vx.x\radconfig.txt
    and
    Program Files\CiscoSecure ACS vx.x\readme.txt

You can additionally verify CiscoSecure ACS connectivity as follows:

  • Telnet to the access server from a workstation connected to the LAN.

A successful authentication for Telnet confirms that CiscoSecure ACS is working with the NAS.

A dial-in user is unable to make a connection to the NAS, and a Telnet connection cannot be authenticated across the LAN.

  • Determine if the CiscoSecure ACS is receiving the request. This can be done by viewing the CiscoSecure ACS reports. Based on what does not appear in the reports and which database is being used, troubleshoot the problem based on one of the following:

    • Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

    • The user does not exist in the Windows NT User Database or the CiscoSecure ACS User Database and might not have the correct password. Authentication parameters can be modified under User Setup.

    • The CiscoSecure ACS or TACACS+ or RADIUS configuration is not correct in the NAS. The necessary commands are listed in:

    Program Files\CiscoSecure ACS vx.x\nasconfig.txt
    Program Files\CiscoSecure ACS vx.x\radconfig.txt
    and
    Program Files\CiscoSecure ACS vx.x\readme.txt




Debug Issues

When running debug aaa authentication on the NAS, a failure message is returned from CiscoSecure ACS.

The configurations of the NAS or CiscoSecure ACS are likely to be at fault.

From within CiscoSecure ACS confirm the following:

  • CiscoSecure ACS is receiving the request. This can be done by viewing the CiscoSecure ACS reports. Based on what does/does not appear in the reports and which database is being used, troubleshoot CiscoSecure ACS based on one of the first three listings in this matrix.

From the NAS, confirm the following:

  • The command ppp authentication pap is entered for each interface if authentication against the Windows NT User Database is being used.

  • The command ppp authentication chap pap is entered for each interface if authentication against the CiscoSecure ACS User Database is being used.

  • The AAA and TACACS+ or RADIUS configuration is correct in the NAS. The necessary commands are listed in:
    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt
    and
    Program Files\CiscoSecure ACS vx.x\readme.txt

When running debug aaa authentication and debug aaa authorization on the NAS, a PASS is returned for authentication, but a FAIL is returned for authorization.

This problem occurs because authorization rights are not correctly assigned.

From CiscoSecure ACS User Setup, confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup.

If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this might indicate it has not been enabled in Interface Configuration: TACACS+ (Cisco) or RADIUS.





Proxy Issues

Proxy fails.

Make sure that the direction on the remote server is set to Incoming/Outgoing or Incoming, and that the direction on the authentication forwarding server is set to Incoming/Outgoing or Outgoing.

Make sure the shared secret (key) matches the shared secret of one or both CiscoSecure ACSes.

Make sure the character string and delimiter match the stripping information configured in the distribution table, and the position is set correctly to either Prefix or Suffix.

One or more servers is down, or no fallback server is configured. Go to Network Configuration and configure a fallback server. Fallback servers will be used only under the following circumstances:

  • The remote CiscoSecure ACS is down.

  • One or more services (CSTacacs, CSRadius, or CSAuth) are down.

  • The secret key is misconfigured.

  • Inbound/Outbound messaging is misconfigured.





Installation and Upgrade Issues

The following error message displays when you try to upgrade or uninstall CiscoSecure ACS:

The following file is invalid or the data is corrupted "DelsL1.isu"

From the Windows NT registry, delete the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CiscoSecure

All previous accounting logs are missing.

If reinstalling or upgrading the CiscoSecure ACS software, the files are deleted unless moved to another directory location.

CRYPTOAPI error displays during CiscoSecure ACS installation.

If the Windows NT server has Service Pack 3 and Internet Explorer 4.0 installed, this error, which affects the encryption applet in the installation, will occur.

User Changeable Passwords do not work and the following message displays:

HTTP Error 405
405 Method Not Allowed

When you upgraded from Windows NT Service Pack 3 to Service Pack 4, the virtual directories were removed. Set up the virtual directories again.





MaxSessions Issues


MaxSessions over VPDN is not working.

The use of MaxSessions over VPDN is currently not supported.

User MaxSessions fluctuates or is unreliable.

Services were restarted, possibly because the connection between the CiscoSecure ACS and the NAS is unstable. Clear the single connect TACACS+ NAS checkbox.





Report Issues

active.csv report is blank

You changed protocol configurations recently.

Whenever protocol configurations change, the existing active.csv report file is renamed to yyyy-mm-dd.csv, and a new, blank active.csv report is generated.

A report is blank.

Make sure you have checked Log to reportname Report under System Configuration: Logging: Log Target: reportname. You must also set Network Configuration: servername: Access Server Type to CiscoSecure ACS for Windows NT.

No Unknown User information is included in reports.

The Unknown User database was changed. Accounting reports will still contain unknown user information.

Two entries are logged for one user session.

Make sure that the Remote Logging configuration and the Send Accounting Information field in the Distribution Table are not configured to send accounting packets to the same location.

After changing the date format, the Logged-In User list and CSAdmin log still display dates in the old format.

Restart the csadmin services by clicking the X button in the upper right corner of the GUI.





Third-party Server Issues

You cannot properly implement the SDI Token Server.

Step 1 Log in to the Windows NT Server on which CiscoSecure ACS is installed. (Make sure your login account has administrative privileges.)

Step 2 The SDI Client software needs to be installed on the same Windows NT server as the CiscoSecure ACS.

Step 3 Follow the setup instructions. Do not restart at the end of the installation.

Step 4 Get the file named sdconf.rec located in the /data directory of the SDI ACE server.

Step 5 Place sdconf.rec on the Windows NT Server in the %SystemRoot%\system32 directory.

Step 6 Make sure you can ping the machine that is running the ACE server by host name. (You might need to add the machine in the lmhosts file.)

Step 7 Enable support for SDI in the External User Database: Database Configuration window in the CiscoSecure ACS.

Step 8 Run Test Authentication from the Windows NT Server control panel for the ACE/Client application.

Step 9 From CiscoSecure ACS, install the token-card server.

MCIS password is sent in Clear Text.

If you are using MCIS 2.0 with the Active Directory Service Interfaces (ADSI) 2.0 client libraries and you check the Secure Authentication check box, Windows first tries to authenticate using Kerberos, then using Windows NT LAN Manager (NTLM). If it does not find either of these types, it sends the password in Clear Text, compromising authentication security. This issue is corrected in the Microsoft ADSI 2.5 client.





PIX Firewall Issues

Remote Administrator cannot bring up CiscoSecure ACS from his or her browser or receives a warning that access is not permitted.

Administration through a PIX firewall is not supported. CiscoSecure ACS can be managed only from the same side of the firewall.





User Authentication Issues

After the administrator removes the Check NT Callback setting from External User Databases: Database Configuration: Windows NT: Configuration, Windows NT database users can still dial in and apply the Callback string configured under the Windows NT User database.

Restart the CiscoSecure ACS services.

Callback is not working.

Make sure callback is configured on the NAS.

User authentication fails when using PAP.

Outbound PAP is not enabled. If the Failed Attempts report shows that you are using outbound PAP, go to Interface Configuration and check Per-User Advanced TACACS+ Features. Then go to User Setup: Advanced TACACS+ Settings. Click TACACS+ Enable Control and enter and confirm a TACACS+ Outbound Password.

Unknown users are not authenticated.

Go to External User Databases: Unknown User Policy. Click the Check the following external user databases: button. From the External databases, click the database(s) against which to authenticate unknown users. Click the right arrow to add the database to the Selected Databases list. Click the Up or Down button to move the database into the desired position in the authentication hierarchy.

If you are using the CiscoSecure ACS Unknown User feature, external databases can authenticate using only PAP.

User did not inherit settings from new group.

Users moved to a new group will inherit new group settings but will keep their existing user settings. Manually change the settings in User Settings.

User can authenticate but authorizations are different than expected.

Different vendors use different AV pairs. AV pairs not used in one vendor's protocol will be ignored by another vendor's protocol.

Make sure the user settings reflect the correct vendor protocol; for example, Cisco RADIUS.

User cannot log in.

Re-enable the user account or reset the failed attempts counter.

Authorization fails.

The retry interval is too short. (The default is 5 seconds.) Increase the retry interval (tacacs-server timeout 20) on the NAS to 20 or greater.

User accounts become disabled when users dial in without authenticating.

Incorrect keys are configured between CiscoSecure ACSes using RADIUS.





TACACS+ and RADIUS Attribute Issues

TACACS+ and RADIUS attributes do not appear on Group Setup page.

Beginning with CiscoSecure ACS Release 2.3, some TACACS+ attributes no longer appear on the Group Setup page. This is because IP pools and Callback supersede the following attributes:

  • TACACS+: addr, addr-pool, callback-dialstring

  • Ascend RADIUS: 8 (Framed-IP-Address), 19 (Callback-Number), 218 (Ascend-Assign-IP-Pool)

Additionally, these attributes cannot be set via database synchronization, and ip:addr=n.n.n.n is not allowed as a Cisco vendor-specific attribute (VSA).

NDS or DS Group Mapping not working correctly.

Make sure you have correctly configured Group Mapping for the applicable database. See the "Database Group Mappings" section for more information.